Screen OS

  • 1.  Creating a policy on SSG550M from Untrust to multiple zones

    Posted 10-17-2014 00:53

    Hi Guys,

    Is it possible to create one policy which will permit/block access from "Untrust" to multiple zones on SSG550M?

    When I say multiple, we have like 20x DMZ zones and I don't really want to create a single policy from "Untrust" to each DMZ zone.

    I have been reading about the "Global" zone on the firewall but am not too sure how to implement this.



  • 2.  RE: Creating a policy on SSG550M from Untrust to multiple zones
    Best Answer

    Posted 10-19-2014 03:30

    Hi,

    What part don't you understand? Global policy is just the thing you're looking for. It ignores zones and you only define source and destination addresses, services and either allow or deny. For example, I have used global policy to allow ping globally in the firewall for debug purposes so I don't need to do multiple policies. It's a great feature.

    From the WebUI you click the new policy and choose Global/Global as zones, or from the CLI you use the "set policy global" command.

    If you are satisfied with the answer, please click "Accepted as Solution". Kudos also welcome!



  • 3.  RE: Creating a policy on SSG550M from Untrust to multiple zones

    Posted 10-20-2014 00:45

    Thanks Terosa for explaining this feature.

    I was not very sure how it works, as the Global policy is processed only if there is no match previously.



  • 4.  RE: Creating a policy on SSG550M from Untrust to multiple zones

    Posted 10-20-2014 02:20
    You are correct, the global policy is checked after the zone policies:

    1. Look for a policy between the ingress and egress zones.
    2. If no policy is found in step 1, search for a Global policy.
    3. If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. if intra-zone block is enabled, drop the packet unless an intra-zone rule permits it.
    4. Implied deny all (also known as the Default Policy).

    PS. Use "get pol global" or "get pol all" to see global policies in the CLI.


  • 5.  RE: Creating a policy on SSG550M from Untrust to multiple zones

    Posted 10-29-2014 09:08

    Using the "Global" zone is actually good when permitting traffic.

    For us it wasn't that good, as what we were trying to do was to block traffic sourced from China to one of our web servers which already had a policy in place: Untrust --> DMZ_Web source-Any; destination-MIP(Web_server); services(80,443); action (permit)

    So the traffic coming from China will always hit the Untrust-->DMZ_Web policy and will be permitted before the Global policy Untrust-->Global source-china_range; destination-any; services-any; action(deny)...

    What we have actually done was to create a separate policy for Untrust --> each DMZ (about 20 of them):

    Untrust --> DMZ1,2,3... source-Denied; destination-any; services-any; action-deny, where "Denied" is a group to which we keep adding new IPs/subnets from which we should not expect any traffic.

    The rule has to sit in front of the access list to block the traffic before it will be permitted.
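The lookup order from reply 4 and the ordering problem from reply 5, modelled as an added Python example. This is illustration code written for this page, not Juniper's implementation and not anything posted in the thread: it models only the four lookup steps listed above (first-match zone-pair policies, then global policies, then the intra-zone block, then the implied deny) and uses constructed values, with 198.51.100.0/24 standing in for the thread's "china_range" and 203.0.113.10 for the MIP'd web server. The `Firewall`, `Policy`, `build_thread_scenario` and `china_to_web` names are the example's own.

```python
"""Toy model of the ScreenOS policy lookup order given in this thread.

Added illustration, not Juniper code: only the four lookup steps from
reply 4 are modelled, and all addresses and names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"  # stands in for the ScreenOS "Any" address and "ANY" service


def _addr_match(entries, ip: str) -> bool:
    """True if ip is covered by the address entry (ANY or a list of CIDRs)."""
    if entries == ANY:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in entries)


@dataclass
class Policy:
    src_zone: str       # "Global" for a policy entered with "set policy global"
    dst_zone: str
    src: object         # ANY or a list of CIDR strings (an address group)
    dst: object
    services: object    # ANY or a set of service names, e.g. {"HTTP", "HTTPS"}
    action: str         # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (_addr_match(self.src, src_ip)
                and _addr_match(self.dst, dst_ip)
                and (self.services == ANY or service in self.services))


class Firewall:
    def __init__(self, intra_zone_block: bool = True):
        self.zone_policies: list[Policy] = []    # ordered, first match wins
        self.global_policies: list[Policy] = []  # ordered, first match wins
        self.intra_zone_block = intra_zone_block

    def add(self, policy: Policy, top: bool = False) -> None:
        """Append a policy, or put it in front of the others (top=True)."""
        plist = self.global_policies if policy.src_zone == "Global" else self.zone_policies
        if top:
            plist.insert(0, policy)
        else:
            plist.append(policy)

    def lookup(self, ingress, egress, src_ip, dst_ip, service):
        """Return (action, step) for a packet, following reply 4's order."""
        # Step 1: first matching policy between the ingress and egress zones.
        for p in self.zone_policies:
            if p.src_zone == ingress and p.dst_zone == egress and p.matches(src_ip, dst_ip, service):
                return p.action, "zone"
        # Step 2: no zone-pair match, so try the Global policies.
        for p in self.global_policies:
            if p.matches(src_ip, dst_ip, service):
                return p.action, "global"
        # Step 3: same zone in and out -> the intra-zone block decides.
        if ingress == egress:
            return ("deny" if self.intra_zone_block else "permit"), "intra-zone"
        # Step 4: implied deny all (the Default Policy).
        return "deny", "default"


CHINA_RANGE = ["198.51.100.0/24"]  # constructed stand-in for "china_range"
WEB_SERVER = ["203.0.113.10/32"]   # constructed stand-in for MIP(Web_server)


def build_thread_scenario(deny_in_front: bool) -> Firewall:
    """Reply 5's setup: a zone-pair permit plus a global deny for china_range."""
    fw = Firewall()
    fw.add(Policy("Untrust", "DMZ_Web", ANY, WEB_SERVER, {"HTTP", "HTTPS"}, "permit"))
    fw.add(Policy("Global", "Global", CHINA_RANGE, ANY, ANY, "deny"))
    fw.add(Policy("Global", "Global", ANY, ANY, {"PING"}, "permit"))  # reply 2's ping rule
    if deny_in_front:
        # Reply 5's fix: a deny in the Untrust->DMZ_Web pair, placed before the permit.
        fw.add(Policy("Untrust", "DMZ_Web", CHINA_RANGE, ANY, ANY, "deny"), top=True)
    return fw


def china_to_web(deny_in_front: bool):
    """HTTPS from the blocked range to the permitted web server."""
    fw = build_thread_scenario(deny_in_front)
    return fw.lookup("Untrust", "DMZ_Web", "198.51.100.7", "203.0.113.10", "HTTPS")


if __name__ == "__main__":
    print("global deny only:", china_to_web(False))    # permitted in step 1
    print("deny placed in front:", china_to_web(True))  # denied in step 1
```

Running it shows both points the thread makes: with only the global deny in place the zone-pair permit wins in step 1 and the global policy is never consulted, while the same global deny does block the range towards a DMZ zone that has no Untrust policy of its own, because lookup falls through to step 2 there. Putting the deny in front of the permit within the zone pair is what makes it effective for DMZ_Web.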