ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
ye_line
Contributor
ye_line
Posts: 26
Registered: ‎04-22-2010
0

Global Deny Any

Options

‎05-14-2010 02:15 AM

Dear All: By default, there is a global deny all policy. however, it is delete , may advise how to add one policy like that one.

 

Thanks for any idea.

 

Bin

Message 1 of 7 (7,855 Views)
 
Reply
Distinguished Expert
Distinguished Expert
spuluka
Posts: 1,612
Registered: ‎03-30-2009
0

Re: Global Deny Any

Options

‎05-14-2010 03:32 AM

this default Global Deny is not an explict rule you can see but a behaviour of the system.  If traffic does not match a rule on the policy list then the traffic is denied.

 

You do not need to have that rule on the list.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Message 2 of 7 (7,851 Views)
 
Reply
ye_line
Contributor
ye_line
Posts: 26
Registered: ‎04-22-2010
0

Re: Global Deny Any

Options

‎05-14-2010 05:43 AM

Dear above:

 

Thanks. The action are done like following:

1. default global deny any policy will be shown in GUI are deleted at initial config;

2. config a policy which is permit all in the zones between untrust , trust and DMZ, etc;

3 need to reactivate the deny all policy in that firewall

 

by checking the forum should the command line " set global den a a a log" will be effecitve as initial deny all policy?

 

Thanks for any feedback

 

Bin

Message 3 of 7 (7,838 Views)
 
Reply
Distinguished Expert
Distinguished Expert
spuluka
Posts: 1,612
Registered: ‎03-30-2009
0

Re: Global Deny Any

Options

‎05-15-2010 05:01 AM

I'm afraid I'm not fully understanding the request.

 

I've attached a factory default configuration from an SSG5 firewall.

 

As you can see there is only one pre-defined policy in this configuration.  The policy that allows internet access from trust to Untrust on the device.

 

The default deny policy is not an explicitly defined policy but the actual behaviour of the device.  Any request that does not match a policy rule that is defined will be denied. 

 

There is no need to create a final deny policy rule.  This is just how the device will handle it anyway.

 

 

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Attachment SSG5-Default.txt ‏5 KB
Message 4 of 7 (7,804 Views)
 
Reply
Distinguished Expert
Distinguished Expert
echidov
Posts: 830
Registered: ‎11-02-2009
0

Re: Global Deny Any

Options

‎05-17-2010 12:58 AM

Hi Bin,

 

This is really the default behaviour of the ScreenOS device. It is not like a hidden policy on Checkpoint.

I suppose that you want to log all dropped requests not corresponding to any explicit policy. You can use global policies for this, f.i.:

set policy  global  id xxx   Any Any ANY  deny            
set policy id xxx
set log session-init

As you see, the global policy does not contain the src-zone nor the dst-zone. It is applied to the request after all corresponding zone-to zone policies have been checked but with no hits. If you start debugging with "debug flow basic" you'll see, that the global policy is the last one that is checked.

 

Kind regards,

Edouard

 

Kind regards,
Edouard
Message 5 of 7 (7,788 Views)
 
Reply
dsd
Regular Visitor
dsd
Posts: 5
Registered: ‎05-12-2010
0

Re: Global Deny Any

Options

‎05-18-2010 05:38 PM

Any explicit global deny rule is useful if you want to log all denied packets:

 

set policy global from global to global any any any deny log

 

Wish the SRX made it that easy :-)

 

-dsd

Message 6 of 7 (7,767 Views)
 
Reply
Recognized Expert
Recognized Expert
shadow
Posts: 152
Registered: ‎04-29-2008
0

Re: Global Deny Any

[ Edited ]
Options

‎05-18-2010 05:40 PM - edited ‎05-18-2010 05:57 PM

Edouard is correct on using the global policy to create a logged deny at the end of the policy chain..  To follow up on his correct answer is to remember that by default a "get policy" is not going to display the global policies.  You will need to use either a "get policy all" or "get policy global" to display the global policy.. 

 

Defined intrazone and interzone policies are checked if no match is found then the global policy is checked.  If the global policy is not matched then the default deny is applied for interzone traffic.   If its intrazone traffic the zone is checked for intrazone blocking.  If blocking is turned on, the packet is dropped.  If blocking is not turned on the packet is allowed.  

JNCIP-ENT, JNCIP-SEC, JNCIS-FWV, JNCIS-AC, JNCIS-SSL, JNCI
twitter: @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
Message 7 of 7 (7,766 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.