ScreenOS Firewalls (NOT SRX)
Contributor
ye_line
Posts: 26
Registered: 04-22-2010

Global Deny Any

Dear All: By default, there is a global deny all policy. However, it was deleted; please advise how to add one policy like that one.

Thanks for any idea.

Bin

Distinguished Expert
spuluka
Posts: 2,691
Registered: 03-30-2009

Re: Global Deny Any

This default Global Deny is not an explicit rule you can see but a behaviour of the system. If traffic does not match a rule on the policy list then the traffic is denied.

You do not need to have that rule on the list.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
ye_line
Posts: 26
Registered: 04-22-2010

Re: Global Deny Any

Dear above:

Thanks. The actions were done as follows:

1. The default global deny any policy that would be shown in the GUI was deleted at initial config;

2. Configured a policy which permits all between the zones untrust, trust and DMZ, etc.;

3. Need to reactivate the deny all policy in that firewall.

By checking the forum, should the command line "set global den a a a log" be effective as the initial deny all policy?

Thanks for any feedback

Bin

Distinguished Expert
spuluka
Posts: 2,691
Registered: 03-30-2009

Re: Global Deny Any

I'm afraid I'm not fully understanding the request.

I've attached a factory default configuration from an SSG5 firewall.

As you can see, there is only one pre-defined policy in this configuration: the policy that allows internet access from trust to Untrust on the device.

The default deny policy is not an explicitly defined policy but the actual behaviour of the device. Any request that does not match a policy rule that is defined will be denied.

There is no need to create a final deny policy rule. This is just how the device will handle it anyway.

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: Global Deny Any

Hi Bin,

This is really the default behaviour of the ScreenOS device. It is not like a hidden policy on Checkpoint.

I suppose that you want to log all dropped requests not corresponding to any explicit policy. You can use global policies for this, f.i.:

set policy global id xxx Any Any ANY deny
set policy id xxx
set log session-init

As you see, the global policy does not contain the src-zone nor the dst-zone. It is applied to the request after all corresponding zone-to-zone policies have been checked but with no hits. If you start debugging with "debug flow basic" you'll see that the global policy is the last one that is checked.

Kind regards,

Edouard

Regular Visitor
dsd
Posts: 5
Registered: 05-12-2010

Re: Global Deny Any

An explicit global deny rule is useful if you want to log all denied packets:

set policy global from global to global any any any deny log

Wish the SRX made it that easy :-)

-dsd

Recognized Expert
traceoptions
Posts: 152
Registered: 04-29-2008

Re: Global Deny Any

Edouard is correct on using the global policy to create a logged deny at the end of the policy chain. To follow up on his correct answer, remember that by default a "get policy" is not going to display the global policies. You will need to use either a "get policy all" or "get policy global" to display the global policy.

Defined intrazone and interzone policies are checked; if no match is found then the global policy is checked. If the global policy is not matched then the default deny is applied for interzone traffic. If it's intrazone traffic, the zone is checked for intrazone blocking. If blocking is turned on, the packet is dropped. If blocking is not turned on, the packet is allowed.

JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
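The lookup order traceoptions describes above, modelled in Python as an added example (not ScreenOS code and not from any poster): zone-to-zone policies first, then global policies, then the implicit deny for interzone traffic or the zone's intrazone-blocking setting for intrazone traffic. Zone names, addresses, policy ids and the sample packets are constructed; the point it makes visible is that only the explicit global deny produces a log entry, the implicit default deny does not.

```python
"""Model of the ScreenOS policy lookup order described in the thread.

Added example, not ScreenOS code. Zone names, addresses and policy ids are
constructed; the order follows the thread: zone-to-zone policies, then global
policies, then implicit deny (interzone) or intrazone blocking (intrazone)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    pid: int
    src_zone: Optional[str]  # None marks a global policy (no zone pair)
    dst_zone: Optional[str]
    src: str                 # "any" or an exact address (constructed values)
    dst: str
    service: str             # "any" or a service name such as "HTTP"
    action: str              # "permit" or "deny"
    log: bool = False        # the "log" keyword on the policy

    def matches(self, pkt: dict) -> bool:
        if self.src_zone is not None and (
                (self.src_zone, self.dst_zone) != (pkt["src_zone"], pkt["dst_zone"])):
            return False
        fields = ((self.src, "src"), (self.dst, "dst"), (self.service, "service"))
        return all(spec in ("any", pkt[key]) for spec, key in fields)


def lookup(policies: list, intrazone_block: dict, pkt: dict) -> tuple:
    """Return (action, reason, logged) for one session-initiating packet."""
    zone_pols = [p for p in policies if p.src_zone is not None]
    global_pols = [p for p in policies if p.src_zone is None]
    for p in zone_pols + global_pols:  # global policies are checked last
        if p.matches(pkt):
            return p.action, f"policy id {p.pid}", p.log
    if pkt["src_zone"] != pkt["dst_zone"]:
        # No explicit hit: the device's own default deny, which writes no log entry
        return "deny", "implicit default deny", False
    blocked = intrazone_block.get(pkt["src_zone"], False)
    return ("deny" if blocked else "permit"), "intrazone blocking", False


# Constructed sample: the factory Trust->Untrust permit plus a logged global catch-all
POLICIES = [
    Policy(1, "Trust", "Untrust", "any", "any", "any", "permit"),
    Policy(100, None, None, "any", "any", "any", "deny", log=True),
]
INTRAZONE_BLOCK = {"Trust": False, "DMZ": True}


def make_pkt(src_zone, dst_zone, src, dst, service="HTTP"):
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "src": src, "dst": dst, "service": service}
```

Running `lookup(POLICIES[:1], ...)` shows what happens without the global policy: interzone misses end in the unlogged implicit deny, and intrazone traffic is decided by the zone's blocking flag alone.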