SRX

  • 1.  Global Policy and need for Zones

    Posted 06-08-2018 15:34

    Hi everyone.

    Let's say we have an SRX and only a Global Security Policy that allows all traffic. In a Global Policy, no zone pair is checked; traffic is evaluated against the Global Policy alone.

    This is what I see:

    1) When all zones were deleted, no transit traffic flows, though the Global Policy allows all traffic.

    2) Zones are still needed even if we use the Global Policy alone on the SRX for transit traffic.

    My question is: why do we need zones when using the Global Policy only, as no zone is checked in the Global Policy?

    Thanks and have a nice weekend!!



  • 2.  RE: Global Policy and need for Zones
    Best Answer

     
    Posted 06-09-2018 01:00

    Interfaces that are not explicitly assigned to any zone are assigned to special Null zone.  By design traffic hitting null zone is dropped.

    Even though you do not have to specify zones in global policies you can

    An example:

    set security policies global policy Pa match source-address any
    set security policies global policy Pa match destination-address any
    set security policies global policy Pa match application any
    set security policies global policy Pa match from-zone zone1
    set security policies global policy Pa match from-zone zone2
    set security policies global policy Pa match to-zone zone3
    set security policies global policy Pa match to-zone zone4
    set security policies global policy Pa then permit

    As you can see, global policies are more flexible than just permitting/denying traffic from all zones.

    Regards, Wojtek
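The answer above points at the practical cause of the questioner's symptom: any logical interface without a security-zone binding lands in the Null zone, and the SRX drops its transit traffic no matter how permissive the global policy is. The following script is an added example, not code from the thread or from Juniper: it reads a configuration in Junos "set" format and reports (a) configured logical interfaces that no security zone claims, and (b) from-zone/to-zone matches in global policies that name a zone the configuration never defines. The sample configuration embedded below is constructed for the example; the interface and zone names in it are assumptions, not taken from the original post.

```python
import re

# Constructed sample in Junos "set" format (not from the thread): zones trust and untrust
# are defined, ge-0/0/2.0 is configured but bound to no zone (so it sits in the Null zone),
# and global policy Pa matches to-zone dmz, a zone that is never defined.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.1/24
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security policies global policy Pa match source-address any
set security policies global policy Pa match destination-address any
set security policies global policy Pa match application any
set security policies global policy Pa match from-zone trust
set security policies global policy Pa match to-zone dmz
set security policies global policy Pa then permit
"""

# Patterns for the four kinds of "set" statements the audit cares about.
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+)(?:\s|$)")
ZONE_DEF_RE = re.compile(r"^set security zones security-zone (\S+)")
ZONE_IFACE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
POLICY_ZONE_RE = re.compile(
    r"^set security policies global policy (\S+) match (from-zone|to-zone) (\S+)"
)


def parse_set_config(text):
    """Return (logical_interfaces, zone_of_interface, defined_zones, policy_zone_refs)."""
    logical = set()      # e.g. "ge-0/0/0.0"
    zone_of = {}         # logical interface -> zone name
    zones = set()        # every security-zone name that appears in the config
    refs = []            # (policy, "from-zone"|"to-zone", zone) from global policies
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            logical.add(f"{m.group(1)}.{m.group(2)}")
        if m := ZONE_DEF_RE.match(line):
            zones.add(m.group(1))
        if m := ZONE_IFACE_RE.match(line):
            zone_of[m.group(2)] = m.group(1)
        if m := POLICY_ZONE_RE.match(line):
            refs.append((m.group(1), m.group(2), m.group(3)))
    return logical, zone_of, zones, refs


def unzoned_interfaces(text):
    """Logical interfaces with no security-zone binding. These fall into the Null zone,
    and the SRX drops their transit traffic regardless of any global policy."""
    logical, zone_of, _, _ = parse_set_config(text)
    return sorted(logical - set(zone_of))


def dangling_zone_refs(text):
    """Global-policy from-zone/to-zone matches that name a zone the config never defines
    (treated here as a misconfiguration; that interpretation is this example's assumption)."""
    _, _, zones, refs = parse_set_config(text)
    return sorted((p, d, z) for p, d, z in refs if z not in zones)


if __name__ == "__main__":
    for ifl in unzoned_interfaces(SAMPLE_CONFIG):
        print(f"WARNING: {ifl} is not bound to any security zone (Null zone: transit traffic dropped)")
    for policy, direction, zone in dangling_zone_refs(SAMPLE_CONFIG):
        print(f"WARNING: global policy {policy} matches {direction} {zone}, which is not defined")
```

Run against the sample, the first check names ge-0/0/2.0 as the interface whose traffic will be dropped, which is exactly the situation the questioner saw after deleting zones. To audit a real device, replace SAMPLE_CONFIG with the output of `show configuration | display set`; the parser only looks at the statement prefixes shown above, so unrelated lines are ignored.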