SRX Services Gateway

Netscreen Global Policies Migration to SRX Configuration

02-09-2014 04:22 AM

Hi,

I am migrating Netscreen to SRX Firewall. I am facing an issue migrating the Global Policy configuration.

In Netscreen we have a few policies from a specific zone to the Global zone.


set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit

I have configured the same in SRX under the GROUP hierarchy.

groups {
    node0 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [junos-http junos-https];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
    node1 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [junos-http junos-https];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
apply-groups "${node}";

Similarly, I have a few more policies from different specific zones to Global.

My question is whether I have migrated this part correctly. If not, kindly let me know the correct way to configure this so that it is equivalent to the Netscreen policy.

Solution
Accepted by topic author Muhammad Atif Jauhar
08-26-2015 01:27 AM

Re: Netscreen Global Policies Migration to SRX Configuration

02-10-2014 06:46 AM

Hello.

Security policies are not typically configured under

groups {
    node0 {
        security {
            policies {

but under

security {
    policies {

The groups/node0 and groups/node1 are configs that need to be different between the 2 nodes, such as hostnames and fxp0 (mgmt) IP addresses. Security policies should be common between the 2 nodes in the cluster, so they should be configured as part of the security hierarchy.

Global policies are configured as such:

set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
set security policies global policy default-deny then log session-close
set security policies global policy default-deny then count

Hope this helps.

Regards,

Sam
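An added worked example, not part of this thread and not Juniper tooling: a small Python converter that takes the Netscreen policy block from the question (including the `set policy id 100` / `set service "HTTPS"` edit context that appends a second service) and emits SRX `set security policies ...` commands in the global-policy form shown in the reply, keeping the policy at the `security` level rather than under `groups node0/node1`. The Netscreen-to-Junos service and address name maps, the `ns-<id>` policy naming, and the use of `match from-zone` inside a global policy are assumptions to check against the target Junos release; address names are passed through unchanged and must already exist in the SRX address book.

```python
"""Constructed example: translate Netscreen 'set policy' lines into SRX
'set security policies' commands.  Not Juniper code; mappings are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the policy from the question, with x.x.x.x kept as a placeholder.
NETSCREEN_SAMPLE = """\
set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit
"""

# Assumed name maps: Netscreen predefined objects -> Junos predefined objects.
SERVICE_MAP = {"HTTP": "junos-http", "HTTPS": "junos-https", "ANY": "any"}
ADDRESS_MAP = {"Any": "any", "Any-IPv4": "any-ipv4", "Any-IPv6": "any-ipv6"}

HEADER = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+(permit|deny)(\s+log)?\s*$'
)
CONTEXT = re.compile(r'^set policy id (\d+)\s*$')   # enters an edit context
SERVICE = re.compile(r'^set service "([^"]+)"\s*$')  # adds a service inside that context


@dataclass
class NsPolicy:
    pid: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    action: str
    log: bool
    services: list = field(default_factory=list)


def parse_netscreen(text: str) -> list:
    """Parse one-line policy definitions plus 'set policy id N ... exit' blocks."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            pid, fz, tz, src, dst, svc, action, log = m.groups()
            policies[pid] = NsPolicy(pid, fz, tz, src, dst, action, bool(log), [svc])
        elif m := CONTEXT.match(line):
            current = policies.get(m.group(1))   # only existing policies can be edited
        elif (m := SERVICE.match(line)) and current is not None:
            if m.group(1) not in current.services:
                current.services.append(m.group(1))
        elif line == "exit":
            current = None
    return list(policies.values())


def to_srx(p: NsPolicy) -> list:
    """Emit SRX set commands for one Netscreen policy.

    A Netscreen to-zone of "Global" becomes an SRX global policy that still
    matches the original from-zone (assumed syntax: 'match from-zone' in a
    global policy).  Any other zone pair becomes an ordinary zone-pair policy.
    Unmapped service or address names pass through and need matching objects.
    """
    name = f"ns-{p.pid}"
    if p.to_zone == "Global":
        base = f"set security policies global policy {name}"
        lines = [f"{base} match from-zone {p.from_zone}"]
    else:
        base = f"set security policies from-zone {p.from_zone} to-zone {p.to_zone} policy {name}"
        lines = []
    lines.append(f"{base} match source-address {ADDRESS_MAP.get(p.src, p.src)}")
    lines.append(f"{base} match destination-address {ADDRESS_MAP.get(p.dst, p.dst)}")
    apps = " ".join(SERVICE_MAP.get(s, s) for s in p.services)
    lines.append(f"{base} match application {apps if len(p.services) == 1 else f'[ {apps} ]'}")
    lines.append(f"{base} then {p.action}")
    if p.log:  # Netscreen 'log' -> log both session events, as in the reply's example
        lines.append(f"{base} then log session-init")
        lines.append(f"{base} then log session-close")
    return lines


def convert(text: str) -> list:
    """Full pipeline: Netscreen text in, list of SRX set commands out."""
    out = []
    for p in parse_netscreen(text):
        out.extend(to_srx(p))
    return out


if __name__ == "__main__":
    print("\n".join(convert(NETSCREEN_SAMPLE)))
```

Run it and diff the output against what you load on the SRX; because every line is a plain `set` command, it can be pasted into `configure` and checked with `show | compare` before commit, and the `ns-<id>` names make it easy to trace each SRX policy back to the Netscreen policy id.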