SRX

  • 1.  Security policy ordering

    Posted 04-08-2014 11:28


    I am sure this is answered already, but I am confused on the order of security policy organization (and I am confused on the naming convention of what is a global, etc.).

    So we have a zone:

    NOC {
        security {
            policies {
                from-zone <*> to-zone NOC-zone {
                    bunch of permits with no deny
                }
            }
        }
    }

    But we have inter zone policies, like

    policies {
        from-zone untrust to-zone NOC-zone {
            bunch of permits and at the end of that is a deny all.
        }
    }

    My question is what is the order of application.  Does the <*> get evaluated and then drop to the more specific policy?

    Or does the <*> one override the more specific?  It seems to be that the <*> permits are evaluated even without a corresponding one in the more specific one.  For instance, an allow for http in the <*> works, even if there is no http permit in the more specific.


    I am sure I am over analyzing this, but I want to know the exact rule.


           ...



  • 2.  RE: Security policy ordering
    Best Answer

    Posted 04-08-2014 12:20

    Oops.


    Misread my config.


    The specific policy has no Deny, so I assume the order is more specific and then the <*> policy, which makes sense.



  • 3.  RE: Security policy ordering

    Posted 04-08-2014 17:35

    I don't think the security policies get evaluated based on how specific they are. They get evaluated in a top-down order.


    http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41208.html


    So if the first policy is a match, regardless of how much more specific the policies are further down the list, the traffic is still evaluated based on the first policy.
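An added example (not from any poster in this thread or from Juniper): a small Python model of the top-down, first-match evaluation the reply above describes, applied to a constructed untrust-to-NOC-zone policy list that ends with a deny-all and then has one more permit after it. Policy names, address names and the placement of the rules are constructed for the example; the `junos-*` application names are Junos predefined applications, and the "any" wildcard and the deny-by-default fallback are assumptions of the model. The `shadowed()` helper is the check a reviewer would run on such a list: it reports policies that an earlier policy in the same zone pair already covers, so they can never match.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str = "any"        # address-book name, or "any" as a wildcard (constructed)
    destination: str = "any"
    application: str = "any"   # e.g. "junos-http"; "any" is a wildcard
    action: str = "permit"

    def covers(self, from_zone, to_zone, source, destination, application):
        """True if this policy would match the given zone pair and match tuple."""
        def wild(pattern, value):
            return pattern == "any" or pattern == value
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and wild(self.source, source)
                and wild(self.destination, destination)
                and wild(self.application, application))


def evaluate(policies, from_zone, to_zone, source, destination, application):
    """Top-down, first-match lookup: the first policy that covers the traffic
    decides, regardless of how specific later policies are. If nothing in the
    list matches, the default policy (assumed here to be deny) applies."""
    for policy in policies:
        if policy.covers(from_zone, to_zone, source, destination, application):
            return policy.name, policy.action
    return "default-policy", "deny"


def shadowed(policies):
    """Return (later, earlier) pairs where 'earlier' fully covers 'later', so the
    later policy is unreachable. Sound but not complete: it only detects a
    single earlier policy covering the whole later one."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(later.from_zone, later.to_zone, later.source,
                              later.destination, later.application):
                result.append((later.name, earlier.name))
                break
    return result


# Constructed sample policy list, in configuration (evaluation) order.
UNTRUST_TO_NOC = [
    Policy("permit-ssh", "untrust", "NOC-zone", application="junos-ssh"),
    Policy("permit-dns", "untrust", "NOC-zone", application="junos-dns-udp"),
    Policy("deny-all", "untrust", "NOC-zone", action="deny"),
    Policy("permit-http", "untrust", "NOC-zone", application="junos-http"),  # after deny-all
]
```

Running `evaluate(UNTRUST_TO_NOC, "untrust", "NOC-zone", "inet-host", "noc-web", "junos-http")` returns the deny-all policy, and `shadowed(UNTRUST_TO_NOC)` reports that `permit-http` is unreachable behind `deny-all`.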