SRX Services Gateway

how to specifically locate a newly created security policy in the sec policy list

‎05-22-2019 08:54 PM

Hi all,

There is a high number of security policies on the SRX device. I would like to ask whether it is possible to locate a security policy in the security policy list during the creation of a policy, not after creation. If so, can you provide an example in CLI set format?

Thx.

arx 

Re: how to specifically locate a newly created security policy in the sec policy list

‎05-22-2019 09:22 PM

Hello,

Not sure if I completely understood the question. Are you looking to insert the security policy at a particular location before the commit?

By default the new security policy is at the end of the list. You can use the insert statement to move the security policy to the desired location.

> insert security policies from-zone trust to-zone untrust policy trust-to-untrust-new after policy trust-to-untrust

> insert security policies from-zone trust to-zone untrust policy trust-to-untrust-new before policy trust-to-untrust

I hope this answers your question. Regards,

Vikas


Re: how to specifically locate a newly created security policy in the sec policy list

‎05-22-2019 11:32 PM

Arix,

There is no way of inserting a policy at a specific position during its creation; it will have to be done after it is created, with the use of the "insert" command:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10120

If you have several policies, the following command is very useful to avoid overlapping policies:

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-sha...

I hope it helps you.
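As an added example (not part of the thread, and not Juniper's own documentation), here is the full sequence the two replies above describe, done in one configuration session: create the policy, move it with insert, check the resulting order and the diff, and commit once. The zone names, policy names and match terms (trust/untrust, trust-to-untrust, trust-to-untrust-new, junos-ssh) are assumed for illustration.

```junos
## Added example, not from the original thread. Names and match terms are
## assumed. Configuration mode (prompt "#") unless noted.
[edit]
user@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust-new match source-address any destination-address any application junos-ssh
user@srx# set security policies from-zone trust to-zone untrust policy trust-to-untrust-new then permit

## At this point the new policy sits at the end of the trust->untrust list.
## List the names in order to decide where it has to go:
user@srx# show security policies from-zone trust to-zone untrust | match "policy "

## Move it ahead of the existing policy "trust-to-untrust". The insert is part
## of the same candidate configuration as the set statements above, so both
## are applied by one commit and the policy is never active at the end of the list.
user@srx# insert security policies from-zone trust to-zone untrust policy trust-to-untrust-new before policy trust-to-untrust

## Verify the new order, review the diff against the active config, then
## validate without committing.
user@srx# show security policies from-zone trust to-zone untrust | match "policy "
user@srx# show | compare
user@srx# commit check
user@srx# commit

## Operational mode (prompt ">"): confirm the new policy is not shadowed by
## an earlier policy in the same zone pair.
user@srx> show security shadow-policies from-zone trust to-zone untrust policy trust-to-untrust-new
```

Check the order before committing: policy lookup within a zone pair is first-match, so a new policy left after a broader policy that already matches the same traffic is never evaluated, and a permit or deny you believe you added has no effect. The shadow-policies check after commit catches the same problem on the active configuration.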


Re: how to specifically locate a newly created security policy in the sec policy list

‎05-23-2019 04:32 PM

Thanks Nelumbo and lpaniagua for the reply.

So we cannot get two birds with only one stone at the same time........!

Create a security policy first, which lands at the end of the list, then use the "insert" command to relocate the policy.... Is my understanding correct?

If this is correct, Juniper should add more functionality to the "insert" command, like for creating L2 VLANs.

Thx,

Arx.


Re: how to specifically locate a newly created security policy in the sec policy list

‎05-23-2019 04:49 PM

> Create a security policy first, which lands at the end of the list, then use the "insert" command to relocate the policy.... Is my understanding correct?

Yes, you are absolutely correct.

The insert command is not restricted to security policies; different functionalities, like routing policy-options, have the insert feature. This again varies by feature and hierarchy, in what you can do with the various variables.


Re: how to specifically locate a newly created security policy in the sec policy list

‎05-23-2019 05:42 PM

Arix,

Yes, your understanding is correct. I've never thought about it, but you have a good point.

In case you are looking to see all the policy names in a quick way, you could try "show security policies | match policy":

root@SRX100H2# show security policies | match policy
    policy A-2-B {
    policy B-2-A {
    policy A-2-C {
    policy C-2-A {

This way you can get a good idea of which policy to insert your newly created policy after or before. I hope this helps.

If you consider this to be a valid answer to your question please mark this comment as Solution.


Re: how to specifically locate a newly created security policy in the sec policy list

‎06-12-2019 12:43 AM

You can do "show configuration security policy policy XYZ", "show security policies" or "show security policies detail" to find out which policies are already configured, prior to committing a new one.