ScreenOS Firewalls (NOT SRX)

global policy and policy processing order

12-05-2015 10:21 PM

Hi,

We are running an ISG1000 cluster with 15 zones, with both inter-zone and intra-zone policies.

Each "from zone xxx to zone yyy" stanza ends with a deny any any log line.

With 15 zones, there are 15x14 "deny any any log" lines in the configuration.

In order to reduce the number of rules in the configuration, I was considering using a single "deny any any log" rule in the global policy.

But while looking for information about global policy on ScreenOS, I found info suggesting that a global policy could prevent intra-zone policies from being evaluated if it contains a deny any any...

https://www.fir3net.com/Firewalls/Juniper/netscreen-rule-processing-order.html

Rule Processing Order

The general processing order is as follows,

  1. Look for a policy between the ingress and egress zones
  2. If no policy is found (in step 1), search for a Global policy
  3. If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. if intra-zone block is enabled, drop the packet unless an intra-zone rule permits it.
  4. Implied deny all (also known as the Default Policy)

So to summarize the above,

  1. Policy for Ingress > Egress Zone
  2. Global Policy
  3. Intra-Zone Policy
  4. Implied deny all

If I read correctly what is stated above, global policies are evaluated before intra-zone policies.

So a deny any any log *in global policy* would always match any traffic before intra-zone policies have a chance to be evaluated, and then the intra-zone policies would never be processed...

Is that true?

Is there another way to get my intra-zone policies evaluated, while reducing the number of rules in our config by suppressing the n(n-1) deny any any lines in the zone-to-zone policies...?

I guess the implied deny all would do the trick, but I need logging of traffic matching the deny any any rule, and I guess that the implied deny all doesn't produce logs (?)


Re: global policy and policy processing order

12-06-2015 04:48 AM

Hi,

Global policies are processed in ScreenOS after all the intra-zone and inter-zone policies. Furthermore, it should be noted that when ScreenOS goes through a policy list, it does not process policies any further as soon as a match is found. Hence, if your inter-zone or intra-zone policies have an explicit Source-Any to Destination-Any deny/reject policy at the end of the policy set, the global policies will never be reached in the ScreenOS processing order.


Source: ScreenOS Cookbook, https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch07s12.html


Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com
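To make the shadowing effect described in this reply concrete, here is an added toy model (not code from the thread, from Juniper, or from the ScreenOS Cookbook) of the lookup order it gives: zone-pair (inter- and intra-zone) policies first, then global policies, then the implied default deny, first match wins. Zone names, addresses, services and the assumption that the implied deny does not log are constructed for the example; it also generates the n(n-1) trailing deny lines the question counts.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations

ANY = "any"
Packet = namedtuple("Packet", "src_zone dst_zone src dst service")

@dataclass(frozen=True)
class Policy:
    src_zone: "str | None"    # None on both zone fields marks a global policy
    dst_zone: "str | None"
    src: str                  # network in CIDR form, or ANY
    dst: str
    service: str              # service name, or ANY
    action: str               # "permit" or "deny"
    log: bool = False

def _addr_ok(rule_net, pkt_ip):
    return rule_net == ANY or ip_address(pkt_ip) in ip_network(rule_net)

def matches(rule, pkt):
    zone_ok = rule.src_zone is None or (rule.src_zone, rule.dst_zone) == (pkt.src_zone, pkt.dst_zone)
    return (zone_ok and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.service in (ANY, pkt.service))

def lookup(zone_policies, global_policies, pkt):
    """Return (action, logged, stage): the zone-pair set first, then the global
    set, then the implied default deny, which is assumed here not to log."""
    for stage, rules in (("zone-pair", zone_policies), ("global", global_policies)):
        for rule in rules:
            if matches(rule, pkt):
                return rule.action, rule.log, stage
    return "deny", False, "default"

def trailing_denies(zones):
    """The n(n-1) per-zone-pair 'deny any any log' lines the question describes."""
    return [Policy(s, d, ANY, ANY, ANY, "deny", log=True) for s, d in permutations(zones, 2)]

# Constructed sample: one inter-zone permit plus a single global deny-any-log.
ZONES = ["trust", "dmz", "untrust"]
PERMITS = [Policy("trust", "dmz", "10.1.0.0/24", "10.2.0.10/32", "HTTP", "permit", log=True)]
GLOBAL_DENY = [Policy(None, None, ANY, ANY, ANY, "deny", log=True)]
SSH_PKT = Packet("trust", "dmz", "10.1.0.5", "10.2.0.10", "SSH")

def with_per_pair_denies():   # the trailing denies match first; global is never reached
    return lookup(PERMITS + trailing_denies(ZONES), GLOBAL_DENY, SSH_PKT)

def with_global_deny_only():  # same logged deny, now produced by the global policy
    return lookup(PERMITS, GLOBAL_DENY, SSH_PKT)
```

With the per-pair deny lines removed, the single global rule still denies and logs the unmatched flow, which is the reduction the question is after.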

Re: global policy and policy processing order

12-06-2015 11:30 AM

OK, thanks.

That means that what is stated at https://www.fir3net.com/Firewalls/Juniper/netscreen-rule-processing-order.html about the policy processing order is wrong, then.

Makes more sense as you explained it (it's also the same behavior as SRX boxes, then).


Re: global policy and policy processing order

12-06-2015 11:41 AM

Hi,

Yes.
I also wrote to the person who wrote that article to correct the mistake. Hope he will.

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com