Security

How-To: Set a policy using a specific IP address

by Juniper Employee on 05-10-2016 09:32 AM - edited on 09-22-2017 03:51 PM by Administrator

Overview

How to set a policy to trigger on a specific IP address.

Description

In some scenarios, you may need to set a policy for a specific IP address. For example, it is possible to set a policy that allows a connection from 172.16.25.13 to 172.16.30.7 but rejects a connection from 172.16.25.13 to 172.16.30.6. Similarly, you could allow a connection from 172.16.25.3 to 172.16.30.6 but reject a connection from 172.16.25.3 to 172.16.30.7.


Guidelines

In this scenario, you want to be aware of the following issues when configuring your policies:

  • Use a specific /32 IP address in the policy configuration to control a single host. For example:
    • set address Trust "test" 172.16.30.0/24  (address object for the entire 172.16.30.0/24 subnet)
    • set address Trust "test/32" 172.16.30.7/32  (address object for the single host 172.16.30.7)
  • Ensure that your specific policies are listed above any generic policies. Policies are evaluated from the top of the list down and the first match wins, so with policies listed in this order:
    • policy 1, which covers 192.168.0.0/24 <===> 192.168.1.0/24, triggers first
    • policy 2, which covers 192.168.0.1/32 <===> 192.168.1.1/32, is never reached, even though its IP addresses are more specific. Move policy 2 above policy 1 so that the more specific policy triggers.
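The following Python script is an added illustration of the two guidelines above; it is not part of the original article and is not Juniper code. It models a policy list as a top-down, first-match search over /32 and /24 address objects, so you can see why the /32 policy in the second guideline is never reached when it sits below the /24 policy, and it includes a small shadowing check that flags such unreachable entries. The policy names, the permit/deny actions and the packet addresses are constructed for the example; zones, services and the bidirectional pairing implied by "<===>" are deliberately left out.

```python
import ipaddress

# Minimal first-match model of a firewall policy list (constructed example; it
# ignores zones, services and bidirectional policy pairs that a real ScreenOS
# policy would carry).


def make_policy(name, src, dst, action):
    """Build a policy entry; src/dst are CIDR strings such as '172.16.30.7/32'."""
    return (name,
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            action)


def first_match(policies, src_ip, dst_ip):
    """Evaluate a packet top-down and return (policy name, action) of the first
    policy whose source and destination address objects both contain it.
    Returns (None, 'deny') when nothing matches, modelling the implicit default deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for name, src_net, dst_net, action in policies:
        if s in src_net and d in dst_net:
            return name, action
    return None, "deny"


def shadowed(policies):
    """Return [(shadowed policy, earlier policy)] pairs. A policy is shadowed when
    an earlier entry's source and destination objects completely cover its own,
    so the top-down search can never reach it."""
    found = []
    for i, (name, src, dst, _) in enumerate(policies):
        for earlier, esrc, edst, _ in policies[:i]:
            if src.subnet_of(esrc) and dst.subnet_of(edst):
                found.append((name, earlier))
                break
    return found


# Scenario from the Description: per-host decisions between 172.16.25.x and 172.16.30.x.
# Policy names and actions are constructed for this example.
HOST_POLICIES = [
    make_policy("permit-13-to-7", "172.16.25.13/32", "172.16.30.7/32", "permit"),
    make_policy("deny-13-to-6",   "172.16.25.13/32", "172.16.30.6/32", "deny"),
    make_policy("permit-3-to-6",  "172.16.25.3/32",  "172.16.30.6/32", "permit"),
    make_policy("deny-3-to-7",    "172.16.25.3/32",  "172.16.30.7/32", "deny"),
]

# Scenario from the Guidelines: the /24 policy sits above the /32 policy and shadows it.
MISORDERED = [
    make_policy("policy 1", "192.168.0.0/24", "192.168.1.0/24", "permit"),
    make_policy("policy 2", "192.168.0.1/32", "192.168.1.1/32", "deny"),
]
# The same two policies with the specific /32 entry moved to the top.
REORDERED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    print(first_match(HOST_POLICIES, "172.16.25.13", "172.16.30.7"))  # permit-13-to-7
    print(first_match(MISORDERED, "192.168.0.1", "192.168.1.1"))      # policy 1 wins
    print(shadowed(MISORDERED))                                       # policy 2 is shadowed
    print(first_match(REORDERED, "192.168.0.1", "192.168.1.1"))       # policy 2 wins
    print(shadowed(REORDERED))                                        # nothing shadowed
```

Running the script shows the misordered list answering "policy 1" for the 192.168.0.1 to 192.168.1.1 packet and reporting policy 2 as shadowed; after the swap the same packet hits policy 2 and the shadowing check comes back empty. The shadowing function is the kind of check worth running over a policy export before and after any reordering, because a shadowed host-specific policy fails silently: traffic still flows, just under the wrong rule.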

Further Reading

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15074&actp=search