JUNOS software offers a tool for verifying that the order of policies in the policy list is valid.
Before You Begin: for background information, read Security Policies Overview.
It is possible for one policy to eclipse, or shadow, another policy. Consider the following example:
```
user@host# set security policies from-zone internal to-zone external policy 1 match source-address any
user@host# set security policies from-zone internal to-zone external policy 1 match destination-address any
user@host# set security policies from-zone internal to-zone external policy 1 match application junos-http
user@host# set security policies from-zone internal to-zone external policy 1 then permit
user@host# set security policies from-zone internal to-zone external policy 2 match source-address any
user@host# set security policies from-zone internal to-zone external policy 2 match destination-address any
user@host# set security policies from-zone internal to-zone external policy 2 match application junos-http
user@host# set security policies from-zone internal to-zone external policy 2 then deny
```
Because JUNOS software performs a policy lookup starting from the top of the list, when it finds a match for traffic received, it does not look any lower in the policy list. In the previous example, JUNOS software never reaches policy 2 because the destination address any in policy 1 includes the more specific dst-A address in policy 2. When an HTTP packet arrives at JUNOS software from an address in the Internal zone bound for dst-A in the External zone, JUNOS software always first finds a match with policy 1.
To correct the previous example, you can simply reverse the order of the policies, putting the more specific one first:
```
user@host# set security policies from-zone internal to-zone external policy 2 match source-address any
user@host# set security policies from-zone internal to-zone external policy 2 match destination-address any
user@host# set security policies from-zone internal to-zone external policy 2 match application junos-http
user@host# set security policies from-zone internal to-zone external policy 2 then deny
user@host# set security policies from-zone internal to-zone external policy 1 match source-address any
user@host# set security policies from-zone internal to-zone external policy 1 match destination-address any
user@host# set security policies from-zone internal to-zone external policy 1 match application junos-http
user@host# set security policies from-zone internal to-zone external policy 1 then permit
```
Of course, this example is purposefully simple to illustrate the basic concept. In cases where there are dozens or hundreds of policies, the eclipsing of one policy by another is not so easy to spot. To check whether any policy in your policy list is shadowed, you can use the following CLI command:
This command reports the shadowing and shadowed policies. It is then the administrator's responsibility to correct the situation.
Note: Policy shadowing refers to the situation where a policy higher in the policy list always takes effect before a subsequent policy. Because the policy lookup always uses the first policy it finds that matches the five-part tuple of source and destination zone, source and destination address, and application type, if another policy applies to the same tuple (or a subset of the tuple), the policy lookup uses the first policy in the list and never reaches the second one.
The policy verification tool cannot detect the case where a combination of policies shadows another policy. In the following example, no single policy shadows policy 3; however, policies 1 and 2 together do shadow it:
```
user@host# set security zones security-zone trust address-book address-set grp1 address host1
user@host# set security zones security-zone trust address-book address-set grp1 address host2
user@host# set policy id 1 from trust to untrust host1 server1 HTTP permit
user@host# set policy id 2 from trust to untrust host2 server1 HTTP permit
user@host# set policy id 3 from trust to untrust grp1 server1 HTTP deny
```
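The two shadowing cases on this page (a single earlier policy eclipsing a later one, and a combination of earlier policies eclipsing a later one) can both be checked offline with a small script. The following Python example is added here and is not Juniper's verification tool or any JUNOS code; it parses `set security policies ...` and `set security zones ... address-set ...` commands of the form shown above, resolves address sets, and reports shadowed policies. The inputs are constructed for this example: the first pair of policies follows the prose above (policy 2 matching `dst-A`), and the combination case is written in `set security policies` syntax rather than the `set policy id` form used above. The combination check enumerates every (source, destination, application) tuple of a later policy, so it only applies when none of that policy's fields is `any`; wildcard policies get the single-policy check only.

```python
from collections import defaultdict
from itertools import product

ANY = "any"
FIELDS = ("src", "dst", "app")
MATCH_KEYS = {"source-address": "src", "destination-address": "dst", "application": "app"}


def parse_set_commands(lines):
    """Parse JUNOS-style 'set security ...' lines (one complete command per line).

    Returns (policies, book): policies is the ordered list of policy dicts with keys
    zones, name, src, dst, app, action; book maps address-set names to members."""
    policies, book = {}, defaultdict(set)
    for line in lines:
        toks = line.split()
        if toks[:3] == ["set", "security", "zones"] and "address-set" in toks:
            # set security zones security-zone Z address-book address-set G address H
            i = toks.index("address-set")
            book[toks[i + 1]].add(toks[i + 3])
        elif toks[:3] == ["set", "security", "policies"]:
            # set security policies from-zone F to-zone T policy N (match|then) ...
            key = (toks[4], toks[6], toks[8])
            pol = policies.setdefault(key, {"zones": key[:2], "name": key[2], "src": set(),
                                            "dst": set(), "app": set(), "action": None})
            if toks[9] == "match":
                pol[MATCH_KEYS[toks[10]]].add(toks[11])
            elif toks[9] == "then":
                pol["action"] = toks[10]
    return list(policies.values()), book


def expand(names, book):
    """Resolve address-set names to their members; 'any' stays the wildcard ANY."""
    if ANY in names:
        return ANY
    members = set()
    for n in names:
        members |= book.get(n, {n})
    return frozenset(members)


def covers(earlier, later):
    """True when the earlier policy's field matches everything the later field matches."""
    return earlier == ANY or (later != ANY and later <= earlier)


def matches(field, value):
    return field == ANY or value in field


def find_shadowed(policies, book):
    """Return [(shadowed policy name, sorted shadowing policy names)] in list order.

    A later policy is shadowed if one earlier policy covers all its fields, or if
    every concrete (src, dst, app) tuple it matches is already matched by some
    earlier policy of the same zone pair (the combination case)."""
    exp = [dict(p, **{f: expand(p[f], book) for f in FIELDS}) for p in policies]
    found = []
    for j, later in enumerate(exp):
        earlier = [e for e in exp[:j] if e["zones"] == later["zones"]]
        single = next((e for e in earlier if all(covers(e[f], later[f]) for f in FIELDS)), None)
        if single is not None:
            found.append((later["name"], [single["name"]]))
            continue
        if any(later[f] == ANY for f in FIELDS):
            continue  # wildcard fields cannot be enumerated; single-policy check only
        used = set()
        for tup in product(*(later[f] for f in FIELDS)):
            hit = next((e for e in earlier
                        if all(matches(e[f], v) for f, v in zip(FIELDS, tup))), None)
            if hit is None:
                break  # this tuple still reaches the later policy: not shadowed
            used.add(hit["name"])
        else:
            if used:
                found.append((later["name"], sorted(used)))
    return found


def policy_lines(name, src, dst, app, action, zones=("internal", "external")):
    """Build the four set commands that define one policy (constructed sample input)."""
    base = f"set security policies from-zone {zones[0]} to-zone {zones[1]} policy {name}"
    return [f"{base} match source-address {src}", f"{base} match destination-address {dst}",
            f"{base} match application {app}", f"{base} then {action}"]


# Constructed inputs modelled on the page's examples (dst-A is the prose's address name).
SHADOWED = (policy_lines("1", "any", "any", "junos-http", "permit")
            + policy_lines("2", "any", "dst-A", "junos-http", "deny"))
REORDERED = SHADOWED[4:] + SHADOWED[:4]
COMBINED = (["set security zones security-zone trust address-book address-set grp1 address host1",
             "set security zones security-zone trust address-book address-set grp1 address host2"]
            + policy_lines("1", "host1", "server1", "junos-http", "permit", ("trust", "untrust"))
            + policy_lines("2", "host2", "server1", "junos-http", "permit", ("trust", "untrust"))
            + policy_lines("3", "grp1", "server1", "junos-http", "deny", ("trust", "untrust")))

if __name__ == "__main__":
    for label, cfg in (("shadowed", SHADOWED), ("reordered", REORDERED), ("combined", COMBINED)):
        print(label, find_shadowed(*parse_set_commands(cfg)))
```

Running the script reports policy 2 shadowed by policy 1 in the first ordering, nothing after the two policies are swapped, and policy 3 shadowed by the pair 1 and 2 in the address-set case, which is exactly the case the prose says the built-in tool does not catch.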