Understanding Security Policy Elements
A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points.
A policy is defined within a context made up of:
- An incoming zone (the from-zone)
- An outgoing zone (the to-zone)
- An ordered set of policies between the from-zone and to-zone. Traffic is checked against the policies of a context in order, and the first policy whose match criteria are satisfied is the one applied.
Each policy consists of:
- A name for the policy, unique within its from-zone/to-zone context.
- A set of match criteria defining the conditions that must be satisfied to apply the policy rule. The match criteria are the source address, the destination address, and the application. Source addresses are taken from the from-zone's address book and destination addresses from the to-zone's address book, so a policy only ever matches traffic flowing in the from-zone to to-zone direction; return traffic for a permitted session is handled by the session table, not by a second policy.
- A set of actions to be performed in case of a match: permit, deny (drop the packet silently), or reject (drop the packet and send a TCP reset or ICMP unreachable message back to the source).
- Accounting and auditing elements: counting, logging, or structured system logging.
The following example shows a policy configuration that allows SSH traffic from the green zone (from-zone) to the red zone (to-zone). Because the policy is evaluated from green to red, the source address must be defined in the green zone's address book and the destination address in the red zone's address book:
- The green zone's address book contains the abc address.
- The red zone's address book contains the public address.
Note that ssh is not one of the JUNOS predefined applications; the predefined SSH application is junos-ssh. A bare ssh, as used below, only commits if a custom application of that name has been defined under [edit applications].
user@host# set security policies from-zone green to-zone red policy abctopublic match source-address abc
user@host# set security policies from-zone green to-zone red policy abctopublic match destination-address public
user@host# set security policies from-zone green to-zone red policy abctopublic match application ssh
user@host# set security policies from-zone green to-zone red policy abctopublic then permit
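To make the evaluation rules concrete, the following Python model is an added example, not code from the page or from Juniper. It parses set-style policy statements of the form shown above into per-context ordered policy lists and then answers "what does the firewall do with this flow?" by first-match lookup inside the from-zone/to-zone context, falling through to the implicit default deny when nothing matches or when no context exists for that zone pair. The address prefixes, the catch-all deny-rest policy and the port mapping for the custom ssh application are constructed assumptions for the example; junos-ssh and junos-http are the real predefined application names.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed per-zone address books: the page names the entries abc and
# public, the prefixes are assumptions for this example.
ADDRESS_BOOKS = {
    "green": {"abc": "10.1.1.0/24"},
    "red": {"public": "203.0.113.10/32"},
}

# junos-ssh and junos-http are Junos predefined applications; "ssh" stands
# for a custom application assumed to exist under [edit applications].
APPLICATIONS = {
    "junos-ssh": ("tcp", 22),
    "junos-http": ("tcp", 80),
    "ssh": ("tcp", 22),
}


@dataclass
class Policy:
    name: str
    src: list = field(default_factory=list)   # source-address names (from-zone book)
    dst: list = field(default_factory=list)   # destination-address names (to-zone book)
    apps: list = field(default_factory=list)  # application names
    action: str = None                        # permit | deny | reject
    log: bool = False
    count: bool = False


def parse_set_lines(lines):
    """Parse 'set security policies from-zone X to-zone Y policy P ...' lines
    into {(from_zone, to_zone): [Policy, ...]}, keeping the order in which
    each policy first appears; that is the order the context evaluates."""
    contexts = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 11 or tok[:4] != ["set", "security", "policies", "from-zone"]:
            continue  # not a zone-pair policy statement
        from_zone, to_zone, name = tok[4], tok[6], tok[8]
        policies = contexts.setdefault((from_zone, to_zone), [])
        pol = next((p for p in policies if p.name == name), None)
        if pol is None:
            pol = Policy(name)
            policies.append(pol)
        if tok[9] == "match":
            match_field, values = tok[10], tok[11:]
            if match_field == "source-address":
                pol.src.extend(values)
            elif match_field == "destination-address":
                pol.dst.extend(values)
            elif match_field == "application":
                pol.apps.extend(values)
        elif tok[9] == "then":
            for t in tok[10:]:
                if t in ("permit", "deny", "reject"):
                    pol.action = t
                elif t == "log":
                    pol.log = True
                elif t == "count":
                    pol.count = True
    return contexts


def resolve(zone, name):
    """Address-book lookup in the given zone; 'any' is the whole address space."""
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(ADDRESS_BOOKS[zone][name])


def app_matches(app, proto, dport):
    return app == "any" or APPLICATIONS[app] == (proto, dport)


def lookup(contexts, from_zone, to_zone, src_ip, dst_ip, proto, dport):
    """First-match evaluation inside the (from_zone, to_zone) context.
    Returns (action, policy_name); a missing context or no matching policy
    falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in contexts.get((from_zone, to_zone), []):
        if (any(src in resolve(from_zone, n) for n in pol.src)
                and any(dst in resolve(to_zone, n) for n in pol.dst)
                and any(app_matches(a, proto, dport) for a in pol.apps)):
            return pol.action, pol.name
    return "default-deny", None


# Constructed configuration: the page's abctopublic policy (using the
# predefined junos-ssh application) followed by an explicit, logged catch-all.
CONFIG = """
set security policies from-zone green to-zone red policy abctopublic match source-address abc
set security policies from-zone green to-zone red policy abctopublic match destination-address public
set security policies from-zone green to-zone red policy abctopublic match application junos-ssh
set security policies from-zone green to-zone red policy abctopublic then permit
set security policies from-zone green to-zone red policy abctopublic then count
set security policies from-zone green to-zone red policy deny-rest match source-address any
set security policies from-zone green to-zone red policy deny-rest match destination-address any
set security policies from-zone green to-zone red policy deny-rest match application any
set security policies from-zone green to-zone red policy deny-rest then deny
set security policies from-zone green to-zone red policy deny-rest then log session-init
""".strip().splitlines()

CONTEXTS = parse_set_lines(CONFIG)

if __name__ == "__main__":
    for flow in [
        ("green", "red", "10.1.1.5", "203.0.113.10", "tcp", 22),   # permitted by abctopublic
        ("green", "red", "10.1.1.5", "203.0.113.10", "tcp", 80),   # falls to deny-rest
        ("red", "green", "203.0.113.10", "10.1.1.5", "tcp", 22),   # reverse direction: no context
    ]:
        print(flow, "->", lookup(CONTEXTS, *flow))
```

The third flow is the point of the unidirectional rule: a red-to-green SSH attempt is not covered by the green-to-red policy and hits the default deny, even though the same addresses and application appear in abctopublic. The explicit deny-rest policy with log session-init is the usual way to make that fall-through visible in logs rather than silent.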
For more information on the policy configuration syntax and options, see the JUNOS Software CLI Reference.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Security Policies Overview
- Understanding Security Policy Rules
- Security Policies Configuration Overview
- Understanding Security Policy Ordering