Reordering Security Policies
Reordering security policies lets you move policies within the policy list after they have been created. Because Junos OS evaluates policies from the top of the list and uses the first match, a badly ordered list can leave a later policy that is never reached. Junos OS offers a tool for verifying that the order of policies in the policy list is valid.
Understanding Security Policy Ordering
It is possible for one policy to eclipse, or shadow, another policy, so that the second policy is never evaluated. Consider the following examples, where Example 2 adds a policy to the configuration built in Example 1:
Example 1
[edit]
user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
user@host# set security policies from-zone trust to-zone untrust policy permit-all match source-address any
user@host# set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy permit-all match application any
user@host# set security policies from-zone trust to-zone untrust policy permit-all then permit
user@host# set security policies from-zone untrust to-zone trust policy deny-all match source-address any
user@host# set security policies from-zone untrust to-zone trust policy deny-all match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy deny-all match application any
user@host# set security policies from-zone untrust to-zone trust policy deny-all then deny
Example 2
[edit]
user@host# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
user@host# set security address-book book1 address mail-untrust 192.0.2.1/24
user@host# set security address-book book1 attach zone untrust
user@host# set security address-book book2 address mail-trust 192.168.1.1/24
user@host# set security address-book book2 attach zone trust
user@host# set security policies from-zone trust to-zone untrust policy permit-mail match source-address mail-trust
user@host# set security policies from-zone trust to-zone untrust policy permit-mail match destination-address mail-untrust
user@host# set security policies from-zone trust to-zone untrust policy permit-mail match application junos-mail
user@host# set security policies from-zone trust to-zone untrust policy permit-mail then permit
In Examples 1 and 2, policy permit-mail is configured after policy permit-all in the policy list from zone trust to zone untrust. All traffic from zone trust to zone untrust matches the first policy, permit-all, and is permitted by that policy. No traffic ever matches policy permit-mail: its more specific source address, destination address, and application criteria are a subset of what permit-all already matches, so the lookup never reaches it.
Because Junos OS performs a policy lookup starting from the top of the list, when it finds a match for traffic received, it does not look any lower in the policy list. To correct the previous example, you can simply reverse the order of the policies, putting the more specific one first:
[edit]
user@host# insert security policies from-zone trust to-zone untrust policy permit-mail before policy permit-all
In cases where there are dozens or hundreds of policies, the eclipsing of one policy by another might not be so easy to detect. To check whether policies are being shadowed, enter either of the following commands (on a device that does not use logical systems, omit the logical-system lsys-name option):
[edit]
user@host# run show security shadow-policies logical-system lsys-name from-zone from-zone-name to-zone to-zone-name
[edit]
user@host# run show security shadow-policies logical-system lsys-name global
This command reports the shadowing and shadowed policies. It is then the administrator's responsibility to correct the situation, typically by moving the more specific policy above the broader one with the insert command. Note that the check reports a policy whose match criteria fall entirely within those of an earlier policy; a policy that only partially overlaps an earlier one is still reached by some traffic and is not reported, so overlapping policies should still be reviewed by hand.
The concept of policy shadowing refers to the situation where a policy higher in the policy list always takes effect before a subsequent policy. The policy lookup always uses the first policy it finds that matches the five-part tuple of source zone, destination zone, source address, destination address, and application. If a later policy applies to the same tuple (or to a subset of it), the lookup uses the first policy in the list and never reaches the second one, regardless of whether the second policy's action is permit or deny.
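The following script is an added example, not Juniper code, that models the first-match lookup and the subset-based shadow check described above for one from-zone/to-zone pair. It assumes the policies of Examples 1 and 2 with the address-book entries resolved to prefixes (constructed data); address "any" is modelled as 0.0.0.0/0 and application "any" as the literal string "any". It then applies the equivalent of the insert command and shows that the shadow report is empty and mail traffic reaches permit-mail.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample data: address "any" modelled as the default route.
ANY = "0.0.0.0/0"


@dataclass
class Policy:
    name: str
    src: List[str]          # source address prefixes (resolved address-book entries)
    dst: List[str]          # destination address prefixes
    apps: FrozenSet[str]    # application names, or frozenset({"any"})
    action: str             # "permit" or "deny"


def _prefixes_covered(outer: List[str], inner: List[str]) -> bool:
    """True if every prefix in inner lies inside some prefix in outer."""
    outer_nets = [ip_network(p, strict=False) for p in outer]
    for q in inner:
        qn = ip_network(q, strict=False)
        if not any(o.version == qn.version and qn.subnet_of(o) for o in outer_nets):
            return False
    return True


def _apps_covered(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    """Application "any" covers everything; otherwise require a subset of named apps."""
    return "any" in outer or inner <= outer


def shadows(earlier: Policy, later: Policy) -> bool:
    """earlier shadows later when every tuple later could match is already matched by earlier."""
    return (_prefixes_covered(earlier.src, later.src)
            and _prefixes_covered(earlier.dst, later.dst)
            and _apps_covered(earlier.apps, later.apps))


def find_shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (shadowing, shadowed) pairs for an ordered policy list.

    Only the first earlier policy that fully covers a later one is reported,
    because the lookup stops at that first match anyway."""
    result = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if shadows(earlier, later):
                result.append((earlier.name, later.name))
                break
    return result


def lookup(policies: List[Policy], src_ip: str, dst_ip: str, app: str) -> Optional[str]:
    """First-match policy lookup from the top of the list down; None if nothing matches."""
    for p in policies:
        if (_prefixes_covered(p.src, [src_ip])
                and _prefixes_covered(p.dst, [dst_ip])
                and ("any" in p.apps or app in p.apps)):
            return p.name
    return None


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Equivalent of 'insert security policies ... policy <name> before policy <before>'."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# The trust->untrust list as built by Examples 1 and 2 (constructed; permit-all first).
TRUST_TO_UNTRUST = [
    Policy("permit-all", [ANY], [ANY], frozenset({"any"}), "permit"),
    Policy("permit-mail", ["192.168.1.1/24"], ["192.0.2.1/24"], frozenset({"junos-mail"}), "permit"),
]

if __name__ == "__main__":
    print(find_shadowed(TRUST_TO_UNTRUST))
    print(lookup(TRUST_TO_UNTRUST, "192.168.1.10", "192.0.2.25", "junos-mail"))
    fixed = insert_before(TRUST_TO_UNTRUST, "permit-mail", "permit-all")
    print(find_shadowed(fixed))
    print(lookup(fixed, "192.168.1.10", "192.0.2.25", "junos-mail"))
```

The same check generalises to any ordered list for one zone pair: a later policy is reported only when its source prefixes, destination prefixes, and applications are each fully covered by a single earlier policy, which is the subset condition the text describes. After the reorder, permit-all no longer shadows anything because 0.0.0.0/0 is not a subset of the mail prefixes, and non-mail traffic still falls through to permit-all.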
Example: Reordering Security Policies
This example shows how to move policies around after they have been created.
Requirements
Before you begin:
Create zones. See Example: Creating Security Zones.
Configure the address book and create addresses for use in the policy. See Example: Configuring Address Books and Address Sets.
Overview
To reorder policies to correct shadowing, reverse the order of the policies so that the more specific one comes first. In this example, policy permit-mail (which matches only mail traffic between specific addresses) is moved ahead of policy permit-all.
Configuration
Procedure
Step-by-Step Procedure
To reorder existing policies:
Move policy permit-mail ahead of policy permit-all by entering the following command:
[edit]
user@host# insert security policies from-zone trust to-zone untrust policy permit-mail before policy permit-all
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify that the policies are now in the intended order, enter the show security policies command from operational mode; the policies are listed in the order in which they are evaluated. To confirm that no policy remains shadowed, enter the show security shadow-policies command for the same from-zone and to-zone pair.