Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Reordering Security Policies

Reordering security policy allows to move the policies around after they have been created. Junos OS provides CLI statements and command for verifying that the order of policies in the policy list and change the order if required.

View and Change Security Policy Ordering

Security policies execute in the order of their appearance in the configuration file, you should be aware of the following:

  • Policy order is important.
  • New policies go to the end of the policy list.
  • The last policy is the default policy, which has the default action of denying all traffic.

When you have configured the number of security policies, it is possible for one policy to eclipse, or shadow, another policy. In such case:

  • You can view the list of shadowed policies in the policy list using the show security shadow-policies command.
  • You can change the order of policies and put the more specific policy before other by using the insert and before statement.

Consider the following examples:

Example 1

Example 2

In examples 1 and 2, where policy permit-mail is configured after policy permit-all from zone trust to zone untrust. All traffic coming from zone untrust matches the first policy permit-all and is allowed by default. No traffic matches policy permit-mail.

Because Junos OS performs a policy lookup starting from the top of the list, when it finds a match for traffic received, it does not look any lower in the policy list. To correct the previous example, you can simply reverse the order of the policies, putting the more specific one first:

In cases where there are dozens or hundreds of policies, the eclipsing of one policy by another might not be so easy to detect. To check if policies are being shadowed, enter any of the following commands:

This command reports the shadowing and shadowed policies. It is then the administrator's responsibility to correct the situation.

Note:

The concept of policy shadowing refers to the situation where a policy higher in the policy list always takes effect before a subsequent policy. Because the policy lookup always uses the first policy it finds that matches the five-part tuple of the source and destination zone, source and destination address, and application type, if another policy applies to the same tuple (or a subset of the tuple), the policy lookup uses the first policy in the list and never reaches the second one.