
Example: Configuring Global Policy

Unlike other security policies in Junos OS, global policies do not reference specific source and destination zones. Global policies reference the predefined address "any" or user-defined addresses that can span multiple security zones. Global policies give you the flexibility of performing actions on traffic without any zone restrictions. For example, you can create a global policy so that every host in every zone can access the company website, such as www.juniper.net. Using a global policy is a convenient shortcut when there are many security zones. Traffic is classified by matching its source address, destination address, and the application that the traffic carries in its protocol header.

This example shows how to configure a global policy to deny or permit traffic.

Requirements

Before you begin:

Overview

This configuration example shows how to configure a global policy that accomplishes what multiple security policies (using zones) would have accomplished. Global policy gp1 permits all traffic (application any) from server1 to server2, while policy gp2 denies FTP traffic (application junos-ftp) from server2 to server1, regardless of the zones the two addresses belong to.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security address-book global address server1 www.juniper.net
set security address-book global address server2 www.mail.com
set security policies global policy gp1 match source-address server1
set security policies global policy gp1 match destination-address server2
set security policies global policy gp1 match application any
set security policies global policy gp1 then permit
set security policies global policy gp2 match source-address server2
set security policies global policy gp2 match destination-address server1
set security policies global policy gp2 match application junos-ftp
set security policies global policy gp2 then deny

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a global policy to permit or deny all traffic:

  1. Create addresses.
    [edit security]
    user@host# set address-book global address server1 www.juniper.net
    user@host# set address-book global address server2 www.mail.com
  2. Create the global policy to permit all traffic.
    [edit security]
    user@host# set policies global policy gp1 match source-address server1
    user@host# set policies global policy gp1 match destination-address server2
    user@host# set policies global policy gp1 match application any
    user@host# set policies global policy gp1 then permit
  3. Create the global policy to deny all traffic.
    [edit security]
    user@host# set policies global policy gp2 match source-address server2
    user@host# set policies global policy gp2 match destination-address server1
    user@host# set policies global policy gp2 match application junos-ftp
    user@host# set policies global policy gp2 then deny

Results

From configuration mode, confirm your configuration by entering the show security policies and show security policies global commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host> show security policies
Default policy: permit-all
Global policies:
  Policy: gp1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: server1
    Destination addresses: server2
    Applications: any
    Action: permit
  Policy: gp2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: server2
    Destination addresses: server1
    Applications: junos-ftp
    Action: deny

If you are done configuring the device, enter commit from configuration mode.
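To check the device state against the intent of this example rather than reading the output by eye, the following added script (not part of the Juniper documentation) parses the show security policies output above, compares gp1 and gp2 against a constructed table of the intended match conditions and actions, and flags a permit-all default policy, since with that setting any traffic that matches neither global policy is still allowed through.

```python
# Constructed sample: the "show security policies" output shown in the Results section.
SAMPLE_OUTPUT = """\
Default policy: permit-all
Global policies:
  Policy: gp1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: server1
    Destination addresses: server2
    Applications: any
    Action: permit
  Policy: gp2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: server2
    Destination addresses: server1
    Applications: junos-ftp
    Action: deny
"""

# Intended state of the two global policies in this example (constructed intent table).
EXPECTED = {
    "gp1": {"src": "server1", "dst": "server2", "app": "any", "action": "permit"},
    "gp2": {"src": "server2", "dst": "server1", "app": "junos-ftp", "action": "deny"},
}
FIELDS = {"Source addresses": "src", "Destination addresses": "dst",
          "Applications": "app", "Action": "action"}

def parse_policies(text):
    """Parse 'show security policies' output into (default_policy, {name: fields})."""
    default_policy, policies, current = None, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Default policy:"):
            default_policy = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Policy:"):  # header line of one policy entry
            name = stripped.split(",")[0].split(":", 1)[1].strip()
            policies[name] = current = {}
        elif current is not None and ":" in stripped:  # indented match/action fields
            key, value = (s.strip() for s in stripped.split(":", 1))
            if key in FIELDS:
                current[FIELDS[key]] = value
    return default_policy, policies

def check_policies(text, expected):
    """Return findings; an empty list means the device matches the intended policy set."""
    default_policy, policies = parse_policies(text)
    findings = ["default policy is permit-all: traffic that matches no policy is permitted"] if default_policy == "permit-all" else []
    for name, want in expected.items():
        got = policies.get(name, {})  # missing policy yields a finding per field
        for field, value in want.items():
            if got.get(field) != value:
                findings.append(f"{name}: {field} is {got.get(field)!r}, expected {value!r}")
    return findings
```

Feed it the output of show security policies captured from the device in place of SAMPLE_OUTPUT; on the sample above the only finding is the permit-all default policy.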

Verification

Confirm that the configuration is working properly.

Verifying Global Policy Configuration

Purpose

Verify that global policies gp1 and gp2 are configured as required.

Action

From operational mode, enter the show security policies global command.

Published: 2012-10-05