Example: Configuring Security Policies in a User Logical System
This example shows how to configure security policies for a user logical system.
Requirements
Before you begin:
- Log in to the user logical system as the logical system administrator. See User Logical System Configuration Overview.
- Use the show system security-profiles policy command
to see the security policy resources allocated to the logical system.
See the Junos OS CLI Reference
. - Configure zones and address books. See Example: Configuring Zones for a User Logical System.
Overview
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example configures the security policies described in Table 1.
Table 1: User Logical System Security Policies Configuration
Name | Configuration Parameters |
|---|---|
permit-all-to-otherlsys | Permit the following traffic:
|
permit-all-from-otherlsys | Permit the following traffic:
|
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels
in the configuration hierarchy. For instructions on how to do that,
see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide .
To configure security policies in a user logical system:
- Log in to the user logical system as the logical system
administrator and enter configuration mode.lsdesignadmin1@host:ls-product-design> configurelsdesignadmin1@host:ls-product-design#
- Configure a security policy that permits traffic from
the ls-product-design-trust zone to the ls-product-design-untrust
zone.[edit security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust]lsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match source-address product-designerslsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match destination-address otherlsyslsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys match application anylsdesignadmin1@host:ls-product-design# set policy permit-all-to-otherlsys then permit
- Configure a security policy that permits traffic from
the ls-product-design-untrust zone to the ls-product-design-trust
zone.[edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]lsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match source-address otherlsyslsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match destination-address product-designerslsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys match application anylsdesignadmin1@host:ls-product-design# set policy permit-all-from-otherlsys then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Policy Configuration
Purpose
Verify information about policies and rules.
Action
From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.
