Example: Configuring a Security Policy to Permit or Deny All Traffic
This example shows how to configure a security policy to permit or deny all traffic.
Requirements
Before you begin:
- Create zones. See Example: Creating Security Zones.
- Configure an address book and create addresses for use in the policy. See Example: Configuring Address Books and Address Sets.
- Create an application (or application set) that indicates that the policy applies to traffic of that type. See Example: Configuring Applications and Application Sets.
Overview
In the Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device, and the actions that need to take place on traffic as it passes through the device. From the perspective of security policies, the traffic enters one security zone and exits another security zone. In this example, you configure the trust and untrust interfaces, ge-0/0/2 and ge-0/0/1. See Figure 1.
Figure 1: Permitting All Traffic
This configuration example shows how to:
- Permit or deny all traffic from the trust zone to the untrust zone but block everything from the untrust zone to the trust zone.
- Permit or deny selected traffic from a host in the trust zone to a server in the untrust zone at a particular time.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various
levels in the configuration hierarchy. For instructions on how to
do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide 
.
To configure a security policy to permit or deny all traffic:
- Configure the interfaces and security zones.[edit security zones]user@host# set security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all user@host# set security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
- Create the security policy to permit traffic from the
trust zone to the untrust zone.[edit security policies from-zone trust to-zone untrust]user@host# set policy permit-all match source-address anyuser@host# set policy permit-all match destination-address any user@host# set policy permit-all match application anyuser@host# set policy permit-all then permit
- Create the security policy to deny traffic from the untrust
zone to the trust zone.[edit security policies from-zone untrust to-zone trust]user@host# set policy deny-all match source-address anyuser@host# set policy deny-all match destination-address anyuser@host# set policy deny-all match application anyuser@host# set policy deny-all then deny
Results
From configuration mode, confirm your configuration by entering the show security policies and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
 | Note: The configuration example is a default permit-all from the trust zone to the untrust zone. |
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
From operational mode, enter the show security policies detail command to display a summary of all security policies configured on the device.
Meaning
The output displays information about policies configured on the system. Verify the following information:
- From and to zones
- Source and destination addresses
- Match criteria
