
    Example: Configuring a Security Policy to Permit or Deny Selected Traffic

    This example shows how to configure a security policy to permit or deny selected traffic.

    Requirements

    Before you begin:

    Overview

    In Junos OS, security policies enforce rules for transit traffic: which traffic can pass through the device, and the actions taken on that traffic as it passes through. From the perspective of security policies, traffic enters one security zone and exits another. In this example, you configure a security policy that allows only e-mail traffic from a host in the trust zone to a server in the untrust zone; no other traffic is allowed. See Figure 1.

    Figure 1: Permitting Selected Traffic


    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
    set security address-book book1 address mail-untrust 1.1.1.24/32
    set security address-book book1 attach zone untrust
    set security address-book book2 address mail-trust 192.168.1.1/32
    set security address-book book2 attach zone trust
    set security policies from-zone trust to-zone untrust policy permit-mail match source-address mail-trust
    set security policies from-zone trust to-zone untrust policy permit-mail match destination-address mail-untrust
    set security policies from-zone trust to-zone untrust policy permit-mail match application junos-mail
    set security policies from-zone trust to-zone untrust policy permit-mail then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure a security policy to allow selected traffic:

    1. Configure the interfaces and security zones.
      [edit security zones]
      user@host# set security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all
      user@host# set security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
    2. Create address book entries for both the client and the server. Also, attach security zones to the address books.
      [edit security address-book book1]
      user@host# set address mail-untrust 1.1.1.24/32
      user@host# set attach zone untrust
      [edit security address-book book2]
      user@host# set address mail-trust 192.168.1.1/32
      user@host# set attach zone trust
    3. Define the policy to permit mail traffic.
      [edit security policies from-zone trust to-zone untrust]
      user@host# set policy permit-mail match source-address mail-trust
      user@host# set policy permit-mail match destination-address mail-untrust
      user@host# set policy permit-mail match application junos-mail
      user@host# set policy permit-mail then permit

    Results

    From configuration mode, confirm your configuration by entering the show security policies and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security policies
    from-zone trust to-zone untrust {
        policy permit-mail {
            match {
                source-address mail-trust;
                destination-address mail-untrust;
                application junos-mail;
            }
            then {
                permit;
            }
        }
    }

    user@host# show security zones
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
    security-zone untrust {
        interfaces {
            ge-0/0/1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }

    user@host# show security address-book
    book1 {
        address mail-untrust 1.1.1.24/32;
        attach {
            zone untrust;
        }
    }
    book2 {
        address mail-trust 192.168.1.1/32;
        attach {
            zone trust;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Policy Configuration

    Purpose

    Verify information about security policies.

    Action

    From operational mode, enter the show security policies detail command to display a summary of all security policies configured on the device.

    Meaning

    The output displays information about policies configured on the system. Verify the following information:

    • From and to zones
    • Source and destination addresses
    • Match criteria
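As an added example (not Juniper code), the script below parses the brace-format output shown in the Results section and checks the trust-to-untrust context against the intent of this example: exactly one policy, matching only the two address-book entries and junos-mail, with action permit. The parser and `check_policy` are assumptions of this example, and the sample output is constructed from the Results section above.

```python
# Added example (not Juniper code): parse 'show security policies' output and check it against intent.
SAMPLE = """\
from-zone trust to-zone untrust {
    policy permit-mail {
        match {
            source-address mail-trust;
            destination-address mail-untrust;
            application junos-mail;
        }
        then {
            permit;
        }
    }
}
"""  # constructed from the Results section above

def parse_junos(text):
    """'key {' opens a nested dict; 'leaf value;' appends value to a list."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif line.endswith(";"):
            key, *val = line[:-1].split(None, 1)  # bare 'permit;' -> []
            cur.setdefault(key, []).extend(val)
    return root

def check_policy(config, from_zone, to_zone, name, expected_match):
    """Return a list of findings; an empty list means the policy matches intent."""
    ctx = config.get(f"from-zone {from_zone} to-zone {to_zone}", {})
    policies = {k.split(None, 1)[1]: v for k, v in ctx.items()
                if k.startswith("policy ")}
    if name not in policies:
        return [f"policy {name} missing in {from_zone}->{to_zone}"]
    # Any other policy in this context would widen what is permitted.
    findings = [f"unexpected policy {p}" for p in sorted(set(policies) - {name})]
    match = policies[name].get("match", {})
    for key, want in expected_match.items():
        if match.get(key) != want:
            findings.append(f"{key}: expected {want}, got {match.get(key)}")
    if "permit" not in policies[name].get("then", {}):
        findings.append("action is not permit")
    return findings

INTENT = {"source-address": ["mail-trust"], "destination-address": ["mail-untrust"],
          "application": ["junos-mail"]}
```

Running `check_policy(parse_junos(SAMPLE), "trust", "untrust", "permit-mail", INTENT)` returns an empty list for the configuration in this example; a second policy in the same context, or a different application, shows up as a finding.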

    Published: 2012-06-29