Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring a Security Policy to Permit or Deny Wildcard Address Traffic

    This example shows how to configure a security policy to permit or deny wildcard address traffic.

    Requirements

    Before you begin:

    Overview

    In the Junos operating system (Junos OS), security policies enforce rules for the transit traffic, in terms of what traffic can pass through the device, and the actions that need to take place on the traffic as it passes through the device. From the perspective of security policies, the traffic enters one security zone and exits another security zone. In this example, you configure a specific security to allow only wildcard address traffic from a host in the trust zone to the untrust zone. No other traffic is allowed.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all set security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all set security address-book book1 address wildcard-trust wildcard-address 192.168.0.11/255.255.0.255 set security address-book book1 attach zone trustset security policies from-zone trust to-zone untrust policy permit-wildcard match source-address wildcard-trustset security policies from-zone trust to-zone untrust policy permit-wildcard match destination-address anyset security policies from-zone trust to-zone untrust policy permit-wildcard match application anyset security policies from-zone trust to-zone untrust policy permit-wildcard then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure a security policy to allow selected traffic:

    1. Configure the interfaces and security zones.
      [edit security zones]user@host# set security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all user@host# set security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
    2. Create an address book entry for the host and attach the address book to a zone.
      [edit security address-book book1]user@host# set address wildcard-trust wildcard-address 192.168.0.11/255.255.0.255 user@host# set attach zone trust
    3. Define the policy to permit wildcard address traffic.
      [edit security policies from-zone trust to-zone untrust]user@host# set policy permit-wildcard match source-address wildcard-trustuser@host# set policy permit-wildcard match destination-address anyuser@host# set policy permit-wildcard match application anyuser@host# set policy permit-wildcard then permit

    Results

    From configuration mode, confirm your configuration by entering the show security policies and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]user@host# show security policiesfrom-zone trust to-zone untrust {policy permit-wildcard {match {source-address wildcard-trust;destination-address any;application any;}then {permit;}}}
    user@host# show security zonessecurity-zone trust {host-inbound-traffic {system-services {all;}interfaces {ge-0/0/2 {host-inbound-traffic {system-services {all;}}}}}}security-zone untrust {interfaces {ge-0/0/1 {host-inbound-traffic {system-services {all;}}}}}user@host# show security address-bookbook1 {address wildcard-trust {wildcard-address 192.168.0.11/255.255.0.255;}attach {zone trust;}}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Policy Configuration

    Purpose

    Verify information about security policies.

    Action

    From operational mode, enter the show security policies policy-name permit-wildcard detail command to display details about the permit-wildcard security policy configured on the device.

    Meaning

    The output displays information about the permit-wildcard policy configured on the system. Verify the following information:

    • From and To zones
    • Source and destination addresses
    • Match criteria

    Published: 2012-06-29