Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring Global Policy


Unlike other security policies in Junos OS, global policies do not reference specific source and destination zones. Global policies reference the predefined address “any” or user-defined addresses that can span multiple security zones. Global policies give you the flexibility of performing actions on traffic without any zone restrictions. For example, you can create a global policy so that every host in every zone can access the company website, for example, Using a global policy is a convenient shortcut when there are many security zones. Traffic is classified by matching its source address, destination address, and the application that the traffic carries in its protocol header.

This example shows how to configure a global policy to deny or permit traffic.


Before you begin:

  • Review the firewall security policies.

    See Security Policies Overview.

  • Configure an address book and create addresses for use in the policy.

  • Create an application (or application set) that indicates that the policy applies to traffic of that type.


This configuration example shows how to configure a global policy that accomplishes what multiple security policies (using zones) would have accomplished. Global policy gp1 permits all traffic while policy gp2 denies all traffic.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a global policy to permit or deny all traffic:

  1. Create addresses.
  2. Create the global policy to permit all traffic.
  3. Create the global policy to deny all traffic.


From configuration mode, confirm your configuration by entering the show security policies and show security policies <global> commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.


Confirm that the configuration is working properly.

Verifying Global Policy Configuration


Verify that global policies gp1 and gp2 are configured as required.


From operational mode, enter the show security policy <global>command.

Related Documentation