Example: Configuring Global Policy
Unlike other security policies in Junos OS, global policies do not reference specific source and destination zones. Global policies reference the predefined address "any" or user-defined addresses that can span multiple security zones, so you can act on traffic without any zone restrictions. For example, you can create a single global policy so that every host in every zone can reach the company website (say, www.juniper.net) instead of writing one zone-pair policy per zone. Using a global policy is a convenient shortcut when there are many security zones. Traffic is classified by matching its source address, destination address, and the application that the traffic carries in its protocol header. Keep the lookup order in mind: a global policy is consulted only after the zone-pair (from-zone/to-zone) policies for the session have been checked, so a zone policy that matches the same traffic takes precedence, and traffic that matches neither a zone policy nor a global policy falls through to the default policy.
This example shows how to configure a global policy to deny or permit traffic.
Requirements
Before you begin:
Review the firewall security policies.
Configure an address book and create addresses for use in the policy.
Create an application (or application set) that indicates that the policy applies to traffic of that type.
Overview
This configuration example shows how to configure global policies that accomplish what multiple zone-based security policies would have accomplished. Global policy gp1 permits traffic of any application from server1 to server2; global policy gp2 denies FTP (the predefined application junos-ftp) from server2 to server1. Traffic that matches neither policy, and no zone-pair policy, is handled by the default policy.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the set commands from the step-by-step procedure below, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit security] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure global policies that permit or deny traffic between the two addresses:
- Create the addresses. The example binds them to DNS names, which an address-book entry expresses with the dns-name keyword (a bare value is parsed as an IP prefix).
[edit security]
user@host# set address-book global address server1 dns-name www.juniper.net
user@host# set address-book global address server2 dns-name www.mail.com
- Create the global policy that permits any application from server1 to server2.
[edit security]
user@host# set policies global policy gp1 match source-address server1
user@host# set policies global policy gp1 match destination-address server2
user@host# set policies global policy gp1 match application any
user@host# set policies global policy gp1 then permit
- Create the global policy that denies FTP from server2 to server1.
[edit security]
user@host# set policies global policy gp2 match source-address server2
user@host# set policies global policy gp2 match destination-address server1
user@host# set policies global policy gp2 match application junos-ftp
user@host# set policies global policy gp2 then deny
Results
Confirm your configuration by entering the show security policies command from operational mode, as in the output below (in configuration mode, show security policies global displays the two policy stanzas as you entered them). If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration. Note the Default policy line: with permit-all, any session that matches no zone-pair policy and no global policy is permitted.
user@host> show security policies
Default policy: permit-all
Global policies:
    Policy: gp1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
      Source addresses: server1
      Destination addresses: server2
      Applications: any
      Action: permit
    Policy: gp2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
      Source addresses: server2
      Destination addresses: server1
      Applications: junos-ftp
      Action: deny
If you are done configuring the device, enter commit from configuration mode.
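To make concrete what gp1 and gp2 actually match once committed, here is an added Python model of the Junos security-policy lookup order (zone-pair policies first, then global policies in sequence-number order, then the default policy). It is illustration code written for this page, not code from Junos OS or from the original example. The prefixes 192.0.2.10 and 198.51.100.20 standing in for the DNS names, the zone names trust and untrust, the junos-http entry and the block-ftp-out zone policy are all assumptions made so the model runs offline.

```python
"""Model of the Junos security-policy lookup order, added to show what the
page's gp1/gp2 global policies permit or deny. Illustration only, not Junos code:
it replays the documented first-match order (zone-pair policies, then global
policies, then default-policy) over constructed flows."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address book. The page binds server1/server2 to DNS names;
# fixed prefixes are assumed here so the example needs no resolver.
ADDRESS_BOOK = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "server1": ipaddress.ip_network("192.0.2.10/32"),
    "server2": ipaddress.ip_network("198.51.100.20/32"),
}

# Minimal application table: (protocol, destination port); "any" matches all.
# junos-http is an assumed extra entry used only for the sample flows.
APPLICATIONS = {
    "any": None,
    "junos-ftp": ("tcp", 21),
    "junos-http": ("tcp", 80),
}


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                          # address-book name
    dst: str                          # address-book name
    app: str                          # application name
    action: str                       # "permit" or "deny"
    from_zone: Optional[str] = None   # None marks a global policy
    to_zone: Optional[str] = None


def matches(policy: Policy, flow: Flow) -> bool:
    """Zone pair (zone policies only), then source, destination and application."""
    if policy.from_zone is not None and (policy.from_zone, policy.to_zone) != (flow.from_zone, flow.to_zone):
        return False
    if ipaddress.ip_address(flow.src) not in ADDRESS_BOOK[policy.src]:
        return False
    if ipaddress.ip_address(flow.dst) not in ADDRESS_BOOK[policy.dst]:
        return False
    app = APPLICATIONS[policy.app]
    return app is None or app == (flow.proto, flow.dport)


def lookup(flow: Flow, zone_policies: List[Policy], global_policies: List[Policy],
           default_policy: str = "permit-all") -> Tuple[str, str]:
    """First match wins: zone-pair policies, then global policies, then default-policy."""
    for policy in list(zone_policies) + list(global_policies):
        if matches(policy, flow):
            return policy.action, policy.name
    return ("permit" if default_policy == "permit-all" else "deny"), "default-policy"


# The page's two global policies, in their sequence-number order.
GLOBAL_POLICIES = [
    Policy("gp1", "server1", "server2", "any", "permit"),
    Policy("gp2", "server2", "server1", "junos-ftp", "deny"),
]

# Assumed zone-pair policy that overlaps gp1, to show it is consulted first.
ZONE_POLICIES = [
    Policy("block-ftp-out", "server1", "server2", "junos-ftp", "deny", "trust", "untrust"),
]

S1, S2 = "192.0.2.10", "198.51.100.20"
HTTP_OUT = Flow("trust", "untrust", S1, S2, "tcp", 80)    # server1 -> server2 web
FTP_OUT = Flow("trust", "untrust", S1, S2, "tcp", 21)     # server1 -> server2 ftp
FTP_BACK = Flow("untrust", "trust", S2, S1, "tcp", 21)    # server2 -> server1 ftp
HTTP_BACK = Flow("untrust", "trust", S2, S1, "tcp", 80)   # server2 -> server1 web

if __name__ == "__main__":
    for flow in (HTTP_OUT, FTP_OUT, FTP_BACK, HTTP_BACK):
        print(flow, "->", lookup(flow, ZONE_POLICIES, GLOBAL_POLICIES))
    print("HTTP_BACK with default-policy deny-all ->",
          lookup(HTTP_BACK, ZONE_POLICIES, GLOBAL_POLICIES, "deny-all"))
```

Running it shows the two points the prose glosses over. First, server2 to server1 traffic other than FTP matches neither gp1 nor gp2 and is decided by the default policy, which the Results output above reports as permit-all; on a real SRX, set security policies default-policy deny-all closes that gap, and gp2 then becomes an explicit deny with logging potential rather than the only thing standing between server2 and server1. Second, a zone-pair policy that matches the same session (here the assumed block-ftp-out) is consulted before any global policy, so gp1's permit does not override it.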
Verification
Confirm that the configuration is working properly.
Verifying Global Policy Configuration
Purpose
Verify that global policies gp1 and gp2 are configured as required.
Action
From operational mode, enter the show security policies global command to list only the global policies, or show security policies policy-name gp1 (and likewise for gp2) to display a single policy. Check that each policy shows State: enabled, the intended source and destination addresses, the intended application, and the intended action.