Example: Configuring a Security Policy to Permit or Deny Selected Traffic
This example shows how to configure a security policy to permit or deny selected traffic.
Requirements
Before you begin:
- Create zones. See Example: Creating Security Zones.
- Configure an address book and create addresses for use in the policy. See Example: Configuring Address Books.
- Create an application (or application set) that indicates that the policy applies to traffic of that type. See Example: Configuring Applications and Application Sets.
- Permit traffic to and from trust and untrust zones. See Example: Configuring a Security Policy to Permit or Deny All Traffic.
Overview
In Junos OS, security policies enforce rules for transit traffic: which traffic can pass through the device, and the actions to take on that traffic as it passes through. From the perspective of security policies, the traffic enters one security zone and exits another security zone. In this example, you configure a specific security policy to allow only e-mail traffic from a host in the trust zone to a server in the untrust zone. No other traffic is allowed. See Figure 12.
Figure 12: Permitting Selected Traffic

Configuration
CLI Quick Configuration
To quickly configure a security policy to allow selected traffic, copy the following commands and paste them into the CLI:
set security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
set security zones security-zone untrust address-book address mail-untrust 1.1.1.24/32
set security zones security-zone trust address-book address mail-trust 192.168.1.1/32
set security policies from-zone trust to-zone untrust policy permit-mail match source-address mail-trust
set security policies from-zone trust to-zone untrust policy permit-mail match destination-address mail-untrust
set security policies from-zone trust to-zone untrust policy permit-mail match application junos-mail
set security policies from-zone trust to-zone untrust policy permit-mail then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a security policy to allow selected traffic:
- Configure the interfaces and security zones.
[edit security zones]
user@host# set security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services all
user@host# set security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services all
- Create address book entries for both client and server.
[edit security zones]
user@host# set security-zone untrust address-book address mail-untrust 1.1.1.24/32
user@host# set security-zone trust address-book address mail-trust 192.168.1.1/32
- Define the policy to permit mail traffic.
[edit security policies from-zone trust to-zone untrust]
user@host# set policy permit-mail match source-address mail-trust
user@host# set policy permit-mail match destination-address mail-untrust
user@host# set policy permit-mail match application junos-mail
user@host# set policy permit-mail then permit
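The following is an added example, not part of the Junos documentation or the device software: a small Python model of how the policy configured above is evaluated. It parses the set commands from the CLI Quick Configuration (embedded as constructed sample input), resolves address-book names to prefixes, and looks up a flow the way the device does, taking the first matching policy for the zone pair and falling through to the implicit default deny when nothing matches.

```python
import ipaddress
import shlex

# Constructed sample input: the set commands from the CLI Quick Configuration above.
CONFIG = """
set security zones security-zone untrust address-book address mail-untrust 1.1.1.24/32
set security zones security-zone trust address-book address mail-trust 192.168.1.1/32
set security policies from-zone trust to-zone untrust policy permit-mail match source-address mail-trust
set security policies from-zone trust to-zone untrust policy permit-mail match destination-address mail-untrust
set security policies from-zone trust to-zone untrust policy permit-mail match application junos-mail
set security policies from-zone trust to-zone untrust policy permit-mail then permit
"""

def parse_config(text):
    """Return (address_book, policies): address_book maps name -> network;
    policies maps (from-zone, to-zone) -> policy-name -> {match, action},
    preserving configuration order, which is also the evaluation order."""
    book, policies = {}, {}
    for line in text.strip().splitlines():
        t = shlex.split(line)
        if t[:3] == ["set", "security", "zones"] and "address-book" in t:
            i = t.index("address")
            book[t[i + 1]] = ipaddress.ip_network(t[i + 2])
        elif t[:3] == ["set", "security", "policies"]:
            zone_pair, name = (t[4], t[6]), t[8]
            pol = policies.setdefault(zone_pair, {}).setdefault(
                name, {"name": name, "match": {}, "action": None})
            if t[9] == "match":
                pol["match"].setdefault(t[10], set()).add(t[11])
            elif t[9] == "then":
                pol["action"] = t[10]
    return book, policies

def _addr_match(book, names, ip):
    # "any" matches every address; otherwise resolve each name via the address book.
    return "any" in names or any(ip in book[n] for n in names)

def lookup(book, policies, from_zone, to_zone, src, dst, app):
    """Evaluate one flow as the device would: the first policy of the zone
    pair whose source, destination and application all match decides; a flow
    that matches no policy falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies.get((from_zone, to_zone), {}).values():
        m = pol["match"]
        if (_addr_match(book, m.get("source-address", ()), src)
                and _addr_match(book, m.get("destination-address", ()), dst)
                and (app in m.get("application", ()) or "any" in m.get("application", ()))):
            return pol["name"], pol["action"]
    return "default-policy", "deny"
```

Because the device takes the first matching policy within a zone pair, a broader permit policy configured earlier for trust to untrust (such as the one from the prerequisite example) would match before permit-mail; the model mirrors that first-match order.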
Results
From configuration mode, confirm your configuration by entering the show security policies and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Policy Configuration
Purpose
Verify information about address books and zones.
Action
From operational mode, enter the show security policies policy-name permit-all detail command to display a summary of all security policies configured on the device.
Meaning
The output displays information about policies configured on the system. Verify the following information:
- From and to zones
- Source and destination addresses
- Match criteria
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Security Policies Overview
- Example: Configuring a Security Policy to Permit or Deny All Traffic