Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


WAN Edge Templates: Access Policy

Access policies are where you define which network/users can access which applications, and according to which traffic steering policy. The source zone is determined by the Networks/Users and the destination zone is determined by the Application + Traffic Steering path. Additionally, you can assign an action of Permit or Deny. Access policies are evaluated and applied in the order listed.

  • You can move a given policy up or down in the order by clicking the ellipsis button.
  • Likewise, you can delete a policy by clicking the ellipsis and then Delete
  • Steering policies are required when used with SRX series devices.
  • To add applications from the Access Policies section, click the Edit Applications button.

For our current hub-spoke example, we will create seven access policies, listed below. The figure below shows them in the context of a screenshot.

Steps for the first access policy are provided, after which you can use the details in the table to complete the others.

Spoke Policies

  • Policy 1— local-breakout. Provides a local breakout through the underlay.
  • Policy 2 —guest-local-breakout. Provides a local breakout through the underlay for guest users (TCP ports 80 and 443, and UDP port 53) only.
  • Policy 3— ssh-in. Allows inbound traffic to the hub from the spokes through the corporate LAN.
  • Policy 4— corp-spoke-out. Allows outbound spoke-to-spoke traffic over the aggregate network attached to the overlay.
  • Policy 5— corp-spoke-in. Allows inbound spoke-to-spoke traffic over the aggregate network attached to the overlay.
  • Policy 6— corp-overlay. Provides an Internet breakout through the overlay at the Hub
  • Policy 7—dc-corp-lan.

To create an access policy,

  1. Under the Access Policy section, click the Add Policy button to add a new rule in the policy list.
  2. Click the new field under the Name column and give the policy a name. Here, we will use local-breakout, then click the blue checkmark to apply your changes.
  3. Click the + icon in the Network/User column and in the drop-down that appears, select spoke-corp from the list of network/user combos that appears.
  4. Select Allow for the Action. This controls the network/users’ access to the application over the given path.
  5. Click the + icon in the Application/Destination column, and then any from the list of applications that appears.
  6. Click the + icon in the Traffic Steering column and in the drop-down that appears, select underlay from the list of policies that appears.

Values for Access Policies in the WAN Edge Template

Order Policy Name Network/User Action Application/Destination Traffic Steering
1 local-breakout spoke-corp Allow any underlay
2 guest-local-breakout spoke-guest Allow guest-web


3 ssh-in internet Allow spoke-ssh-in corp-lan
4 corp-spoke-out spoke-corp-agg.spoke-corp Allow spoke-corp-agg overlay
5 corp-spoke-in spoke-corp-agg.spoke-corp Allow spoke-corp-agg corp-lan
6 corp-overlay spoke-corp Allow any overlay
7 dc-corp-lan dc1-servers Allow spoke-corp-agg corp-lan