How to change the order of the Policies and why it is important? (KB ID: KB6629)
| Article ID: | KB6629 |
|---|---|
| Former Article ID: | nskb5244 |
| Published: | Jan 22, 2007 |
| Last Modified: | Jan 22, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
The order of the configured policies is significant in how the Juniper device handles traffic. If a specific policy is listed after a general policy, it is highly likely the specific policy will not be used. Policy ordering is very important in VPN environments. Listing the VPN or encryption policy first will ensure the VPN traffic will reach the encryption policy, rather than a clear Permit policy.
Problem
Environment:
- Policy ordering
- Position at Top
Symptoms & Errors:
- Newly created policy will be placed at the bottom position replacing the default deny policy
- Don't want to move policy position every time a new policy is created
- Need to place a particular policy at Bottom Position or a specific position permanently
- Phase 1 and Phase 2 VPN negotiations completed successfully but traffic isn't going through the VPN tunnel
Solution
It is not possible to keep a default or a particular policy at the bottom statically or place any policy in a specific position permanently.
There are 2 methods for arranging the policy ordering:
- Upon creating the new policy from the WebUI, select "Position at Top" to place the new policy above any existing policies.
  Having the policy at the top is important when creating a Virtual Private Network (VPN) policy, as it will ensure the designated VPN traffic reaches the encryption policy, rather than a clear Permit policy.
  This feature is only selectable upon initial creation of the policy. Once the policy has been created, you cannot enable "Position at Top" by editing the policy. If the desired position for the policy is top, use the Move feature to place the policy first in the order.
- You can also move the policy position using the WebUI:
  - Select Policies
  - Locate the policy you would like to move
  - Click on the Arrow Icon
  - Move the policy above or below any policy ID.
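
The ordering problem described above can be checked offline against an exported rule list. The following is an added example, not Juniper code: it models top-down, first-match lookup for a single zone pair and reports policies that an earlier, more general policy fully covers. The `Policy` fields, policy IDs and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    id: int
    src: str       # source network, CIDR
    dst: str       # destination network, CIDR
    service: str   # service name or "ANY"
    action: str    # "permit", "deny" or "tunnel"

def _net_covers(outer, inner):
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(policies, src_ip, dst_ip, service):
    """Policy that handles the flow under top-down, first-match lookup (None = no match)."""
    for p in policies:
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst)
                and p.service in ("ANY", service)):
            return p
    return None

def shadowed(policies):
    """(later_id, earlier_id) pairs where an earlier policy covers all of a later one."""
    pairs = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)
                    and earlier.service in ("ANY", later.service)):
                pairs.append((later.id, earlier.id))
                break
    return pairs

def move_to_top(policies, policy_id):
    """New ordering with the given policy first (the effect of Move / Position at Top)."""
    chosen = [p for p in policies if p.id == policy_id]
    return chosen + [p for p in policies if p.id != policy_id]

# Constructed sample: a clear Permit listed above the VPN (tunnel) policy.
BEFORE = [
    Policy(1, "10.1.0.0/16", "0.0.0.0/0", "ANY", "permit"),
    Policy(2, "10.1.1.0/24", "192.168.50.0/24", "ANY", "tunnel"),
]
AFTER = move_to_top(BEFORE, 2)

if __name__ == "__main__":
    for order in (BEFORE, AFTER):
        print(first_match(order, "10.1.1.20", "192.168.50.10", "HTTP"), shadowed(order))
```

In the `BEFORE` ordering the VPN-bound flow is handled by the clear Permit, which matches the symptom of a tunnel that negotiates successfully but carries no traffic; in `AFTER` the same flow reaches the tunnel policy and nothing is shadowed.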
Purpose
Troubleshooting
Related Links
- KB9217 - How to Troubleshoot a Site-to-Site VPN that won't come up and there are No Messages in the Event Logs

