
[SRX] How to change the order of security policies


Article ID: KB10120 | KB Last Updated: 24 Dec 2020 | Version: 10.0
Summary:

This article describes how to change the order of security policies on an SRX device and the importance of doing so.

 

Symptoms:

The ordering of security policies is important because the policy lookup process is performed from top to bottom until a match is found. If a specific security policy is listed after a non-specific, more general security policy, it is likely that the specific security policy will not be used.

Symptoms and Errors

  • Newly created security policies are placed at the bottom.

  • There is a need to place a security policy at a specific location within the policy list.

  • Traffic is not passing on the expected security policy.

 

Solution:

Note: For policy-based VPN environments, tunnel policies should be listed after clear-text policies. Create and order policies carefully to ensure the following:

  • VPN traffic matches the expected tunnel security policy instead of matching on a non-tunnel policy.

  • Non-VPN traffic does not match a VPN policy that is on the ingress (out-of-tunnel) direction.

 

CLI

To move a policy in the CLI, use the insert command:

root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> before policy <policy-name>
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> after policy <policy-name>
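
The following is an added example, not part of the original article or Juniper code. It models the top-to-bottom, first-match lookup for one zone pair, flags any policy that an earlier, more general policy fully covers, and prints the insert command (in the form shown above) that would move it ahead. The policy names, zones and address-book names are constructed sample data, and match fields are compared by name only (overlapping prefixes under different address-book names are not detected).

```python
# Added example: model of top-down, first-match policy lookup in one zone pair.
# All policies, zone names and address-book names here are constructed samples.
ANY = "any"

def covers(general, specific):
    """True if match field `general` matches everything `specific` matches."""
    return ANY in general or (ANY not in specific and set(specific) <= set(general))

def find_shadowed(policies):
    """Return (shadowed_name, shadowing_name) pairs for an ordered policy list."""
    fields = ("source", "destination", "application")
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(covers(earlier[f], later[f]) for f in fields):
                shadowed.append((later["name"], earlier["name"]))
                break  # lookup stops at the first matching policy
    return shadowed

def insert_command(from_zone, to_zone, policy, before):
    """Build the insert command in the form the article gives."""
    return (f"insert security policies from-zone {from_zone} to-zone {to_zone} "
            f"policy {policy} before policy {before}")

def report(policies, from_zone, to_zone):
    """One suggested insert command per shadowed policy."""
    return [insert_command(from_zone, to_zone, late, early)
            for late, early in find_shadowed(policies)]

# Constructed ordered list for from-zone trust to-zone untrust.
# block-telnet was created last, so it sits below the general allow-all policy.
SAMPLE = [
    {"name": "allow-web", "source": ["lan-net"], "destination": [ANY],
     "application": ["junos-http", "junos-https"], "action": "permit"},
    {"name": "allow-all", "source": [ANY], "destination": [ANY],
     "application": [ANY], "action": "permit"},
    {"name": "block-telnet", "source": ["lan-net"], "destination": [ANY],
     "application": ["junos-telnet"], "action": "deny"},
]

if __name__ == "__main__":
    for line in report(SAMPLE, "trust", "untrust"):
        print(line)
```
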
  

J-Web

To move a policy in J-Web, use the Move drop-down menu in the upper-right corner:

  1. Navigate to Configure > Security > Policy > Apply Policy.
  2. Locate the policy that must be moved.

  3. Click the Move drop-down menu that is located in the top-right corner.

  4. Use the "Move up," "Move down," "Move to top," and "Move to bottom" options to reorder security policies.

 

Important Tips

  • Because new security policies are added at the bottom of the list, they might need to be reordered by moving them above or below other policies.
  • It is not possible to place a particular security policy at the bottom of the policy list statically.

  • It is not possible to place a security policy in a specific order permanently, because the rearrangement of policies impacts all policies.

For more information about security policies and security policy ordering, see Security Policies Feature Guide for Security Devices.

 

Modification History:
  • 2020-12-24: Article verified for accuracy; article valid and accurate

  • 2018-11-12: Article reviewed for accuracy; link updated to point to current document. No changes have been made to the content. Article is correct and complete.

 
