What is Rule Shadowing in ScreenOS?

Article ID: KB13233
Last Updated: 06 Feb 2009
Version: 1.0
ScreenOS will match a generic rule before a specific rule, if the generic rule is listed first in the configuration.
In large networks it is easy to create firewall rules that overlap. In ScreenOS this is referred to as 'rule shadowing'. For example, in the following two policies the addresses in policy id 4 overlap with the addresses in policy id 3:
set pol id 3 from trust to untrust FTP permit
set pol id 4 from trust to untrust FTP deny
The rule-shadowing check looks for overlapping rules, i.e. a more generic rule listed before a more specific one. When this is the case, the specific rule is never used, because the generic rule appears first in the list and matches the traffic first. The shadowing rule may contain multi-cell address objects or groups. Note, however, that when there are multiple shadowed rules between the same source and destination zones, ScreenOS displays only the first matched shadow rule pair.

The result can be seen in the following CLI output:
nsisg2000-> exec policy verify
Rulebase verified successfully
nsisg2000-> set pol id 3 from trust to untrust FTP permit
nsisg2000-> set pol id 4 from trust to untrust FTP deny
nsisg2000-> exec policy verify
Rule 4 is shadowed by rule 3
Rulebase verification done: shadowed rules were found
In this example, policy id 4 will never be executed: policy id 3 permits the same FTP traffic from the same zones first.
It is recommended that you run the 'exec policy verify' command after making policy changes, in order to confirm that no policy is being shadowed.
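The check that 'exec policy verify' performs can be reproduced offline against a rulebase export, which is useful for reviewing changes before they are pushed to the firewall. The following is an added example and not Juniper code; it assumes a simplified ScreenOS policy model (policies are evaluated top-down within a zone pair, first match wins, addresses are CIDRs or "any", services are names or "any") and goes slightly beyond the article by also recognising a shadowing rule whose address range is broader than the shadowed rule's, and by handling multi-cell address groups. Like ScreenOS, it reports only the first rule that shadows each later rule.

```python
"""Minimal ScreenOS-style rule-shadowing checker (added example, not Juniper code).

A later policy is shadowed when an earlier policy in the same zone pair matches
every packet the later policy would match: same or broader source addresses,
same or broader destination addresses, and the same service (or 'any').
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: Tuple[str, ...]   # one or more CIDRs, or ("any",); a group is several cells
    dst: Tuple[str, ...]
    service: str           # service name, e.g. "FTP", or "any"
    action: str            # "permit" or "deny"


def _addr_covers(broad: str, narrow: str) -> bool:
    """True if the address cell 'broad' matches everything 'narrow' matches."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    b = ipaddress.ip_network(broad, strict=False)
    n = ipaddress.ip_network(narrow, strict=False)
    return b.version == n.version and n.subnet_of(b)


def _group_covers(broad: Tuple[str, ...], narrow: Tuple[str, ...]) -> bool:
    """Every cell of the narrow group must sit inside some cell of the broad group.

    Conservative simplification: a cell covered only by the union of several
    broad cells is not detected, so this may under-report, never over-report.
    """
    return all(any(_addr_covers(b, n) for b in broad) for n in narrow)


def _service_covers(broad: str, narrow: str) -> bool:
    return broad == "any" or broad == narrow


def shadows(earlier: Policy, later: Policy) -> bool:
    """Does 'earlier' (listed first) make 'later' unreachable?"""
    return (
        earlier.from_zone == later.from_zone
        and earlier.to_zone == later.to_zone
        and _group_covers(earlier.src, later.src)
        and _group_covers(earlier.dst, later.dst)
        and _service_covers(earlier.service, later.service)
    )


def verify(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, shadowing_id) pairs in rulebase order.

    Only the first shadowing rule per shadowed rule is reported, which mirrors
    the single 'Rule X is shadowed by rule Y' line ScreenOS prints.
    """
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if shadows(earlier, later):
                findings.append((later.pid, earlier.pid))
                break
    return findings


# Constructed sample rulebase: policies 3 and 4 are the article's example
# (no explicit addresses, so "any"); 5, 6 and 7 are made up for illustration.
SAMPLE_RULEBASE = [
    Policy(3, "trust", "untrust", ("any",), ("any",), "FTP", "permit"),
    Policy(4, "trust", "untrust", ("any",), ("any",), "FTP", "deny"),
    Policy(5, "trust", "dmz", ("10.0.0.0/8",), ("192.0.2.0/24",), "any", "permit"),
    Policy(6, "trust", "dmz", ("10.1.1.0/24",), ("192.0.2.10/32",), "HTTP", "deny"),
    Policy(7, "untrust", "dmz", ("any",), ("192.0.2.10/32",), "HTTP", "permit"),
]

if __name__ == "__main__":
    for shadowed, by in verify(SAMPLE_RULEBASE):
        print(f"Rule {shadowed} is shadowed by rule {by}")
```

Running the script reports rule 4 shadowed by rule 3 (the article's case) and rule 6 shadowed by rule 5 (a broader address range with service 'any' listed first); rule 7 is not reported because it belongs to a different zone pair.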

Note: The 'exec policy verify' command is part of the Deep Inspection (DI) feature and cannot be used if IDP Security Modules and an IDP license are installed on the ISG-series firewall. Since DI and IDP cannot be used together, the command is unavailable in that configuration.