
[ScreenOS] What are the default global policies in ScreenOS?


Article ID: KB15195 KB Last Updated: 29 Mar 2021Version: 4.0
Summary:

This article covers what the default global policies in ScreenOS are.

Solution:

If custom global policies are created, they can be viewed with the "get policy all" or "get policy global" command in the CLI, or in the WebUI by selecting the Global zone.

However, the default global policies can only be viewed by querying their policy ID in the CLI. The default global policies cannot be checked in the WebUI.

There are four default global policies, as follows:

ISG2000-> get policy id 320000
name:"none" (id 320000), zone Null -> Null,action Deny, status "enabled"
src "N/A", dst "N/A", serv "ANY"

This is the default Deny-all policy. Action can be changed to "permit" using the command, "set policy default-permit-all".

For information on policy ID 320000, refer to KB14911 - Traffic log shows traffic passing thru Zone NULL to Zone NULL when hit the policy id 320000, while actually the traffic is related to two security zones.

ISG2000-> get policy id 320001
name:"none" (id 320001), zone Null -> Null,action Deny, status "hidden"
src "N/A", dst "N/A", serv "ANY"

This policy is used to log uninteresting self-traffic.

For information on policy ID 320001, refer to KB6389 - [ScreenOS] What does "policy id 320001" refer to?

ISG2000-> get policy id 320002
name:"none" (id 320002), zone Null -> Null,action Permit, status "enabled"
src "N/A", dst "N/A", serv "ANY"

This is an implicit permit policy.

For information on policy ID 320002, refer to KB6529 - What does policy id 320002 refer to?

ISG2000-> get policy id 320003
name:"none" (id 320003), zone Null -> Null,action Permit, status "hidden"
src "N/A", dst "N/A", serv "ANY"

Policy ID 320003 is for identifying traffic logs created by accepted traffic to self. This policy is a hidden policy, that is to say, it is not installed in the policy table. Normal traffic cannot match this policy.

Note that the above default policies cannot be deleted.
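Since policy 320000 ships as Deny but can be flipped to Permit with "set policy default-permit-all", an audit of a saved CLI capture is a quick way to confirm the default global policies still match their shipped state. The following script is an added example, not part of this KB article or Juniper's tooling; it assumes the "get policy id" output format shown above and uses a constructed capture in which the default deny-all policy has been changed to Permit.

```python
import re

# Header line format of "get policy id <n>" as shown in this article, e.g.
# name:"none" (id 320000), zone Null -> Null,action Deny, status "enabled"
HEADER_RE = re.compile(
    r'name:"(?P<name>[^"]*)" \(id (?P<id>\d+)\), '
    r'zone (?P<src_zone>[^,\s]+) -> (?P<dst_zone>[^,\s]+),\s*'
    r'action (?P<action>\w+), status "(?P<status>\w+)"'
)

# Shipped action of the four default global policies described in the article.
EXPECTED_ACTION = {
    320000: "Deny",    # default deny-all policy
    320001: "Deny",    # logs uninteresting self-traffic (hidden)
    320002: "Permit",  # implicit permit policy
    320003: "Permit",  # logs accepted traffic to self (hidden)
}

def parse_policies(output: str) -> dict:
    """Parse every policy header line in CLI output into {id: fields}."""
    policies = {}
    for line in output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            policies[int(m["id"])] = {
                "name": m["name"],
                "zones": (m["src_zone"], m["dst_zone"]),
                "action": m["action"],
                "status": m["status"],
            }
    return policies

def audit_defaults(policies: dict) -> list:
    """Return one finding per default policy that is missing or not in shipped state."""
    findings = []
    for pid, expected in EXPECTED_ACTION.items():
        p = policies.get(pid)
        if p is None:
            findings.append(f"policy {pid} missing from output")
        elif p["action"] != expected:
            findings.append(f"policy {pid} action is {p['action']}, expected {expected}")
    return findings

# Constructed sample capture: a device where "set policy default-permit-all" was applied.
SAMPLE_OUTPUT = """\
ssg550-> get policy id 320000
name:"none" (id 320000), zone Null -> Null,action Permit, status "enabled"
src "N/A", dst "N/A", serv "ANY"
ssg550-> get policy id 320001
name:"none" (id 320001), zone Null -> Null,action Deny, status "hidden"
src "N/A", dst "N/A", serv "ANY"
ssg550-> get policy id 320002
name:"none" (id 320002), zone Null -> Null,action Permit, status "enabled"
src "N/A", dst "N/A", serv "ANY"
ssg550-> get policy id 320003
name:"none" (id 320003), zone Null -> Null,action Permit, status "hidden"
src "N/A", dst "N/A", serv "ANY"
"""

if __name__ == "__main__":
    for finding in audit_defaults(parse_policies(SAMPLE_OUTPUT)):
        print(finding)
```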

We can also choose to configure "notify-conn-close" on the above policies. When enabled, ScreenOS sends a TCP notification ACK to both the client and the server when the session is closed by session timeout or by executing a "clear session" command.

The "notify-conn-close" option is disabled by default.

ssg550-> set policy id 320000
ssg550(policy:320000)-> set notify-conn-close
ssg550(policy:320000)-> exit
