
[ScreenOS] How to Clone a security policy?



Article ID: KB27570
Last Updated: 15 Dec 2017
Version: 2.0

This article explains how to clone an existing security policy, in the WebUI and with equivalent CLI commands.
This article is applicable to ScreenOS 4.0 or later.

The Clone feature is useful when you want to create a policy that is very similar to an existing one. Some policies are almost the same except for one or a few settings. Instead of configuring a completely new policy, you can use the Clone feature to copy a policy and then make minor modifications to the copy. This is particularly helpful while configuring a policy that is similar to an existing policy having multiple services or multiple address book entries, but with minor changes.


Let us say we have a policy from Trust to Untrust with multiple address book entries, multiple services and NAT enabled on it:


Suppose we want to configure one more policy from Trust to Untrust that is similar to policy id 1157 (shown in the figure above) but with slight changes in action, service and address book entry. We can use Policy Cloning and configure only those changes, instead of configuring an entirely new policy.


As seen above, the cloned policy is appended at the bottom of the policy list. Because policy lookup is top-down, the first matching policy wins, so move the clone above any broader existing policy if it must take effect for the traffic it describes.

To Clone a Policy

In the WebUI:

1. Click Clone for the policy that most closely matches the new policy you want to create. Clicking Clone opens the Policy Edit page for that policy.

2. Rename the policy (optional).

3. Modify the configuration.

4. Click OK to save your new policy.


Note: The commands provided below only offer the steps to configure a policy, as there are no special commands to clone a policy in the CLI.

SSG -> set policy id <> from <src-zone> to <dst-zone> <src-address> <dst-address> <service> <action>
SSG -> set policy id <>
SSG (policy : <>) -> set/unset service <service>             -to add/remove a service in the existing policy
SSG (policy : <>) -> set/unset src-address <src-address>     -to add/remove a src-address in the existing policy
SSG (policy : <>) -> set/unset dst-address <dst-address>     -to add/remove a dst-address in the existing policy
SSG (policy : <>) -> exit

Note: If there is only one src-address, one dst-address or one service in the policy, that field cannot be unset/removed until another src-address, dst-address or service has been added to it; a policy field can never be left empty.

set policy id 1 from Trust to Untrust "Chicago_base" ANY HTTP permit

To clone policy id 1, make a few changes to it and produce policy id 2, copy the policy creation command (with different id) and make the necessary changes.

SSG -> set policy id 2 from Trust to Untrust "Chicago_base" ANY HTTP permit
SSG -> set policy id 2
SSG (policy : 2) -> set src-address "Sunnyvale_base"
SSG (policy : 2) -> set service "HTTPS"
SSG (policy : 2) -> exit
SSG ->
SSG ->
SSG -> get policy
Total regular policies 2, Default deny, Software based policy search, new policy enabled.
ID       From      To            Src-address           Dst-address      Service      Action     State            ASTLCB
1         Trust      Untrust   Chicago_base            Any              HTTP         Permit   enabled       ----------X
2         Trust      Untrust   Sunnyvale_base          Any              HTTP         Permit   enabled       ----------X
                               Chicago_base                              HTTPS
SSG ->
SSG -> set policy id 3 from Trust to Untrust "Chicago_base" ANY HTTP deny
SSG -> set policy id 3
SSG (policy : 3) -> set service "TELNET"
SSG (policy : 3) -> unset service "HTTP"
SSG (policy : 3) -> exit
SSG ->
SSG ->
SSG -> get policy
Total regular policies 3, Default deny, Software based policy search, new policy enabled.
ID      From       To           Src-address            Dst-address       Service       Action       State           ASTLCB
1        Trust     Untrust     Chicago_base            Any                HTTP         Permit       enabled     ----------X
2        Trust     Untrust     Sunnyvale_base          Any                HTTP         Permit       enabled      ----------X
                               Chicago_base                               HTTPS
3        Trust     Untrust     Chicago_base            Any                TELNET       Deny         enabled      ----------X
SSG ->
SSG -> save
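The CLI procedure above is manual: copy the creation line, change the id, then set and unset members. The following helper, added here as a constructed example and not part of the article or of ScreenOS (which has no clone command), generates that command sequence from a single `set policy id ...` line and enforces the note about never emptying a field by emitting additions before removals and rejecting a removal of the last member. Function names, the `add`/`remove` field keys and the quoting style are assumptions of this example.

```python
"""Emit the ScreenOS CLI that clones a policy, with the KB's 'never empty' rule.

Constructed helper for this article; it is not Juniper code and ScreenOS has
no clone command. It parses one `set policy id ...` line, re-emits it under a
new id, then adds the per-policy set/unset commands. Additions are emitted
before removals, and removing the last member of a field is rejected.
"""
import shlex

KEYWORD = {"src": "src-address", "dst": "dst-address", "svc": "service"}


def parse_set_policy(line):
    """Parse 'set policy id N from SZ to DZ SRC DST SVC ACTION' into a dict."""
    t = shlex.split(line)
    if len(t) != 12 or t[:3] != ["set", "policy", "id"] or t[4] != "from" or t[6] != "to":
        raise ValueError(f"not a single-line set policy command: {line!r}")
    return {"id": int(t[3]), "src_zone": t[5], "dst_zone": t[7],
            "src": [t[8]], "dst": [t[9]], "svc": [t[10]], "action": t[11]}


def _q(name):
    """Quote object names as the KB does; the ANY keyword stays bare."""
    return name if name.upper() == "ANY" else f'"{name}"'


def clone_policy(line, new_id, action=None, add=None, remove=None):
    """Return CLI lines creating policy `new_id` as a modified copy of `line`.

    `add` and `remove` map a field key ('src', 'dst', 'svc') to member names.
    """
    p = parse_set_policy(line)
    add, remove = add or {}, remove or {}
    for field, kw in KEYWORD.items():
        # Validate up front: a policy field may never end up empty.
        remaining = (set(p[field]) | set(add.get(field, []))) - set(remove.get(field, []))
        if not remaining:
            raise ValueError(f"{kw} of policy {new_id} would be left empty")
    out = [f"set policy id {new_id} from {p['src_zone']} to {p['dst_zone']} "
           f"{_q(p['src'][0])} {_q(p['dst'][0])} {_q(p['svc'][0])} {action or p['action']}",
           f"set policy id {new_id}"]
    for field, kw in KEYWORD.items():          # additions first ...
        out += [f"set {kw} {_q(m)}" for m in add.get(field, [])]
    for field, kw in KEYWORD.items():          # ... then removals
        out += [f"unset {kw} {_q(m)}" for m in remove.get(field, [])]
    out.append("exit")
    return out
```

Run `clone_policy(line, 2, add={"src": ["Sunnyvale_base"], "svc": ["HTTPS"]})` on the policy id 1 line above to reproduce the policy id 2 session; the output still has to be pasted into the CLI and followed by `save`.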

Modification History:
2017-12-07: Article reviewed for accuracy. Minor grammatical changes. Rest of the Article is correct and complete.
