
[Junos Space] Security Director Preview Configuration shows unexpected rule orders when multiple policies are in use.


Article ID: KB34136    Last Updated: 02 May 2019    Version: 1.0
Summary:

Junos Space Security Director (SD) allows users to assign multiple policies to a particular device. However, users may notice that Security Director Preview Configuration is showing unexpected rule orders when multiple policies are in use.

This article explains why this may be happening and what should be done to avoid the issue.


Symptoms:

The following symptoms may be observed:

  • Incorrect insert statements in the Preview Configuration for a particular policy

  • Different outputs in the Preview Configuration job when it is run for policies assigned to the same device


Cause:

When a preview is generated in the Devices view, only the published firewall rules are considered.

If you run a preview from the Policy Editor by selecting a specific policy, the preview will contain the following:

  • All pending changes from the selected policy

  • All published changes from all other assigned policies for the same device

Unexpected output may appear in the preview if any of the assigned policies show the Re-Publish Required status.


It is important to understand how Security Director evaluates policies and rules, particularly when assigning them to a device. The key points are as follows:

Each firewall policy in Security Director has a section for the following firewall rule types:

  • Zone

  • Global

All zone rules assigned to the Juniper firewall are processed completely before the Global rules. See Configuring Security Policies for details on how the firewall processes the different rule types.

On Juniper firewalls, zone-based rules are grouped by source and destination zone, so each source/destination zone combination is ordered separately across all assigned policies. The relative order of rules that do not share the same source/destination zone combination is not significant, even if they appear next to each other in the SD Policy list.

Junos Space Security Director allows users to assign multiple policies to a particular device, as listed below:

  1. All Devices Group Policy Pre (applies to all devices, always first)
  2. One or more Group Policies Applied Before Device Specific Policies
  3. Device Specific Policies (only one allowed per device)
  4. One or more Group Policies Applied After Device Specific Policies
  5. All Devices Group Policy Post (applies to all devices, always last)

Group policies can be assigned to one or more devices and usually contain a set of rules that is common across multiple devices. Device-specific policies can be assigned to only one device and should contain the set of rules that is specific to that particular device.

When all of the policy types mentioned above are assigned to a device, Security Director first processes all the zone-based rules, per zone combination, taking them from the assigned policies in this order:

  1. All Devices Pre policy
  2. One or more assigned group policies before device specific rules
  3. Assigned Device Specific Policy
  4. One or more assigned group policies after device specific rules
  5. All Devices Post policy

The Global rules are then ordered in the same way, taking the Global firewall rule section from each of the above-mentioned policies in the same order:

  1. All Devices Pre policy
  2. One or more assigned group policies before device specific rules
  3. Assigned Device Specific Policy
  4. One or more assigned group policies after device specific rules
  5. All Devices Post policy

Note: When multiple group policies are assigned to a single device ("Policies applied before/after device specific policies"), they are ordered according to the configured sequence numbers. Refer to Policy Ordering Overview and Firewall Policies Overview for more details about policy ordering and group policy sequence, respectively.

Note: A "policy" in Security Director nomenclature denotes a group of individual firewall rules. A "rule" refers to a single firewall policy tuple as per Junos OS nomenclature.
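As an added illustration (a model written for this article, not Security Director's own code), the following Python reproduces the ordering rules described above: slot order, group-policy sequence numbers, independent ordering per source/destination zone pair, Global rules after all zone rules, and the published-versus-pending filter that distinguishes the Devices view preview from a Policy Editor preview. The policy names, zones and rules in the sample are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Policy slots in the order the article says Security Director evaluates them.
SLOT_ORDER = ("all-pre", "group-before", "device", "group-after", "all-post")

@dataclass
class Rule:
    name: str
    src_zone: str | None = None   # None on both zones marks a Global rule
    dst_zone: str | None = None
    published: bool = True        # False = pending change (Re-Publish Required)

@dataclass
class Policy:
    name: str
    slot: str                     # one of SLOT_ORDER
    seq: int = 0                  # sequence number among group policies in a slot
    rules: list[Rule] = field(default_factory=list)

def visible_rules(policies, selected=None):
    """Yield (policy, rule) pairs a preview would include, in policy order.
    Devices view (selected=None): published rules only.  Policy Editor preview
    of `selected`: all its rules, plus only published rules of other policies."""
    for pol in sorted(policies, key=lambda p: (SLOT_ORDER.index(p.slot), p.seq)):
        for rule in pol.rules:
            if pol.name == selected or rule.published:
                yield pol, rule

def effective_order(policies, selected=None):
    """Return ({(src, dst): [rule names]}, [global rule names]); each zone pair
    is ordered on its own, and Global rules follow every zone rule."""
    zone_pairs: dict[tuple[str, str], list[str]] = {}
    global_rules: list[str] = []
    for _pol, rule in visible_rules(policies, selected):
        if rule.src_zone is None:
            global_rules.append(rule.name)
        else:
            zone_pairs.setdefault((rule.src_zone, rule.dst_zone), []).append(rule.name)
    return zone_pairs, global_rules

# Constructed sample: group policies listed out of sequence order, one device
# policy holding a pending rule, and the All Devices Pre/Post policies.
SAMPLE = [
    Policy("AllPre", "all-pre", rules=[Rule("pre-t-u", "trust", "untrust")]),
    Policy("GrpB", "group-before", seq=2, rules=[Rule("g2-t-dmz", "trust", "dmz")]),
    Policy("GrpA", "group-before", seq=1,
           rules=[Rule("g1-t-u", "trust", "untrust"), Rule("g1-global")]),
    Policy("Dev", "device", rules=[Rule("dev-pending", "trust", "untrust", published=False),
                                   Rule("dev-t-dmz", "trust", "dmz")]),
    Policy("AllPost", "all-post", rules=[Rule("post-deny")]),
]
```

Running `effective_order(SAMPLE)` (Devices view) omits the pending device rule, while `effective_order(SAMPLE, selected="Dev")` (Policy Editor preview) includes it at the end of the trust/untrust sequence, which is the difference between the two preview outputs the Symptoms section describes.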


Solution:

Before previewing the rule order across all assigned policies and rules, or before updating a policy to the firewall, check each Security Director policy assigned to the device and confirm that it shows the Published state. To learn more about publishing policies, see Publishing Policies.

If all policies have been published but incorrect inserts are still shown in the output of Preview Configuration, contact Support for further assistance.

Note: This "assign multiple policies" design applies to the following policy types: Firewall, NAT, and IPS. The Policy Viewer Preview processes only rules of the same type (although it also lists pending changes to shared objects). If you use the Device preview and select all policy types at once, the preview for all types is displayed in the same view; you then need to review the ordering of each policy type independently.
