
[ScreenOS] Is a policy required for a Route-Based VPN?



Article ID: KB6551 KB Last Updated: 18 Dec 2017Version: 8.0

This article provides information on how to determine if a policy is required for route-based VPN traffic to flow through a Juniper Firewall.

  • Route-based VPN tunnel.
  • Is a policy required? If so, to which zones should the policy be applied?

Symptoms and errors:

Traffic is allowed, even though the policy is set to deny.


Is a policy required for a Route-Based VPN?

A policy may or may not be needed.

When a policy is required:

A route-based VPN requires a policy if the user traffic originates in, or arrives on, a security zone different from the zone to which the tunnel interface is bound. For example, if the tunnel interface is bound to the Untrust zone and the VPN traffic involves a user on the Trust zone, a policy is required from Trust > Untrust.

When a policy is not required:

If the user traffic originates in, or arrives on, the same security zone to which the tunnel interface is bound, no access policy is required, as long as Intrazone-Block is disabled for that zone. For example, if the tunnel interface is bound to the Trust zone and the VPN traffic involves a user on the Trust zone, a policy is not required.



The zone to which the tunnel interface is bound determines which policy must be created. If the tunnel is bound to the Trust zone and the users to be allowed are on the Trust zone, an intra-zone policy (Trust to Trust) can be used to allow or deny traffic. If the tunnel is bound to the Untrust zone or a custom zone, then the policy is from Trust to Untrust, or Trust to [custom zone name], for outbound traffic generated by Trust zone users, with reverse policies for inbound traffic.

Note: By default, blocking of intra-zone traffic is disabled for all zones except the Untrust zone. So, even without a policy, intra-zone traffic is allowed unless the Intra Zone Block setting is changed for that zone. Consequently, an explicit deny/reject policy is needed to deny traffic for a tunnel bound to the same zone as the users while intra-zone blocking is disabled.

The order in which the policy lookup takes place on a ScreenOS device is as follows:

  • Standard policies

  • Global Policies

  • Intra-zone block/allow

If none of the above policies fit, the default is deny all.

The Action used in the policy will be either Permit, Deny, or Reject and not Tunnel. The Tunnel action is used, when configuring policy-based VPNs.
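The following is an added example, not Juniper's code or part of this article: a small Python model of the lookup order and zone rule described above, used to show why a Trust-to-Untrust deny policy does not stop traffic through a tunnel interface bound to Trust. Zone names, the `Policy`/`Firewall` classes and the treatment of global policies as matching any zone pair are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    action: str  # "permit", "deny" or "reject"; "tunnel" is only for policy-based VPNs

@dataclass
class Firewall:
    tunnel_zone: str  # zone the tunnel interface is bound to
    standard: list = field(default_factory=list)
    global_policies: list = field(default_factory=list)
    # Intra-zone block is disabled on every zone except Untrust by default.
    intrazone_block: dict = field(default_factory=lambda: {"untrust": True})

    def policy_required(self, user_zone):
        """A policy is needed when the user's zone differs from the tunnel zone,
        or when intra-zone blocking is enabled on the shared zone."""
        if user_zone != self.tunnel_zone:
            return True
        return self.intrazone_block.get(user_zone, False)

    def lookup(self, src_zone, dst_zone):
        """Lookup order: standard policies, global policies, intra-zone
        block/allow, then the implicit deny-all."""
        for p in self.standard:
            if p.src_zone == src_zone and p.dst_zone == dst_zone:
                return p.action
        for p in self.global_policies:  # assumption: global policies match any zone pair
            return p.action
        if src_zone == dst_zone:
            return "deny" if self.intrazone_block.get(src_zone, False) else "permit"
        return "deny"

    def vpn_user_traffic(self, user_zone, outbound=True):
        """Zone pair the policy engine sees for VPN user traffic: the user's zone
        on one side and the tunnel interface's zone on the other."""
        src, dst = (user_zone, self.tunnel_zone) if outbound else (self.tunnel_zone, user_zone)
        return self.lookup(src, dst)

# Constructed scenario from the symptom: tunnel bound to Trust, deny policy Trust > Untrust.
def symptom_case():
    fw = Firewall("trust", standard=[Policy("trust", "untrust", "deny")])
    return fw.vpn_user_traffic("trust")  # intra-zone lookup, deny policy never matches
```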

For a configuration example, refer to KB9514 - How to configure a policy for a route-based VPN.

For more information about the Packet Flow Sequence, refer to Concepts & Examples Guide - Part 2 - Fundamentals (ScreenOS 6.3). For other ScreenOS versions, refer to the following link:

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.
