
[ScreenOS] How to move the existing or new policy to a position in the policy set list .


Article ID: KB6629 | Last Updated: 14 Jul 2017 | Version: 10.0
Summary:

The order of the configured policies is significant in how a Juniper device handles traffic, because policies are evaluated top-down and the first match is used. If a specific policy is listed after a general policy, it is highly likely that the specific policy will never be used. Policy ordering is especially important in VPN environments: listing the VPN (encryption) policy first ensures that VPN traffic reaches the encryption policy rather than a clear-text Permit policy. This article explains how to change the position of newly configured policies.

Symptoms:

Environment:

  • Policy ordering

  • Position at Top


Symptoms and errors:

  • The newly created policy is placed at the bottom position, replacing the default deny policy.

  • You do not want to move the policy position every time a new policy is created.

  • You need to place a particular policy at the bottom, or at a specific position, permanently.

  • Phase 1 and Phase 2 VPN negotiations complete successfully, but traffic does not go through the VPN tunnel.

Solution:
The policy order of newly configured policies can be changed via both the WebUI and the CLI.

In WebUI:

Go to Policy -> Policies. In the “Move” column for the policy, click either the circular arrows or the single arrow to move the policy to a specific position in the list.

When you click the circular arrows, a prompt dialog box appears. To move the policy to the very end of the list, enter <-1>. To move it up in the list, enter the ID number of the policy above which this policy should be positioned.

Click “OK” to execute the move.

When you click the single arrow, a policy move page appears, showing the policy to be moved and a table of the other policies, with arrows marking the positions to which the policy can be moved.

Click the arrow for the desired location; the policy list page reappears with the moved policy in its new position.

In CLI:

Use the following command, where the first policy_id is the policy to move and the second is the reference policy it is placed before or after:

set policy move policy_id [before | after] policy_id

Moving a policy prevents a newly added policy from being shadowed by an existing policy that overlaps with it.

Verification

To check for overlapping (shadowed) rules, use the command:

exec policy verify

In addition to re-ordering an existing policy, a newly configured policy can be positioned at the top by either of the following methods:

  • At the time of policy creation, use the following command:
    set policy top from Untrust to Trust "DMZ-LAN" any any permit
  • Or use the set policy id <id-number> top command. For example:
    set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" deny
    set policy id 3
    set policy id 7 from "Untrust" to "Trust" "Trust-Lan" "Any-IPv4" "ANY" deny
    set policy id 7
    set policy id 7 top

Note that the position cannot be set by first entering the policy context and then moving the policy to the top; the top keyword is not offered there, as the list of available options shows:

nsisg2000(B)-> set policy id 7
nsisg2000(policy:7)(B)-> set
attack                 attack group
av                     AntiVirus scanning
count                  counting option
di-severity            attack severity
dst-address            destination address
idp                    enable IDP security module (default in inline mode)
log                    logging option
name                   policy name
no-hw-sess             disable hardware session creation
notify-conn-close      notify both ends if tcp session isn't normally terminated
service                service
sess-limit             session limit on policy
src-address            source address
url                    Web filtering option
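The following is an added example (not Juniper's code) that models the behaviour described above: first-match evaluation, a shadow check in the spirit of exec policy verify, and reordering in the spirit of set policy move / set policy id top. Address-book names such as "Trust-Lan" are replaced by constructed CIDR prefixes, and the zone pair is assumed to be the same for all policies.

```python
# Added example (not ScreenOS code): a first-match policy list with a
# shadow check and a move operation. Sample policies are constructed.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Policy:
    pid: int
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"
    svc: str     # service name or "ANY"
    action: str  # "permit", "deny" or "tunnel"

def _covers(outer, inner):
    """True if term `outer` matches everything term `inner` matches."""
    if outer.lower() == "any":
        return True
    if inner.lower() == "any":
        return False
    try:
        return ip_network(inner).subnet_of(ip_network(outer))
    except ValueError:            # not an address: a service name, exact match only
        return outer == inner

def shadowed(policies):
    """Map pid -> pid of the earlier policy that hides it (like 'exec policy verify')."""
    hidden = {}
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("src", "dst", "svc")):
                hidden[later.pid] = earlier.pid
                break
    return hidden

def move(policies, pid, where, ref=None):
    """Reorder like 'set policy move <pid> before|after <ref>' or 'set policy id <pid> top'."""
    target = next(p for p in policies if p.pid == pid)
    ordered = [p for p in policies if p.pid != pid]
    if where == "top":
        pos = 0
    else:
        idx = next(i for i, p in enumerate(ordered) if p.pid == ref)
        pos = idx if where == "before" else idx + 1
    ordered.insert(pos, target)
    return ordered

def first_match(policies, src, dst, svc):
    """Return the pid of the first policy matching the flow, or None (default deny)."""
    for p in policies:
        if _covers(p.src, src) and _covers(p.dst, dst) and _covers(p.svc, svc):
            return p.pid
    return None
```

With a clear-text permit-any policy listed first, the constructed VPN tunnel policy is reported as shadowed and never matches; after moving it to the top it handles the flow.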
