The order of the configured policies is significant in how a Juniper device handles traffic. If a specific policy is listed after a general policy, it is highly likely that the specific policy will not be used. Policy ordering is very important in VPN environments. Listing the VPN or encryption policy first will ensure that the VPN traffic will reach the encryption policy, rather than a clear Permit policy. This article explains how to change the policy order of newly configured policies.

Environment:

• Policy ordering


• Position at Top

Symptoms and errors:

• The newly created policy will be placed at the bottom position; replacing the default deny policy.


• Do not want to move the policy position, every time a new policy is created.


• Need to place a particular policy at the bottom or a specific position permanently.


• Phase 1 and Phase 2 VPN negotiations completed successfully; but traffic does not go through the VPN tunnel.

It is possible to change the policy order of newly configured policies; both via the WebUI and CLI. 

In WebUI:

In the Policy -> Policies -> Under “Move” column in the policy, click either the circular arrows or single arrow to move the policy to a specific position in the list.

When you click on the circular arrows, a user prompt dialog box appears. To  move the policy to the very end in the list, enter <-1>. To move it up in the list, enter the ID number of the policy above which this policy needs to be positioned.

Click “OK” to execute the move.

When you click on the single arrow,  a policy move page appears, displaying the policy which we want to move and the tabular column displaying the other policies with the arrows pointing the location where we want to move the policy.


When the arrow respective to that location is clicked, the policy list page appears with the policy we moved in new position.
 

In CLI:

Use the following command:

set policy move policy_id [before | after] policy_id

By moving the policy we can prevent the shadowing of a new policy that is being added, which overlaps with another existing policy.

This is achieved by the following command to verify the overlapping rules.

Verification

Use the command:

exec policy verify

In addition to policy re-ordering, positioning a new configured policy on top is performed via the following methods:

• At the time of policy creation, use the following command:

  set policy top from Untrust to Trust "DMZ-LAN" any any permit

• Or use the set policy id <id-number> top command. For example:

  set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" deny
  set policy id 3
  set policy id 7 from "Untrust" to "Trust" "Trust-Lan" "Any-IPv4" "ANY" deny
  set policy id 7
  set policy id 7 top

The above commands cannot be executed by first entering the hierarchy and then placing the position to top: