The order of the configured policies determines how a Juniper device handles traffic: policies are evaluated top-down and the first match wins. If a specific policy is listed after a more general policy that matches the same traffic, the specific policy will not be reached. Policy ordering is especially important in VPN environments. Listing the VPN (encryption) policy first ensures that VPN traffic reaches the encryption policy rather than a plain Permit policy. This article explains how to change the position of newly configured policies.
The policy order can be changed via either the WebUI or the CLI.
In WebUI:
Go to Policy -> Policies. In the "Move" column of the policy, click either the circular arrows or the single arrow to move the policy to a specific position in the list.
When you click the circular arrows, a prompt dialog box appears. To move the policy to the very end of the list, enter <-1>. To move it up in the list, enter the ID number of the policy above which this policy should be positioned.
Click “OK” to execute the move.
When you click the single arrow, a policy move page appears. It shows the policy to be moved and a table of the other policies, with an arrow at each position to which the policy can be moved.
Click the arrow for the desired position; the policy list page then reappears with the moved policy in its new position.
In CLI:
Use the following command:
set policy move policy_id [before | after] policy_id
Moving a policy in this way prevents a newly added policy from being shadowed by an existing policy that overlaps it.
The following command checks the configured policies for overlapping (shadowed) rules.
Verification
Use the command:
exec policy verify
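The shadowing that exec policy verify reports can be modelled offline. The following is an added example, not Juniper code: a simplified first-match model in which an address or service name that is "any"/"Any-IPv4" is treated as a wildcard (an assumption), run over constructed policies that mirror the ids 3 and 7 used later in this article.

```python
from dataclasses import dataclass

# Address-book / service names treated as wildcards (assumption of this model)
WILDCARDS = {"any", "any-ipv4"}


@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str


def covers(general: str, specific: str) -> bool:
    """True if name `general` matches everything `specific` matches.
    Simplified: a wildcard covers anything; otherwise names must be equal."""
    return general.lower() in WILDCARDS or general.lower() == specific.lower()


def shadows(earlier: Policy, later: Policy) -> bool:
    """An earlier policy shadows a later one when every packet the later
    policy would match is already matched by the earlier one (action is
    irrelevant: the later policy is simply never consulted)."""
    return (earlier.src_zone == later.src_zone
            and earlier.dst_zone == later.dst_zone
            and covers(earlier.src, later.src)
            and covers(earlier.dst, later.dst)
            and covers(earlier.service, later.service))


def find_shadowed(policies):
    """Return (shadowed_id, shadowing_id) pairs for the list in lookup order."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if shadows(earlier, later):
                found.append((later.pid, earlier.pid))
                break
    return found


def move_top(policies, pid):
    """Model of 'set policy id <pid> top': return the re-ordered list."""
    target = next(p for p in policies if p.pid == pid)
    return [target] + [p for p in policies if p.pid != pid]


# Constructed sample: policy 7 is listed after the catch-all policy 3
POLICIES = [
    Policy(3, "Untrust", "Trust", "Any-IPv4", "Any-IPv4", "ANY", "deny"),
    Policy(7, "Untrust", "Trust", "Trust-Lan", "Any-IPv4", "ANY", "deny"),
]

if __name__ == "__main__":
    print(find_shadowed(POLICIES))               # [(7, 3)]
    print(find_shadowed(move_top(POLICIES, 7)))  # []
```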
In addition to moving an existing policy, a newly configured policy can be placed at the top of the list in either of the following ways:
- Include the top keyword when creating the policy:
set policy top from Untrust to Trust "DMZ-LAN" any any permit
- Or use the
set policy id <id-number> top
command. For example:
set policy id 3 from "Untrust" to "Trust" "Any-IPv4" "Any-IPv4" "ANY" deny
set policy id 3
set policy id 7 from "Untrust" to "Trust" "Trust-Lan" "Any-IPv4" "ANY" deny
set policy id 7
set policy id 7 top
Note that this cannot be done by first entering the policy context and then moving the policy to the top; the top keyword is not available there:
nsisg2000(B)-> set policy id 7
nsisg2000(policy:7)(B)-> set
  attack              attack group
  av                  AntiVirus scanning
  count               counting option
  di-severity         attack severity
  dst-address         destination address
  idp                 enable IDP security module (default in inline mode)
  log                 logging option
  name                policy name
  no-hw-sess          disable hardware session creation
  notify-conn-close   notify both ends if tcp session isn't normally terminated
  service             service
  sess-limit          session limit on policy
  src-address         source address
  url                 Web filtering option