JNCIS-SEC [Security Policies]

Security policy is set of rules that tells a Junos device what to do with transit traffic between zones and within a zone. SRXs as apposed to Netscreen devices by default don’t allow intra zone traffic.

If the destination of the traffic is the device itself, security policies aren’t applicable. Instead host-inbound-traffic option must be used under zone configuration to control the traffic destined to the device.

Security policies are examined if the traffic destination is other than the incoming interface which also means that even in the same zone policy check is done.

Default Policy

By default, SRX denies all traffic if no policy is matched on incoming packet. If you want to change it to permit;

[edit security policies]
root@host# set default-policy permit-all
Policy Ordering
Policy order is important in decision making. To move up policy WEB above policy FTP use;
host#insert security policies from-zone trust to-zone untrust policy WEB after policy FTP
Sample policy config

[edit security policies]
root@host# show 
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        then {
As it can be seen, a policy configuration requires a source (from-zone) zone and a destination zone (to-zone) within which several policies can be defined.
  Policy match requires to define source-address,destination-address and application or application sets.
  BUT, there is a trick thing about addresses in policies.  You can set an IP address directly and it should come from an address book as you can see below no option to set an IP.
root@host# set policy trust-to-untrust match source-address ?
Possible completions:
  <address>            Address from address book
  [                    Open a set of values
  any                  Any IPv4 or IPv6 address
  any-ipv4             Any IPv4 address
  any-ipv6             Any IPv6 address
Address Books and address sets
   Addresses are configured under the specific zone and tied to it. Address sets are also configured within the address-book configuration.
[edit security zones security-zone trust]
root@host# show
address-book {
    address host1;
    address host2;
    address-set hosts {
        address host1;
        address host2;
   You can create a custom application named company-portal like below. One thing to note is inactivity-timeout which defines how long the session should be kept in session table if there is no activity.
[edit applications]
root@host# show
application company-portal {
    protocol tcp;
    destination-port 81;
    inactivity-timeout 3600;
Policy Actions
There are three actions permit,deny and reject.  Reject sends an ICMP unreachable for UDP and TCP reset for TCP traffic as opposed to deny which silently drops the packet.
Counting traffic
    You can also display policy related detail with the following command but for counting to be active, you must enable count option in the policy then statement.
root@host# show security policies policy-name trust-to-untrust detail    
Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv6: ::/0
  Destination addresses:
    any-ipv6: ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes     :                    0                    0 bps
    Output bytes     :                    0                    0 bps
    Input  packets   :                    0                    0 pps
    Output packets   :                    0                    0 pps
    Session rate     :                    0                    0 sps
    Active sessions  :                    0
    Session deletions:                    0
    Policy lookups   :                    0
Following is a sample config which also sends syslog info to a syslog server via host command 

[edit system syslog]
root@host# show 
archive size 100k files 3;
user * {
    any emergency;
host {
    user any;
file messages {
    any critical;
    authorization info;
file interactive-commands {
    interactive-commands error;
To log start and close of sessions use session-close and session-init within a security policy (this is data plane logging )
To display flow sessions
#show security flow session
Packet Tracing
You may also need to troubleshoot a particular flow for example packets coming from and destined to Here how we can do it via configuration statements;
[edit security flow]
root@host# show
traceoptions {
    file engineering.log;
    flag basic-datapath;
    packet-filter engineering-problem {
Policy Scheduler
You can also schedule a policy so that only within allowed period it can be active.  Here is the syntax;
root@host# show schedulers
scheduler MYSCHEDULER {
    daily {
        start-time 09:00:00 stop-time 18:00:00;
Then you can apply this to a policy
[edit security policies from-zone trust to-zone untrust policy trust-to-untrust]
root@host# show
match {
    source-address any;
    destination-address any;
    application any;
then {
scheduler-name MYSCHEDULER;
This statement is something important because it determines whether policy changes should be applied to the current sessions or not. If it is set, any change done in policies are applied to already established sessions too. By default, it isn’t set.
#set security policies policy-rematch

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading