[j-nsp] Netscreen to SRX config Migration and Global Policy
OBrien, Will
ObrienH at missouri.edu
Sun Feb 9 10:27:21 EST 2014
That method should work. Keep in mind that policies applied by group are applied after everything else.
If you have a deny in your normal policies (like trust to untrust) that the traffic meets, it'll get dropped before it ever makes it to this policy.
I prefer to put my policies in each zone-to-zone stanza simply to ensure readability. Then I may use the group technique to place a deny and log command. That keeps it at the end.
On Feb 9, 2014, at 6:23 AM, Muhammad Atif Jauhar <atif.jauhar at gmail.com>
wrote:
> Hi,
>
> I am migrating a Netscreen to an SRX Firewall. I am facing an issue migrating
> the configuration of Global Policy.
>
> In Netscreen we have a few policies from (Specific Zone) to Global Zone.
>
> set policy id 100 from "Trust" to "Global" "x.x.x.x" "Any-IPv4" "HTTP" permit log
> set policy id 100
> set service "HTTPS"
> exit
>
> I have configured the same in SRX under the GROUP hierarchy.
>
> groups {
>     node0 {
>         security {
>             policies {
>                 from-zone Trust to-zone <*> {
>                     policy test {
>                         match {
>                             source-address x.x.x.x;
>                             destination-address any;
>                             application [junos-http junos-https];
>                         }
>                         then {
>                             permit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     node1 {
>         security {
>             policies {
>                 from-zone Trust to-zone <*> {
>                     policy test {
>                         match {
>                             source-address x.x.x.x;
>                             destination-address any;
>                             application [junos-http junos-https];
>                         }
>                         then {
>                             permit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> apply-groups "${node}";
>
>
> Similarly, I have a few more policies from different specific zones to Global.
>
> My question is whether I have migrated this part correctly or not. If this is
> not correct, kindly let me know the correct way to configure this similar to
> the Netscreen policy.
>
> Regards,
>
> Muhammad Atif Jauhar
> (+966-56-00-04-985)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
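
The ordering caveat from the reply, as an added example that is not code from either poster and not a Juniper tool: a small Python model of first-match evaluation in which group-inherited policies sit after the explicitly configured ones, plus a check that flags inherited policies an earlier policy fully covers. The address 10.1.1.10 stands in for the thread's x.x.x.x, and the explicit policies and the DMZ zone pair are constructed sample data; destination is left out because the thread's policy uses `destination-address any`.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                 # CIDR or "any"
    apps: frozenset          # application names; empty set means "any"
    action: str              # "permit" or "deny"
    inherited: bool = False  # True when the policy arrives via apply-groups

def matches(p, src_ip, app):
    src_ok = p.src == "any" or ip_address(src_ip) in ip_network(p.src)
    return src_ok and (not p.apps or app in p.apps)

def effective_order(explicit, inherited):
    # As the reply states: group-applied policies come after everything else.
    return list(explicit) + list(inherited)

def first_match(policies, src_ip, app):
    for p in policies:
        if matches(p, src_ip, app):
            return p
    return None  # no policy matched; the device default would apply

def covers(earlier, later):
    # True when every flow that matches `later` also matches `earlier`.
    if earlier.src != "any":
        if later.src == "any":
            return False
        if not ip_network(later.src).subnet_of(ip_network(earlier.src)):
            return False
    return not earlier.apps or (bool(later.apps) and later.apps <= earlier.apps)

def shadowed_inherited(explicit, inherited):
    # Report (inherited policy, policy that shadows it) pairs for one zone pair.
    order, found = effective_order(explicit, inherited), []
    for i, p in enumerate(order):
        hit = next((e for e in order[:i] if covers(e, p)), None)
        if p.inherited and hit is not None:
            found.append((p.name, hit.name))
    return found

# Constructed sample data (not from the thread).
TEST = Policy("test", "10.1.1.10/32",
              frozenset({"junos-http", "junos-https"}), "permit", inherited=True)
TRUST_UNTRUST = [Policy("deny-all", "any", frozenset(), "deny")]
TRUST_DMZ = [Policy("allow-dns", "any", frozenset({"junos-dns-udp"}), "permit")]
```

Running `shadowed_inherited` per zone pair before cut-over shows where the group-inherited permit would never be reached because an explicit deny matches first.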