[j-nsp] Netscreen to SRX config Migration and Global Policy

Andrew Jones andrew.jones at o2networks.com.au
Sun Feb 9 20:08:23 EST 2014


If you’re using JunOS 11.4 or later on a branch SRX, there is global policy support now.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28109

Regards,

Andrew Jones

From: Muhammad Atif Jauhar <atif.jauhar at gmail.com>
Sent: Sunday, February 9, 2014 11:23 PM
To: juniper-nsp at puck.nether.net

Hi,

I am migrating a Netscreen to an SRX firewall. I am facing an issue migrating
the configuration of the Global Policy.

In Netscreen we have a few policies from (Specific Zone) to the Global Zone.

set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit

I have configured the same in SRX under the GROUP hierarchy.

groups {
    node0 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [junos-http junos-https];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
    node1 {
        security {
            policies {
                from-zone Trust to-zone <*> {
                    policy test {
                        match {
                            source-address x.x.x.x;
                            destination-address any;
                            application [junos-http junos-https];
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
apply-groups "${node}";


Similarly, I have a few more policies from different specific zones to Global.

My question is whether I have migrated this part correctly or not. If this is
not correct, kindly let me know the correct way to configure something similar
to the Netscreen policy.

Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
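
As an added example (not part of the original messages and not Juniper's code), the Python below parses the ScreenOS policy quoted in the thread, including the follow-on `set service` line, and emits SRX global-policy `set` commands for it. The function names, the `ns-<id>` policy name, the `log session-close` mapping and the availability of `from-zone` matching in global policies are assumptions; address names are passed through unchanged and must exist in the global address book.

```python
import shlex

# Constructed sample: the ScreenOS policy quoted in the message above.
SCREENOS = '''
set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit
'''

# Only the names that appear in the thread; map anything else by hand.
SERVICE_MAP = {"HTTP": "junos-http", "HTTPS": "junos-https"}
ADDRESS_MAP = {"Any": "any", "Any-IPv4": "any-ipv4"}

def parse_screenos(text):
    """Collect policies, folding in 'set service' lines from the policy context."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "policy", "id"] and len(tok) >= 12 and tok[4] == "from":
            policies[tok[3]] = {"from": tok[5], "to": tok[7], "src": tok[8], "dst": tok[9],
                                "svc": [tok[10]], "action": tok[11], "log": "log" in tok[12:]}
        elif tok[:3] == ["set", "policy", "id"] and len(tok) == 4:
            current = policies.get(tok[3])      # enter the policy's sub-context
        elif current is not None and tok[:2] == ["set", "service"] and len(tok) == 3:
            current["svc"].append(tok[2])
        elif tok == ["exit"]:
            current = None
    return policies

def to_srx_global(pid, p, match_from_zone=True):
    """Emit Junos set commands for one '<zone> to Global' policy."""
    if p["to"] != "Global" or p["action"] not in ("permit", "deny"):
        raise ValueError(f"policy {pid}: unsupported zone or action")
    base = f"set security policies global policy ns-{pid}"   # ns-<id> is a made-up name
    out = []
    if match_from_zone:
        # Assumption: the release accepts from-zone in a global policy. Without it
        # the rule matches traffic from every zone, which is wider than the original.
        out.append(f"{base} match from-zone {p['from']}")
    out.append(f"{base} match source-address {ADDRESS_MAP.get(p['src'], p['src'])}")
    out.append(f"{base} match destination-address {ADDRESS_MAP.get(p['dst'], p['dst'])}")
    out += [f"{base} match application {SERVICE_MAP[s]}" for s in p["svc"]]  # KeyError: unmapped
    out.append(f"{base} then {p['action']}")
    if p["log"]:
        out.append(f"{base} then log session-close")   # assumed equivalent of ScreenOS 'log'
    return out

if __name__ == "__main__":
    for pid, pol in parse_screenos(SCREENOS).items():
        print("\n".join(to_srx_global(pid, pol)))
```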

