Junos Policy Configuration Examples



Show Policy

Operation                   Command
show zone                   > show security zones
                            # run show security zones
show policy                 > show security policies
                            > show configuration security policies | display set
                            # show | display set | no-more | match policy
                            # run show security policies
                            # run show security policies from ZONE to ZONE
show default application    # show groups junos-defaults applications
                            # show groups junos-defaults applications | display set | match XXXX
                            # show groups junos-defaults applications | hold XXXX
show policies hit count     > show security policies hit-count
clear policies hit count    > clear security policies hit-count


Create Security Zone

root> configure
root# set security zones security-zone Trust interfaces reth0.0
root# set security zones security-zone Untrust interfaces reth1.0
root# show | compare
root# commit check
root# commit


Add Policy

create address-book and attach address-book to zone (zone-level address book)

# set security zones security-zone TRUST address-book address NW1 192.168.10.0/24

or (global address book attached to the zone; zone-level and global address books cannot be mixed on the same device)

# set security address-book TRUST-NW address NW1 192.168.10.0/24
# set security address-book TRUST-NW attach zone TRUST

create address-set (group of addresses usable as one match value)

# set security zones security-zone untrust address-book address test-01 xx.xx.xx.xx/32
# set security zones security-zone untrust address-book address test-02 xx.xx.xx.xx/32
# set security zones security-zone untrust address-book address-set test address test-01
# set security zones security-zone untrust address-book address-set test address test-02

create application

# set applications application test9999 protocol tcp
# set applications application test9999 source-port 0-65535
# set applications application test9999 destination-port 9999

create policy

# set security zones security-zone DMZ address-book address test-server1 100.100.100.11/32

# set security policies from-zone untrust to-zone DMZ policy 030102013 match source-address any
# set security policies from-zone untrust to-zone DMZ policy 030102013 match destination-address test-server1
# set security policies from-zone untrust to-zone DMZ policy 030102013 match application junos-http junos-https
# set security policies from-zone untrust to-zone DMZ policy 030102013 then permit
# set security policies from-zone untrust to-zone DMZ policy 030102013 then log session-init
# edit security policies from-zone UNTRUST to-zone TRUST
# set policy UNTRUST2TRUST match source-address any
# set policy UNTRUST2TRUST match destination-address NW1
# set policy UNTRUST2TRUST match application junos-https junos-http
# set policy UNTRUST2TRUST then permit
# set policy UNTRUST2TRUST then count
# show

or (same policy, entered from the policy's own edit context)

# edit security policies from-zone UNTRUST to-zone TRUST policy UNTRUST2TRUST
# set match source-address any
# set match destination-address NW1
# set match application junos-https junos-http
# set then permit
# set then count
# show


Change Policy Order

# insert security policies from-zone untrust to-zone DMZ policy XXXX before policy XXXXX
# edit security policies from-zone untrust to-zone DMZ
# insert policy 10 before policy 6
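Policies in a zone pair are evaluated top to bottom, so a broad policy placed above a narrower one silently hides it. The following Python audit is an added example (not part of this cheat sheet): it parses constructed "show configuration security policies | display set" output (placeholder policy and address names, not from a real device), flags any/any/any permits, and reports policies shadowed by an earlier, broader policy in the same zone pair.

```python
import re

# Constructed sample of "show configuration security policies | display set" output
# (not captured from a real device); policy and address names are placeholders.
SAMPLE = """\
set security policies from-zone untrust to-zone DMZ policy 030102013 match source-address any
set security policies from-zone untrust to-zone DMZ policy 030102013 match destination-address test-server1
set security policies from-zone untrust to-zone DMZ policy 030102013 match application junos-http
set security policies from-zone untrust to-zone DMZ policy 030102013 then permit
set security policies from-zone untrust to-zone DMZ policy catch-all match source-address any
set security policies from-zone untrust to-zone DMZ policy catch-all match destination-address any
set security policies from-zone untrust to-zone DMZ policy catch-all match application any
set security policies from-zone untrust to-zone DMZ policy catch-all then permit
set security policies from-zone untrust to-zone DMZ policy smtp-only match source-address any
set security policies from-zone untrust to-zone DMZ policy smtp-only match destination-address test-server1
set security policies from-zone untrust to-zone DMZ policy smtp-only match application junos-smtp
set security policies from-zone untrust to-zone DMZ policy smtp-only then permit
"""
FIELDS = ("source", "destination", "application")
LINE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?")

def parse_policies(text):
    zones = {}  # {(from_zone, to_zone): {policy: fields}}, kept in the order the SRX evaluates them
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        frm, to, name, kind, key, val = m.groups()
        pol = zones.setdefault((frm, to), {}).setdefault(
            name, {"source": set(), "destination": set(), "application": set(), "action": None})
        if kind == "match":                        # source-address / destination-address / application
            pol[key.replace("-address", "")].add(val)
        elif key in ("permit", "deny", "reject"):  # ignore "then log ..." and "then count"
            pol["action"] = key
    return zones

def covers(broad, narrow):
    """True when `broad` matches every session `narrow` would, so `narrow` is never reached."""
    return all(broad[k] == {"any"} or narrow[k] <= broad[k] for k in FIELDS)

def audit(zones):
    """Return ([(zone_pair, name)] permitting any/any/any, [(zone_pair, name, hidden_by)] shadowed)."""
    wide, shadowed = [], []
    for pair, pols in zones.items():
        order = list(pols.items())
        for i, (name, pol) in enumerate(order):
            if pol["action"] == "permit" and all(pol[k] == {"any"} for k in FIELDS):
                wide.append((pair, name))
            hidden = next((p for p, q in order[:i] if covers(q, pol)), None)
            if hidden:
                shadowed.append((pair, name, hidden))
    return wide, shadowed
```

For a shadowed policy the fix is the insert form above, e.g. moving smtp-only ahead of catch-all with "insert ... policy smtp-only before policy catch-all", then re-checking hit counts after commit.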


Edit Policy

add smtp
# set security policies from-zone untrust to-zone DMZ policy 03102013 match application junos-smtp

remove https
# delete security policies from-zone untrust to-zone DMZ policy 03102013 match application junos-https


Delete Policy

# delete security policies from-zone untrust to-zone DMZ policy 03102013


Activate, Deactivate Policy

A deactivated policy stays in the configuration marked "inactive:" and is skipped after commit.

# deactivate security policies from-zone untrust to-zone DMZ policy 10
# activate security policies from-zone untrust to-zone DMZ policy 10

or, from the zone-pair edit context:

# edit security policies from-zone untrust to-zone DMZ
# deactivate policy 10
# activate policy 10


Check Session & Clear Session

> show security flow session summary
> show security flow session
> show security flow session source-prefix x.x.x.x
> show security flow session source-prefix x.x.x.x destination-prefix x.x.x.x

> clear security flow session all
> clear security flow session source-prefix x.x.x.x