Juniper firewalls, both NetScreen and SRX, use a concept of security zones. Each interface is assigned to a zone, and firewall policies are created between zones to permit traffic. This is very useful, as you can safely use the "Any" object in firewall rules without unexpected results. However, sometimes it is useful to create policies regardless of the source and destination zones. The most common reason is to create a default deny rule with logging enabled.
On NetScreen firewalls there was a global rulebase, which was evaluated if there was no matching rule in the regular rulebase. On the SRX series, however, there is no global rulebase. So in order to create default deny rules with logging enabled, you have to create a rule for each possible combination of source and destination zone. This can be a lot of work, as the number of policies required grows quickly with the number of zones (one policy per ordered zone pair).
Tired of creating so many rules, I figured there had to be an easier way. This device is running JUNOS; there must be some feature or script that can help simplify this, and there is. It is a feature called configuration groups, which makes it easy to repeat a piece of configuration multiple times. The following example creates a firewall policy that drops and logs all traffic. By applying the group under "security policies", this policy is appended to each rule set:
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match application any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then deny
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then log session-init
set security policies apply-groups global-policy
This can easily be extended to create address objects in multiple zones at once, or modified to apply only to select rule sets.
The apply-group is not entirely the same as the global policy on NetScreen: it only creates a default log-and-drop rule in each rule set that already exists. So if there are two zones between which no rule set exists yet, no drop rule is installed for that zone pair either, and traffic between them falls through to the unlogged built-in default policy.
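A small audit for that caveat, added here as an example and not part of the original post: it parses set-format configuration output, reports every rule set whose last policy is not a logged deny, and lists zone pairs that have no rule set at all (which the group cannot cover). It assumes the text comes from "show configuration security | display inheritance | display set" so that group-inherited policies are expanded in configured order; the sample configuration below is constructed.

```python
import re
from itertools import permutations

# Constructed sample of "show configuration security | display inheritance | display set"
# output (assumed format). trust->untrust carries the inherited logged deny;
# trust->dmz has a deny without logging; the other zone pairs have no rule set.
SAMPLE_CONFIG = """\
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy default-logdrop match source-address any
set security policies from-zone trust to-zone untrust policy default-logdrop then deny
set security policies from-zone trust to-zone untrust policy default-logdrop then log session-init
set security policies from-zone trust to-zone dmz policy allow-smtp then permit
set security policies from-zone trust to-zone dmz policy default-logdrop then deny
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")


def audit_default_deny(config_text):
    """Return zone pairs whose last policy is not a logged deny, and pairs with no rule set."""
    zones = []
    rulesets = {}  # (from, to) -> {policy_name: set of statements}, in configured order
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m and m.group(1) not in zones:
            zones.append(m.group(1))
        m = POLICY_RE.match(line)
        if m:
            pair, name, stmt = (m.group(1), m.group(2)), m.group(3), m.group(4)
            rulesets.setdefault(pair, {}).setdefault(name, set()).add(stmt)
    missing_default = []
    for pair, policies in rulesets.items():
        last = policies[list(policies)[-1]]  # dict order == order the policies were listed
        if not ({"then deny", "then reject"} & last and "then log session-init" in last):
            missing_default.append(pair)
    # Inter-zone pairs only; intra-zone (trust->trust) rule sets are not checked here.
    no_ruleset = [p for p in permutations(zones, 2) if p not in rulesets]
    return {"missing_default": missing_default, "no_ruleset": no_ruleset}


if __name__ == "__main__":
    for key, pairs in audit_default_deny(SAMPLE_CONFIG).items():
        print(key, pairs)
```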