Junos OS Global Policy Overview

Global policies do not support VPN tunnels, because VPN tunnels require specific zone information (from-zone and to-zone).

In a Junos OS stateful firewall, security policies enforce rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. Security policies require traffic to enter one security zone and exit another security zone. This combination of a from-zone and to-zone is called a context. Each context contains an ordered list of policies. Each policy is processed in the order that it is defined within a context.

You can configure a security policy from the user interface. Security policies control traffic flow from one zone to another zone by defining the kind(s) of traffic permitted from specific IP sources to specific IP destinations at scheduled times. This works well in most cases, but it is not always flexible enough. For example, if you want to perform actions on traffic but do not care about the zones (that is, you want to permit all traffic to access a given server in the DMZ), you have to configure policies for each possible context. To avoid creating multiple policies across every possible context, you can create a global policy. Global policies provide you with the flexibility to perform actions on traffic without the restrictions of zone specifications.

Junos OS Global Policy

Unlike other security policies, global policies do not reference specific source and destination zones (from-zone and to-zone). Global policies allow you to regulate traffic with addresses and applications, regardless of their security zones. Global policies reference user-defined addresses or the predefined address “any.” These addresses can span multiple security zones. For example, if you want to provide access to or from multiple zones, you can create a global policy with the address “any,” which encompasses all addresses in all zones. Selecting the “any” address matches any IP address, and when “any” is used as a source/destination address in any global policy configuration, it matches the source/destination address of any packet.

Traffic is classified by matching the policy’s source address, destination address, and the application that the traffic carries in its protocol header. Each global policy, as with any other security policy, has the following actions: permit, deny, reject, log, count.

Global policies in one logical system are in a separate context from other security policies and have a lower priority than regular security policies in a policy lookup. In a policy lookup, regular security policies are searched first; only if there is no match is a global policy lookup performed.

Similar to regular policies, global policies in a context are ordered, such that the first matched policy is applied to the traffic.

You can define global policies for each logical system.
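As an added example (not from the original documentation), the following Junos CLI configuration shows a global policy that permits web traffic to one DMZ server from any zone, followed by a logged catch-all deny in the same global context. The policy names, the address-book entry name and the IP address are assumptions chosen for illustration.

```junos
## Constructed example: global address-book entry for the DMZ web server
## (the name and the 192.0.2.10 address are placeholders for this illustration)
set security address-book global address dmz-web-server 192.0.2.10/32

## Global policy: permit HTTP/HTTPS from any address in any zone to the DMZ
## web server only. No from-zone/to-zone is referenced, so this one policy
## replaces a permit in every possible from-zone/to-zone context. Keeping the
## destination and application narrow limits what "any" source can reach.
set security policies global policy allow-dmz-web match source-address any
set security policies global policy allow-dmz-web match destination-address dmz-web-server
set security policies global policy allow-dmz-web match application junos-http
set security policies global policy allow-dmz-web match application junos-https
set security policies global policy allow-dmz-web then permit
set security policies global policy allow-dmz-web then log session-init
set security policies global policy allow-dmz-web then log session-close
set security policies global policy allow-dmz-web then count

## Final global policy: explicit, logged deny. Global policies are evaluated
## only after no zone-context policy matched, so this catches traffic that
## would otherwise fall through to the unlogged default deny and gives
## visibility into unexpected cross-zone flows.
set security policies global policy deny-all-log match source-address any
set security policies global policy deny-all-log match destination-address any
set security policies global policy deny-all-log match application any
set security policies global policy deny-all-log then deny
set security policies global policy deny-all-log then log session-init

## Ordering within the global context is first-match-wins. If deny-all-log
## ended up above allow-dmz-web, move it to the end before committing:
##   insert security policies global policy deny-all-log after policy allow-dmz-web
##
## Verify from operational mode that both policies appear in the intended order:
##   show security policies global
```

Regular zone-to-zone policies are still searched first, so a permissive from-zone/to-zone policy will match before either global policy above; review the zone contexts when traffic does not reach the global deny.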