JUNOS Space Security Director Rules

JUNOS Space 14.1 and Security Director 14.1 have been out for a few months now.  With this version, I can finally start recommending the widespread adoption.  I’ve actually started using it and started installing it for customers.  It’s finally usable and workable!

Juniper’s documentation is usually one of the better vendors out there, but for some reason, the documentation around Security Director is a little sparse.

I was setting up a firewall policy to send to my devices and wanted to know what each “rule” meant.  I scoured the internet for a definition of what Global Pre, Global Post, Zone Pre, and Zone Post rules were.  It wasn’t until getting in touch with Juniper themselves that I was able to get an answer.

So what’s the deal with these types of rules?

If you see “Global” and “Zone” rules, you’re inside of a GROUP policy.  This means that the policy can be applied to a whole group of firewalls.

Global rules are applied globally to the device.  This means, that they aren’t zone dependent.  If you have a global firewall rule saying “any any permit”. That will allow ANY traffic from ANY zone to talk to ANY zone.  These are typically very broad security rules.

So when are global and zone based rules applied?

This is the Security Director Policy Workflow:

  1. Global Pre Policy
    1. From any zone to any zone
  2. Zone Pre Policy
    1. From zone x to zone y
  3. DEVICE Policy
    1. From zone x to zone y
      1. SPECIFIC only to this device
  4. Zone Post Policy
    1. From zone x to zone y
  5. Global Post Policy
    1. From any zone to any zone

Once you assign a device to the GROUP policy, you can create a device policy by right clicking on the device and clicking “Modify Policy”.

Screen Shot 2015-01-16 at 14.33.47



Why would you use a group firewall policy?

Let’s say you have 4 firewalls to manage.  You have a company policy that has to be applied to every firewall the block all NetBIOS traffic to the core. You can use a GROUP policy and apply it to all 4 firewalls so you don’t have to create the same rule 4 times.

Since each firewall will have its own networks behind it they’ll each have to have their own policies.  You can do this by assign a DEVICE policy to each device.  The GROUP policy will be applied along with the DEVICE policy to save you time on the rules that are duplicated and allow you to customize each device’s policy.

All rules created in the GROUP policy as a PRE rule will be added to before each device’s own rules and all rules created in the GROUP policy as a POST rule will be added after each device’s own rules.


Hopefully this helps explain GROUP and DEVICE policies as well as PRE and POST rules.  Let me know if you have any questions.


Leave a Reply

There aren't any comments at the moment, be the first to start the discussion!