From the course: Juniper Security Policies Fundamentals

Policy components


- [Narrator] Let's understand the different components that make up a security policy. The first one is security zones. Each security policy has two zones, a source zone, also known as from-zone, and a destination zone, also known as to-zone. Global policies, however, are an exception. They do not have source and destination zones. Global policies only match the address objects, and these can belong to any security zone. The second policy component is addresses or address objects. These are used to reference source and destination IP addresses. The most common address objects are IP prefix address objects, IP range objects, and DNS address objects. IP prefix address objects are used to define IP prefixes, while IP range objects are used to define a contiguous range of IP addresses. DNS objects are used in situations where the IP address may change. In a later movie, we'll understand how to create address objects. The third policy component is applications or application objects. These contain layer 3 or layer 4 protocol and port information to match the type of traffic passing through the device. The application objects may be system-defined or user-defined. The last one is actions. Once a policy has been matched, actions are used to specify whether you want to permit, deny, or reject the traffic. Permit causes the traffic to be allowed through the device. Reject causes the traffic to be dropped and the firewall will send a TCP or ICMP reset depending on the protocol that was matched. Deny causes the traffic to be silently dropped. The firewall does not send an additional message like TCP reset or ICMP unreachable. To understand this, I've configured two security policies that block ICMP traffic. One that rejects, and the other that denies. Let's take a look at the first one. The command is show security policies from-zone trust to-zone untrust, and then the keyword is policy, and then the policy name, REJECT-PINGTARGET1.
As you can see, it matches any source address and the destination address is set as PINGTARGET1. This is an address-book entry representing the IP address 172.16.1.1. Let's take a look at it. The command is show security address-book. The address-book name, which is global, the keyword is address, and then the address name, which is PINGTARGET1. I'll press Enter, and we can see that the IP address configured is 172.16.1.1. The policy is set to match ICMP traffic, and the action is set to reject. I'll open a new tab and try to ping this IP address. Ping 172.16.1.1, press Enter. As you can see, traffic is being blocked, but there is a response from the firewall. I'll first press Control + C to terminate the process. It has some information such as the source of the traffic, the destination, and some headers as well. This is useful while troubleshooting network connectivity, and the reject action is usually configured for internal addresses. Let's go back to the Junos terminal and take a look at another policy. I'll hit the Up Arrow a couple of times and change the policy name to DENY-PINGTARGET2. Press Enter. This matches the same source address and the same application, but the address is set to PINGTARGET2. This is an address-book entry representing the IP address 172.16.1.2. Notice the action is set to deny. I'll go back to the other tab, hit the Up Arrow, and change the address to 172.16.1.2. Press Enter. The traffic is still being blocked, but this time, there is no additional message from the firewall. It's a simple timeout message. This is generally configured for traffic originating from outside. This is done to hide critical assets sitting behind the firewall. Apart from permit, reject, and deny, additional actions that can be configured include count and log. These are used along with permit, deny, and reject. The count action is used to count the number of matched packets, while the log action generates a log entry for that session.
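The following set-style Junos configuration is an added example, not the course's own lab configuration: it reconstructs the two policies demonstrated above from the show output the narrator walks through. Zone names, address names, IP addresses and the policy names are taken from the transcript (REJECT-PINGTARGET1 is assumed to be hyphenated like DENY-PINGTARGET2); the /32 masks, the use of the predefined application junos-icmp-all, and the count and log actions are assumptions added to illustrate the components discussed.

```junos
## Address objects (IP-prefix type) in the global address book.
## /32 masks are assumed; the transcript only shows the host addresses.
set security address-book global address PINGTARGET1 172.16.1.1/32
set security address-book global address PINGTARGET2 172.16.1.2/32

## Policy 1: from-zone trust to-zone untrust, reject.
## Matched ICMP is dropped and the SRX answers with ICMP unreachable
## (TCP RST for TCP), so the sender fails fast. Typical for internal sources.
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 match source-address any
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 match destination-address PINGTARGET1
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 then reject
## Added actions: count matched packets and log the (denied) session event.
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 then count
set security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1 then log session-init

## Policy 2: same source and application, different destination, deny.
## Matched ICMP is dropped silently; the sender only sees a timeout, which
## reveals nothing about the host behind the firewall. Typical for external sources.
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 match source-address any
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 match destination-address PINGTARGET2
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 then deny
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 then count
set security policies from-zone trust to-zone untrust policy DENY-PINGTARGET2 then log session-init

## Operational-mode checks used in the video, plus the counters the
## count action populates.
## show security policies from-zone trust to-zone untrust policy REJECT-PINGTARGET1
## show security address-book global address PINGTARGET1
## show security policies hit-count
```

Policies are evaluated top-down within a zone pair, so keep these two above any broader permit for ICMP; the log session-init action is what produces RT_FLOW session deny entries for traffic that never forms a session.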
