That method should work. Keep in mind that policies applied by group are applied after everything else. If you have a deny in your normal policies (like trust to untrust) that the traffic meets, it'll get dropped before it ever makes it to this policy.
I prefer to put my policies in each zone-to-zone stanza simply to ensure readability. Then I may use the group technique to place a deny and log command. That keeps it at the end.

On Feb 9, 2014, at 6:23 AM, Muhammad Atif Jauhar <atif.jau...@gmail.com> wrote:

> Hi,
>
> I am migrating Netscreen to SRX Firewall. I am facing an issue migrating the
> configuration of the Global Policy.
>
> In Netscreen we have a few policies from (Specific Zone) to Global Zone.
>
> set policy id 100 from "Trust" to "Global" "x.x.x.x" "Any-IPv4" "HTTP" permit log
> set policy id 100
> set service "HTTPS"
> exit
>
> I have configured the same in SRX under the GROUP hierarchy.
>
> groups {
>     node0 {
>         security {
>             policies {
>                 from-zone Trust to-zone <*> {
>                     policy test {
>                         match {
>                             source-address x.x.x.x;
>                             destination-address any;
>                             application [ junos-http junos-https ];
>                         }
>                         then {
>                             permit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     node1 {
>         security {
>             policies {
>                 from-zone Trust to-zone <*> {
>                     policy test {
>                         match {
>                             source-address x.x.x.x;
>                             destination-address any;
>                             application [ junos-http junos-https ];
>                         }
>                         then {
>                             permit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> apply-groups "${node}";
>
> Similarly, I have a few more policies from different specific zones to Global.
>
> My question is whether I have migrated this part correctly or not. If this is
> not correct, kindly let me know the correct way to configure it similar to the
> Netscreen policy.
>
> Regards,
>
> Muhammad Atif Jauhar
> (+966-56-00-04-985)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
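The layout the reply describes, written out in Junos set-command form as an added example (it is not configuration from the thread or from either poster). The explicit zone-pair policy holds the permit, and a named group with wildcard zones carries the catch-all deny-and-log so that, because group-applied policies land after the explicit ones, it is always evaluated last. The group name catch-all, the policy names allow-web and deny-log, the address-book entry host-10-1-1-10 and the zone Untrust are all assumptions made for the example; the original thread uses per-node groups (node0/node1) with apply-groups "${node}", which works the same way.

```junos
## Address-book entry for the permitted source (assumed value, stands in for x.x.x.x)
set security address-book global address host-10-1-1-10 10.1.1.10/32

## Explicit zone-pair policy: evaluated before anything inherited from a group.
## A deny placed here would match first and the group policy would never be reached.
set security policies from-zone Trust to-zone Untrust policy allow-web match source-address host-10-1-1-10
set security policies from-zone Trust to-zone Untrust policy allow-web match destination-address any
set security policies from-zone Trust to-zone Untrust policy allow-web match application junos-http
set security policies from-zone Trust to-zone Untrust policy allow-web match application junos-https
set security policies from-zone Trust to-zone Untrust policy allow-web then permit
set security policies from-zone Trust to-zone Untrust policy allow-web then log session-init

## Group (assumed name) with wildcard zones: the final deny-and-log for every zone pair.
## Inherited into each from-zone/to-zone stanza after the explicit policies above.
set groups catch-all security policies from-zone <*> to-zone <*> policy deny-log match source-address any
set groups catch-all security policies from-zone <*> to-zone <*> policy deny-log match destination-address any
set groups catch-all security policies from-zone <*> to-zone <*> policy deny-log match application any
set groups catch-all security policies from-zone <*> to-zone <*> policy deny-log then deny
set groups catch-all security policies from-zone <*> to-zone <*> policy deny-log then log session-init
set apply-groups catch-all
```

After committing, the operational command show security policies lists the merged policy order per zone pair; deny-log should appear as the last entry in each, which is the check that the group technique produced the ordering the reply relies on.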