
One policy to rule all zones

Following the example of my colleagues Said and Tom, who also blog about their networking journeys, I decided to do the same.

Lately, I’ve been deploying IPv6 to different zones in my (home)lab. To test basic connectivity, I wanted to allow ICMPv6 echo requests by default, which resulted in my configuring this same policy over and over:

set security policies from-zone <ZONE-A> to-zone <ZONE-B> policy allow-icmp6-echo-request match source-address any-ipv6
set security policies from-zone <ZONE-A> to-zone <ZONE-B> policy allow-icmp6-echo-request match destination-address any-ipv6
set security policies from-zone <ZONE-A> to-zone <ZONE-B> policy allow-icmp6-echo-request match application junos-icmp6-echo-request
set security policies from-zone <ZONE-A> to-zone <ZONE-B> policy allow-icmp6-echo-request then permit

Since I currently have IPv6 deployed in 4 zones, I had quickly deployed this policy 6 times, so it was time to turn it into a global policy:

set security policies global policy allow-icmp6-echo-request match source-address any-ipv6
set security policies global policy allow-icmp6-echo-request match destination-address router-self-v6
set security policies global policy allow-icmp6-echo-request match application junos-icmp6-echo-request
set security policies global policy allow-icmp6-echo-request then permit

Back to a single defined policy, which also applies to new zones as soon as they are added. Two things to keep in mind: the SRX evaluates the zone-pair policies first and only falls through to the global policies when no zone-pair policy matches, and this global version matches destination-address router-self-v6 instead of any-ipv6, so it only permits echo requests to the addresses in that (global address-book) entry; if transit pings between hosts in different zones should still work, match any-ipv6 as in the zone-pair policy above.

As of version 12.1X47, it’s also possible to use from-zone and to-zone in the match conditions of a global policy, as described here.
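As an added illustration of those from-zone/to-zone match conditions (this is not configuration from the original post, and the zone names mgmt and iot are assumptions), the following global policies let the management zone ping everything, refuse echo requests into the IoT zone from anywhere else, and keep the blanket allow for the remaining zone combinations. Because global policies are matched top to bottom, the order of the three policies is what makes the scoping work:

```junos
## Added example, not from the original post. Assumes zones named mgmt and iot
## and Junos 12.1X47-D10 or later (from-zone/to-zone matching in global policies).

## 1. Management hosts may send ICMPv6 echo requests to any zone.
set security policies global policy allow-icmp6-echo-from-mgmt match from-zone mgmt
set security policies global policy allow-icmp6-echo-from-mgmt match to-zone any
set security policies global policy allow-icmp6-echo-from-mgmt match source-address any-ipv6
set security policies global policy allow-icmp6-echo-from-mgmt match destination-address any-ipv6
set security policies global policy allow-icmp6-echo-from-mgmt match application junos-icmp6-echo-request
set security policies global policy allow-icmp6-echo-from-mgmt then permit

## 2. Nobody else may probe the IoT zone; log the attempts.
set security policies global policy deny-icmp6-echo-to-iot match from-zone any
set security policies global policy deny-icmp6-echo-to-iot match to-zone iot
set security policies global policy deny-icmp6-echo-to-iot match source-address any-ipv6
set security policies global policy deny-icmp6-echo-to-iot match destination-address any-ipv6
set security policies global policy deny-icmp6-echo-to-iot match application junos-icmp6-echo-request
set security policies global policy deny-icmp6-echo-to-iot then deny
set security policies global policy deny-icmp6-echo-to-iot then log session-init

## 3. Everything else: echo requests between any two zones are allowed.
set security policies global policy allow-icmp6-echo-request match source-address any-ipv6
set security policies global policy allow-icmp6-echo-request match destination-address any-ipv6
set security policies global policy allow-icmp6-echo-request match application junos-icmp6-echo-request
set security policies global policy allow-icmp6-echo-request then permit
```

If the policies end up in the wrong order, move them with insert security policies global policy deny-icmp6-echo-to-iot before policy allow-icmp6-echo-request, and verify the result with show security policies global; after a few test pings, show security policies hit-count shows which of the three policies actually matched.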
