Policy Template Group

Use a security policy template group to make sure a policy is always placed at the bottom of a zone pair's policy list. Policies inherited through apply-groups are appended after the explicitly configured policies, so this is a convenient way to add a logging default-deny policy (as below) or a catch-all policy for dynamic VPN without having to re-order policies every time a new permit is added.

#Create a policy template group

set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init


#Apply the policy template group to zone based policy

set security policies from-zone untrust to-zone trust apply-groups default-deny-template

#Verification (configuration mode; inherited statements are annotated with the group they came from and the inherited policy is listed last)
show security policies from-zone untrust to-zone trust | display inheritance
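As an added example (not part of the original post), the same template applied once at the [edit security policies] level so that every configured zone pair inherits the logging default-deny, alongside an ordinary permit policy to show the ordering. The zone names trust and untrust and the policy name allow-web are assumed for illustration.

```junos
# Added example: one logging deny-all template inherited by every zone pair.
# Zone names (trust, untrust) and the allow-web policy are assumed.
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then count

# Apply once at the security policies level; the <*> wildcards then match
# every from-zone/to-zone pair that exists in the configuration.
set security policies apply-groups default-deny-template

# Explicit permits stay in their own zone-pair context and are evaluated first;
# the inherited default-deny is appended after them.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Keep the box-wide default at deny-all; the explicit policy only adds logging and counters.
set security policies default-policy deny-all

# Configuration-mode check that default-deny is inherited and ordered last,
# then the operational view of the committed policy set for the same zone pair.
show security policies from-zone trust to-zone untrust | display inheritance
run show security policies from-zone trust to-zone untrust
```

Two caveats worth knowing: the `<*>` wildcards only match zone pairs that already have a from-zone/to-zone context in the configuration, so traffic between a pair with no configured policies still falls through to the default policy and is dropped without a log; and a deny policy can only log session-init, since no session is created to produce a session-close record.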
