Policy Template Group
Use a security policy template group to make sure a policy always sits at the bottom of the policy list. This works for the implicit deny policy, as shown below, or for a dynamic VPN policy.
#Create a policy template group
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then log session-init
#Apply the policy template group to a zone-based policy
set security policies from-zone untrust to-zone trust apply-groups default-deny-template
#Verification (run in configuration mode, on the zone pair the group was applied to)
show security policies from-zone untrust to-zone trust | display inheritance
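The group only protects zone pairs it is applied to, so a quick audit of the configuration is useful. The script below is an added example, not part of the original post: it scans `display set` output and lists the zone pairs that do not inherit the template group. The sample configuration and the function name are constructed for illustration.

```python
import re

GROUP = "default-deny-template"  # group name used on this page

# Constructed sample of `show configuration | display set` output.
SAMPLE = """\
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then deny
set security policies from-zone untrust to-zone trust policy allow-web match application junos-https
set security policies from-zone untrust to-zone trust policy allow-web then permit
set security policies from-zone untrust to-zone trust apply-groups default-deny-template
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone dmz to-zone trust policy allow-db then permit
set security policies from-zone dmz to-zone trust apply-groups other-template
"""

PAIR = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) (.*)$")
BROAD = re.compile(r"^set (?:security (?:policies )?)?apply-groups (.+)$")


def zone_pairs_missing_group(display_set: str, group: str = GROUP) -> list[tuple[str, str]]:
    """Return zone pairs that do not inherit `group`, in configuration order."""
    pairs: dict[tuple[str, str], bool] = {}
    for line in display_set.splitlines():
        line = line.strip()
        broad = BROAD.match(line)
        if broad and group in broad.group(1).strip("[] ").split():
            return []  # applied above the zone-pair level: every pair inherits it
        m = PAIR.match(line)
        if not m:
            continue  # also skips the `set groups ...` definition lines
        key = (m.group(1), m.group(2))
        pairs.setdefault(key, False)
        rest = m.group(3).split()
        if rest[:1] == ["apply-groups"] and group in rest[1:]:
            pairs[key] = True
    return [pair for pair, covered in pairs.items() if not covered]


if __name__ == "__main__":
    for src, dst in zone_pairs_missing_group(SAMPLE):
        print(f"from-zone {src} to-zone {dst}: {GROUP} not applied")
```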