Juniper SRX evaluates security policies in order, top to bottom. The first matching policy determines the action, and no further policies are evaluated. This behavior can lead to shadowed policies if later policies match the same conditions as earlier ones.
From the exhibit:
Policy1: Matches application junos-http and permits traffic.
Policy2: Matches application junos-https and permits traffic.
Policy3: Matches application junos-http again, but denies traffic.
Since policy1 already matches all HTTP traffic and permits it, traffic never reaches policy3. This makes policy3 shadowed, because it has the same match condition as policy1 but is evaluated later in the list.
Other options:
Policy1 is not shadowed because it is evaluated first.
Policy2 is independent (application = HTTPS) and therefore unaffected.
Only policy3 is shadowed by policy1.
Correct Statement: Policy3 will be shadowed because it matches the same application as policy1.
[Reference: Juniper Networks – Security Policy Evaluation Order and Shadowed Policies, Junos OS Security Fundamentals.]
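As an added illustration (not code from the page or from Juniper), the following Python script models the ordered, first-match evaluation described above and flags any policy that an earlier policy in the same zone pair fully covers. It generalizes slightly beyond the exhibit by also comparing source and destination addresses; the zone and address values given for the three policies are assumptions, since the exhibit only shows the application match.

```python
from dataclasses import dataclass

# Constructed model of an SRX security policy. Each match field is a set of
# values; the sentinel "any" means the field matches everything.
@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src_addr: set
    dst_addr: set
    apps: set
    action: str

def _covers(earlier: set, later: set) -> bool:
    """True if every value the later policy can match is also matched earlier."""
    return "any" in earlier or later <= earlier

def find_shadowed(policies):
    """Return {shadowed_policy: shadowing_policy} for a list in evaluation order.

    SRX stops at the first match, so a policy is shadowed when an earlier policy
    in the same from-zone/to-zone pair matches every source, destination and
    application the later policy could ever match; no traffic reaches it.
    """
    shadowed = {}
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.src_zone, earlier.dst_zone) != (later.src_zone, later.dst_zone):
                continue
            if (_covers(earlier.src_addr, later.src_addr)
                    and _covers(earlier.dst_addr, later.dst_addr)
                    and _covers(earlier.apps, later.apps)):
                shadowed[later.name] = earlier.name
                break  # first shadowing policy is enough to report
    return shadowed

# The three policies from the exhibit; zones and addresses are assumed values.
EXHIBIT = [
    Policy("policy1", "trust", "untrust", {"any"}, {"any"}, {"junos-http"}, "permit"),
    Policy("policy2", "trust", "untrust", {"any"}, {"any"}, {"junos-https"}, "permit"),
    Policy("policy3", "trust", "untrust", {"any"}, {"any"}, {"junos-http"}, "deny"),
]

if __name__ == "__main__":
    print(find_shadowed(EXHIBIT))  # {'policy3': 'policy1'}
```

Moving policy3 above policy1 would instead report policy1 as shadowed, which is the usual audit signal that a deny rule was appended below a broader permit.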