
Issue Description
The current policy setting is as below:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 50
action deny
The customer controls which services are allowed for traffic from the trust zone to the untrust zone. Now the customer adds a new policy to control the services of a new subnet. The configuration is as below:
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
The customer finds that the configured policy doesn’t match their requirement: no service control occurs in this network. I find that the configuration is not as expected:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 50
action deny
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"

Handling Process
Policy 50 comes before policy 3 in the configuration, so it is matched first. After checking the product documentation, it was found that the priority of a policy isn’t related to its policy ID.

Solution
Use the command “policy move 3 before 50” to fix the problem. The final configuration is:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
policy 50
action deny
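
The ordering problem in this case can be checked offline with a small first-match evaluator. This is an added example, not Huawei tooling or part of the original case; it assumes policies are evaluated top-down in displayed order, that a policy with no conditions matches all traffic, and that each address-set name is literally its subnet. The helper names parse_policies, first_match and move_before are hypothetical.

```python
import ipaddress
# Abridged from the page's configuration as found (policy 2 omitted), in displayed order.
AS_FOUND = """\
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 50
action deny
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
"""

def parse_policies(text):
    """Policies in configuration order. Assumes each address-set name is a CIDR subnet."""
    policies = []
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "policy" and words[1].isdigit():
            policies.append({"id": int(words[1]), "action": None, "services": set(), "sources": []})
        elif words[:1] == ["action"]:
            policies[-1]["action"] = words[1]
        elif words[:3] == ["policy", "service", "service-set"]:
            policies[-1]["services"].add(words[3])
        elif words[:3] == ["policy", "source", "address-set"]:
            policies[-1]["sources"].append(ipaddress.ip_network(words[3].strip('"“”')))
    return policies

def first_match(policies, src, service):
    """(id, action) of the first matching policy; assumes an empty condition matches all."""
    ip = ipaddress.ip_address(src)
    for p in policies:
        src_ok = not p["sources"] or any(ip in net for net in p["sources"])
        svc_ok = not p["services"] or service in p["services"]
        if src_ok and svc_ok:
            return p["id"], p["action"]
    return None, None

def move_before(policies, pid, target):
    """Model the effect of 'policy move <pid> before <target>' on the parsed list."""
    rest = [p for p in policies if p["id"] != pid]
    idx = next(i for i, p in enumerate(rest) if p["id"] == target)
    return rest[:idx] + [p for p in policies if p["id"] == pid] + rest[idx:]
```

Running first_match for a host in 172.21.16.0/24 before and after move_before(policies, 3, 50) shows the match shifting from policy 50 to policy 3, while services outside policy 3 still fall through to the deny.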