Understanding How SSL Proxy Policy Intents Are Applied
When you deploy an SSL proxy policy, SSL proxy profiles are deployed to the applicable sites based on SSL proxy policy intents. The deployments of firewall and SSL proxy policies are related: firewall policy deployments take into account the last-deployed SSL snapshots and vice versa. Therefore, even if an SSL proxy profile is deployed to the applicable sites, it is applied only to traffic to which the firewall policy intent applies.
The decision regarding which SSL proxy profile is attached to a firewall policy intent is based on matching criteria between SSL proxy policy and firewall policy intents. In addition, if there is a match between the SSL proxy policy intent and the firewall policy intent, the SSL profile is applied only to the policy intents that are common between the firewall and the SSL proxy policies.
The following examples demonstrate the matching logic between SSL proxy policy and firewall policy intents.
Example 1: Firewall Policy Intent and SSL Proxy Policy Intent Match
Table 1 shows an example of a firewall policy intent and an SSL proxy policy intent that match, which means that the SSL proxy profile attaches to the firewall policy intent. In this case, the firewall policy intent has a source and destination of Any IP address, which signifies traffic from any IP address from any site to any IP address on the Internet. The SSL proxy policy intent has a source of Any IP address, which signifies any IP address from any site, and a destination IP address of 198.51.100.0.
Therefore, there is a match between the firewall policy intent and the SSL proxy policy intent and the SSL proxy profile is applied only to traffic from any IP address of any site to the IP address 198.51.100.0.
Table 1: (Example) Match Between Firewall Policy Intent and SSL Proxy Policy Intent
Type | Source | Destination | Action or Profile |
---|---|---|---|
Firewall policy intent | IP address—Any | IP address—Any | Allow |
SSL proxy policy intent | IP address—Any | IP address—198.51.100.0 | SSL-Profile-1 |
Example 2: Firewall Policy Intent and SSL Proxy Policy Intent Do Not Match
Table 2 shows an example of a firewall policy intent and an SSL proxy policy intent that do not match, which means that the SSL proxy profiles do not attach.
Although, at first glance, it appears that an SSL proxy policy intent with a source and destination IP address Any should match a firewall policy intent with a source IP address Any and destination department Finance, this is not the case because of what the IP address Any signifies in the destination.
For both firewall and SSL proxy policy intents:
- A source IP address value of Any signifies any IP address from any site.
- A destination IP address value of Any signifies traffic going to the Internet—that is, to any IP address on the Internet. Traffic within sites (internal traffic) is not covered by the destination IP address value of Any.
In this example, the firewall policy intent applies to traffic from any IP address (from any site) to the Finance department. However, the SSL proxy policy intent applies to traffic from any IP address (from any site) to any IP address on the Internet. This means that there is no match between the firewall policy intent and the SSL proxy policy intent and the SSL proxy profile does not attach.
Table 2: (Example) No Match Between Firewall Policy Intent and SSL Proxy Policy Intent
Type | Source | Destination | Action or Profile |
---|---|---|---|
Firewall policy intent | IP address—Any | Department—Finance | Allow |
SSL proxy policy intent | IP address—Any | IP address—Any | SSL-Profile-2 |
Example 3: Applying SSL Proxy Policy Intents on Internal (Site-to-Site) Traffic
SSL forward proxy is not typically used for site-to-site traffic, but this example is provided to explain how an SSL proxy policy intent applies to site-to-site traffic.
Consider a scenario in which you have three sites (A, B, C) and you want to configure an SSL proxy for traffic between the sites. Table 3 displays the firewall policy and SSL proxy policy intents that you can use for such a scenario.
Both the firewall policy intent and the SSL proxy policy intent use Site A, Site B, and Site C as the source and destination. Therefore, the firewall policy intent and the SSL proxy policy intent match, and the SSL proxy profile attaches to the firewall policy intent.
The destination must be Site A, Site B, and Site C because the destination IP address Any signifies any IP address on the Internet.
Table 3: (Example) Firewall Policy and SSL Proxy Policy Intents for Site-to-Site Traffic
Type | Source | Destination | Action or Profile |
---|---|---|---|
Firewall Policy Intent | Site A, Site B, Site C | Site A, Site B, Site C | Allow |
SSL Proxy Policy Intent | Site A, Site B, Site C | Site A, Site B, Site C | SSL-Profile-3 |
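The matching rules in Examples 1 to 3 can be checked with a small model, which is useful when auditing whether an SSL proxy profile actually covers the traffic you expect to be decrypted. This is an added example, not the product's code: the `Endpoint`, `overlap`, `common`, and `attach` names are hypothetical, and it assumes a specific destination IP address is an Internet address, as in Table 1.

```python
from typing import NamedTuple

class Endpoint(NamedTuple):
    kind: str   # "ip", "site" or "department"
    value: str  # "Any", an address, or a name

ANY_IP = Endpoint("ip", "Any")

def overlap(a, b, role):
    """Return the endpoint common to a and b, or None if they are disjoint."""
    if a == b:
        return a
    for wide, narrow in ((a, b), (b, a)):
        # Source Any covers any IP address from any site, so it overlaps everything.
        # Destination Any covers Internet addresses only, never a site or department.
        # Assumption: a specific destination IP is an Internet address, as in Table 1.
        if wide == ANY_IP and (role == "source" or narrow.kind == "ip"):
            return narrow
    return None

def common(xs, ys, role):
    """Collect the endpoints shared by two endpoint lists, without duplicates."""
    found = []
    for a in xs:
        for b in ys:
            hit = overlap(a, b, role)
            if hit is not None and hit not in found:
                found.append(hit)
    return found

def attach(firewall, ssl):
    """Return (profile, sources, destinations) the profile applies to, or None."""
    src = common(firewall["source"], ssl["source"], "source")
    dst = common(firewall["destination"], ssl["destination"], "destination")
    return (ssl["profile"], src, dst) if src and dst else None

# Intents transcribed from Tables 1 to 3 on this page.
SITES = [Endpoint("site", s) for s in ("A", "B", "C")]
TABLE_1 = ({"source": [ANY_IP], "destination": [ANY_IP]},
           {"source": [ANY_IP], "destination": [Endpoint("ip", "198.51.100.0")],
            "profile": "SSL-Profile-1"})
TABLE_2 = ({"source": [ANY_IP], "destination": [Endpoint("department", "Finance")]},
           {"source": [ANY_IP], "destination": [ANY_IP], "profile": "SSL-Profile-2"})
TABLE_3 = ({"source": SITES, "destination": SITES},
           {"source": SITES, "destination": SITES, "profile": "SSL-Profile-3"})

if __name__ == "__main__":
    for name, (fw, ssl) in (("Table 1", TABLE_1), ("Table 2", TABLE_2), ("Table 3", TABLE_3)):
        print(name, attach(fw, ssl))
```

A `None` result, as for Table 2, means the profile does not attach to that firewall policy intent.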