
Security Configuration Statement Hierarchy

To configure security rules, actions, and zones, use the following statements at the [edit security] hierarchy level. Statements exclusively for J-series and SRX-series devices running JUNOS software are shown in bold font and are documented in this chapter.

Shared JUNOS statements in the security hierarchy are shown in normal font and are documented in the JUNOS System Basics Configuration Guide.

security {
alg {
dns {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
ftp {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
h323 {
application-screen {
message-flood {
gatekeeper threshold rate;
}
unknown-message {
permit-nat-applied;
permit-routed;
}
disable;
endpoint-registration-timeout seconds;
media-source-port-any;
traceoptions {
flag {
all <detail | extensive | terse>;
cc <detail | extensive | terse>;
h225-asn1 <detail | extensive | terse>;
h245 <detail | extensive | terse>;
h245-asn1 <detail | extensive | terse>;
q931 <detail | extensive | terse>;
ras <detail | extensive | terse>;
ras-asn1 <detail | extensive | terse>;
}
}
}
mgcp {
application-screen {
connection-flood threshold rate;
message-flood threshold rate;
unknown-message {
permit-nat-applied;
permit-routed;
}
}
disable;
inactive-media-timeout seconds;
maximum-call-duration minutes;
traceoptions {
flag {
all <extensive>;
call <extensive>;
cc <extensive>;
decode <extensive>;
error <extensive>;
nat <extensive>;
packet <extensive>;
rm <extensive>;
}
}
transaction-timeout seconds;
}
msrpc {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
pptp {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
real {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
rsh {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
rtsp {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
sccp {
application-screen {
call-flood threshold rate;
unknown-message {
permit-nat-applied;
permit-routed;
}
}
disable;
inactive-media-timeout seconds;
traceoptions {
flag {
all <extensive>;
call <extensive>;
cc <extensive>;
cli <extensive>;
decode <extensive>;
error <extensive>;
init <extensive>;
nat <extensive>;
rm <extensive>;
}
}
}
sip {
application-screen {
protect {
deny {
all | destination-ip address;
timeout seconds;
}
}
unknown-message {
permit-nat-applied;
permit-routed;
}
}
c-timeout minutes;
disable;
disable-call-id-hiding;
inactive-media-timeout seconds;
maximum-call-duration minutes;
retain-hold-resource;
t1-interval milliseconds;
t4-interval seconds;
traceoptions {
flag {
all <detail | extensive | terse>;
call <detail | extensive | terse>;
cc <detail | extensive | terse>;
nat <detail | extensive | terse>;
parser <detail | extensive | terse>;
rm <detail | extensive | terse>;
}
}
}
sql {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
sunrpc {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
talk {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
tftp {
disable;
traceoptions {
flag {
all <extensive>;
}
}
}
}
authentication-key-chains {
key-chain key-chain-name {
description text;
tolerance seconds;
}
}
firewall-authentication {
traceoptions {
flag {
all <detail | extensive | terse>;
authentication <detail | extensive | terse>;
proxy <detail | extensive | terse>;
}
}
}
flow {
aging {
early-ageout seconds;
high-watermark percent;
low-watermark percent;
}
allow-dns-reply;
route-change-timeout seconds;
syn-flood-protection-mode (syn-cookie | syn-proxy);
tcp-mss {
all-tcp {
mss value;
}
gre-in {
mss value;
}
gre-out {
mss value;
}
ipsec-vpn {
mss value;
}
}
tcp-session {
no-sequence-check;
no-syn-check;
no-syn-check-in-tunnel;
rst-invalidate-session;
rst-sequence-check;
tcp-initial-timeout seconds;
}
traceoptions {
file filename <files number > <match regular-expression>
<size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
}
}
forwarding-options {
family {
inet6 {
mode packet-based;
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}
idp {
active-policy policy-name;
custom-attack attack-name {
attack-type {
anomaly {
direction (any | client-to-server | server-to-client);
service service-name;
shellcode (all | intel | no-shellcode | sparc);
test test-condition;
}
chain {
expression boolean-expression;
member member-name {
attack-type {
(anomaly | signature);
}
}
order;
protocol-binding {
application application-name;
icmp;
ip {
protocol-number transport-layer-protocol-number;
}
rpc {
program-number rpc-program-number;
}
tcp {
minimum-port port-number maximum-port port-number;
}
udp {
minimum-port port-number maximum-port port-number;
}
}
reset;
scope (session | transaction);
}
signature {
context context-name;
direction (any | client-to-server | server-to-client);
negate;
pattern signature-pattern;
protocol {
icmp {
code {
match (equal | greater-than | less-than | not-equal);
value code-value;
}
data-length {
match (equal | greater-than | less-than | not-equal);
value data-length;
}
identification {
match (equal | greater-than | less-than | not-equal);
value identification-value;
}
sequence-number {
match (equal | greater-than | less-than | not-equal);
value sequence-number;
}
type {
match (equal | greater-than | less-than | not-equal);
value type-value;
}
}
ip {
destination {
match (equal | greater-than | less-than | not-equal);
value hostname;
}
identification {
match (equal | greater-than | less-than | not-equal);
value identification-value;
}
ip-flags {
(df | no-df);
(mf | no-mf);
(rb | no-rb);
}
protocol {
match (equal | greater-than | less-than | not-equal);
value transport-layer-protocol-id;
}
source {
match (equal | greater-than | less-than | not-equal);
value hostname;
}
tos {
match (equal | greater-than | less-than | not-equal);
value type-of-service-in-decimal;
}
total-length {
match (equal | greater-than | less-than | not-equal);
value total-length-of-ip-datagram;
}
ttl {
match (equal | greater-than | less-than | not-equal);
value time-to-live;
}
}
tcp {
ack-number {
match (equal | greater-than | less-than | not-equal);
value acknowledgement-number;
}
data-length {
match (equal | greater-than | less-than | not-equal);
value tcp-data-length;
}
destination-port {
match (equal | greater-than | less-than | not-equal);
value destination-port;
}
header-length {
match (equal | greater-than | less-than | not-equal);
value header-length;
}
mss {
match (equal | greater-than | less-than | not-equal);
value maximum-segment-size;
}
option {
match (equal | greater-than | less-than | not-equal);
value tcp-option;
}
sequence-number {
match (equal | greater-than | less-than | not-equal);
value sequence-number;
}
source-port {
match (equal | greater-than | less-than | not-equal);
value source-port;
}
tcp-flags {
(ack | no-ack);
(fin | no-fin);
(psh | no-psh);
(r1 | no-r1);
(r2 | no-r2);
(rst | no-rst);
(syn | no-syn);
(urg | no-urg);
}
urgent-pointer {
match (equal | greater-than | less-than | not-equal);
value urgent-pointer;
}
window-scale {
match (equal | greater-than | less-than | not-equal);
value window-scale-factor;
}
window-size {
match (equal | greater-than | less-than | not-equal);
value window-size;
}
}
udp {
data-length {
match (equal | greater-than | less-than | not-equal);
value data-length;
}
destination-port {
match (equal | greater-than | less-than | not-equal);
value destination-port;
}
source-port {
match (equal | greater-than | less-than | not-equal);
value source-port;
}
}
}
protocol-binding {
application application-name;
icmp;
ip {
protocol-number transport-layer-protocol-number;
}
rpc {
program-number rpc-program-number;
}
tcp {
minimum-port port-number maximum-port port-number;
}
udp {
minimum-port port-number maximum-port port-number;
}
}
regexp regular-expression;
shellcode (all | intel | no-shellcode | sparc);
}
}
recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
severity (critical | info | major | minor | warning);
time-binding {
count count-value;
scope (destination | peer | source);
}
}
custom-attack-group custom-attack-group-name {
group-members [attack-group-name | attack-name];
}
dynamic-attack-group dynamic-attack-group-name {
filters {
category {
values [list-of-values];
}
direction {
values [any | client-to-server | exclude-any | exclude-client-to-server | exclude-server-to-client | server-to-client];
}
false-positives {
values [frequently | occasionally | rarely | unknown];
}
performance {
values [fast | normal | slow | unknown];
}
products {
values [list-of-values];
}
recommended;
service {
values [list-of-values];
}
severity {
values [critical | info | major | minor | warning];
}
type {
values [anomaly | signature];
}
}
}
idp-policy policy-name {
rulebase-exempt {
rule rule-name {
description text;
match {
attacks {
custom-attacks [attack-name];
predefined-attack-groups [attack-name];
predefined-attacks [attack-name];
}
destination-address [address-name];
destination-except [address-name];
from-zone zone-name;
source-address [address-name];
source-except [address-name];
to-zone zone-name;
}
}
}
rulebase-ips {
rule rule-name {
description text;
match {
attacks {
custom-attacks [ attack-name ];
predefined-attack-groups [ attack-name ];
predefined-attacks [ attack-name ];
}
destination-address [ address-name ];
destination-except [ address-name ];
from-zone zone-name;
source-address [ address-name ];
source-except [ address-name ];
to-zone zone-name;
}
terminal;
then {
action {
(close-client | close-client-and-server | close-server |
drop-connection | drop-packet | ignore-connection |
mark-diffserv value | no-action | recommended);
}
ip-action {
(ip-block | ip-close | ip-notify);
log;
target (destination-address | service | source-address |
source-zone | zone-service);
timeout seconds;
}
notification {
log-attacks {
alert;
}
}
severity (critical | info | major | minor | warning);
}
}
}
}
security-package {
automatic {
enable;
interval hours;
start-time start-time;
}
url url-name;
}
sensor-configuration {
application-identification {
application-system-cache;
application-system-cache-timeout value;
disable;
max-packet-memory value;
max-sessions value;
max-tcp-session-packet-memory value;
max-udp-session-packet-memory value;
}
detector {
protocol-name protocol-name {
tunable-name tunable-name {
tunable-value protocol-value;
}
}
}
flow {
(allow-icmp-without-flow | no-allow-icmp-without-flow);
(log-errors | no-log-errors);
max-timers-poll-ticks value;
reject-timeout value;
(reset-on-policy | no-reset-on-policy);
}
global {
(enable-all-qmodules | no-enable-all-qmodules);
(enable-packet-pool | no-enable-packet-pool);
(policy-lookup-cache | no-policy-lookup-cache);
}
ips {
detect-shellcode;
ignore-regular-expression;
log-supercede-min minimum-value;
pre-filter-shellcode;
process-ignore-s2c;
process-override;
process-port port-number;
}
log {
cache-size size;
suppression {
disable;
include-destination-address;
max-logs-operate value;
max-time-report value;
start-log value;
}
}
re-assembler {
ignore-mem-overflow;
max-flow-mem value;
max-packet-mem value;
}
ssl-inspection {
sessions number;
}
}
traceoptions {
file filename {
<files number>;
<match regular-expression>;
<size maximum-file-size>;
<world-readable | no-world-readable>;
}
flag all;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
ike {
gateway gateway-name {
address [(ip-address | hostname)] |
dead-peer-detection {
always-send;
interval seconds;
threshold number;
}
dynamic {
connections-limit number;
distinguished-name {
container container-string;
wildcard wildcard-string;
}
hostname domain-name;
ike-user-type (group-ike-id | shared-ike-id);
inet ip-address;
user-at-hostname user-at-hostname;
}
external-interface external-interface-name;
ike-policy policy-name;
local-identity (distinguished-name string | hostname hostname
| inet ipv4-ip-address | user-at-hostname e-mail-address);
nat-keepalive seconds;
no-nat-traversal;
xauth {
access-profile profile-name;
}
}
policy policy-name {
certificate {
local-certificate certificate-id;
peer-certificate-type (pkcs7 | x509-signature);
trusted-ca (ca-index | use-all);
}
description description;
mode (aggressive | main);
pre-shared-key (ascii-text | hexadecimal);
proposal-set <basic | compatible | standard>;
}
proposal proposal-name {
authentication-algorithm (md5 | sha1 | sha-256);
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2 | group5);
encryption-algorithm (des-cbc | 3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc);
}
respond-bad-spi number;
traceoptions {
file filename {
<files number>;
<match regular-expression>;
<size maximum-file-size>;
}
flag {
all;
certificates;
database;
general;
ike;
parse;
policy-manager;
routing-socket;
timer;
snmp;
}
}
}
ipsec {
policy policy-name {
description description;
perfect-forward-secrecy keys (group1 | group2 | group5);
proposal-set (basic | compatible | standard);
}
proposal proposal-name {
description description;
encryption-algorithm (des-cbc | 3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc);
lifetime-kilobytes kilobytes;
lifetime-seconds seconds;
protocol (ah | esp);
}
traceoptions {
flag {
all;
next-hop-tunnel-binding;
packet-drops;
packet-processing;
security-associations;
}
}
vpn vpn-name {
bind-interface interface-name;
df-bit (clear | copy | set);
establish-tunnels (immediately | on-traffic);
ike {
gateway gateway-name;
idle-time seconds;
install-interval seconds;
ipsec-policy ipsec-policy-name;
no-anti-replay;
proxy-identity {
local ipv4-prefix;
remote ipv4-prefix;
service service-name;
}
}
manual {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
encryption {
algorithm (3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc | des-cbc);
key (ascii-text key | hexadecimal key);
}
external-interface external-interface-name;
gateway ip-address;
protocol (ah | esp);
spi spi value;
}
vpn-monitor {
destination-ip ip-address;
optimized;
source-interface interface-name;
}
}
vpn-monitor-options {
interval seconds;
threshold number;
}
}
nat {
destination {
pool pool-name {
address <ip-address> (to ip-address | port port-number);
routing-instance routing-instance-name;
}
rule-set rule-set-name {
from interface [interface-name] |
routing-instance [routing-instance-name] | zone [zone-name];
rule rule-name {
match {
destination-address destination-address;
destination-port port-number;
source-address [source-address];
}
then {
destination-nat (off | pool pool-name);
}
}
}
}
proxy-arp {
interface interface-name {
address ip-address to ip-address;
}
}
source {
address-persistent;
pool pool-name {
address ip-address to ip-address;
host-address-base ip-address;
overflow-pool (interface | pool-name);
port no-translation | range high ip-address low ip-address;
routing-instance routing-instance-name;
}
pool-utilization-alarm {
clear-threshold threshold-value;
raise-threshold threshold-value;
}
rule-set rule-set-name {
from interface [interface-name] |
routing-instance [routing-instance-name] | zone [zone-name];
rule rule-name {
match {
destination-address [destination-address];
source-address [source-address];
}
then {
source-nat (off | interface | pool pool-name);
}
}
to interface [interface-name] |
routing-instance [routing-instance-name] | zone [zone-name];
}
}
static {
rule-set rule-set-name {
from interface [interface-name] |
routing-instance [routing-instance-name] | zone [zone-name];
rule rule-name {
match {
destination-address [destination-address];
}
then {
static-nat prefix <addr-prefix>
<routing-instance routing-instance-name>;
}
}
}
}
traceoptions {
file filename {
<files number>;
<match regular-expression>;
<size maximum-file-size>;
<world-readable | no-world-readable>;
}
flag {
all;
destination-nat-pfe;
destination-nat-re;
destination-nat-rt;
source-nat-pfe;
source-nat-re;
source-nat-rt;
static-nat-pfe;
static-nat-re;
static-nat-rt;
}
no-remote-trace;
}
}
NOTE: The preceding NAT statements apply to J-series Services Routers only.
nat {
destination-nat destination-nat-name {
address prefix <port port-number>;
address-range high ip-address low ip-address;
}
interface interface-name {
allow-incoming;
proxy-arp {
address prefix;
address-range high ip-address low ip-address;
}
source-nat {
pool pool-name {
address prefix;
address-range high ip-address low ip-address;
allow-incoming;
host-address-low ip-address;
no-port-translation;
overflow-pool (interface | pool-name);
}
}
static-nat ip-prefix {
host ip-prefix;
virtual-router vr-name;
}
}
source-nat {
address-persistent;
pool-set pool-set-name {
pool pool-name;
}
pool-utilization-alarm {
clear-threshold clear-threshold;
raise-threshold raise-threshold;
}
}
traceoptions {
file filename {
<files number>;
<match regular-expression>;
<size maximum-file-size>;
<world-readable | no-world-readable>;
}
flag {
all;
configuration;
flow;
routing-protocol;
routing-socket;
}
}
}
NOTE: The preceding NAT statements apply to SRX-series Services Gateways only.
pki {
auto-re-enrollment {
certificate-id certificate-id-name {
ca-profile-name ca-profile-name;
challenge-password password;
re-enroll-trigger-time-percentage percentage;
re-generate-keypair;
}
}
ca-profile ca-profile-name {
administrator {
e-mail-address e-mail-address;
}
ca-identity ca-identity;
enrollment {
retry number;
retry-interval seconds;
url url-name;
}
revocation-check {
crl {
disable {
on-download-failure;
}
refresh-interval hours;
url url-name;
}
disable;
}
}
traceoptions {
file filename <files number> <match regular-expression>
<size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
}
}
policies {
default-policy {
(deny-all | permit-all);
}
from-zone zone-name to-zone zone-name {
policy policy-name {
match {
application [application-name-or-set];
destination-address {
address-name;
}
source-address {
address-name;
}
}
scheduler-name scheduler-name;
then {
count {
alarm {
per-minute-threshold number;
per-second-threshold number;
}
}
(deny | reject);
permit {
application-services (wx-redirect | wx-reverse-redirect);
destination-address {
drop-translated;
drop-untranslated;
}
destination-nat destination-name;
firewall-authentication {
pass-through {
access-profile profile-name;
client-match match-name;
web-redirect;
}
web-authentication {
client-match user-or-group;
}
}
source-nat (pool pool-name | pool-set pool-set-name | interface);
tunnel {
ipsec-vpn vpn-name;
pair-policy pair-policy;
}
}
log {
session-close;
session-init;
}
}
}
}
policy-rematch;
traceoptions {
file filename <files number> <match regular-expression>
<size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
}
}
screen {
ids-option screen-name {
alarm-without-drop;
icmp {
flood {
threshold number;
}
fragment;
ip-sweep {
threshold number;
}
large;
ping-death;
}
ip {
bad-option;
block-frag;
loose-source-route-option;
record-route-option;
security-option;
source-route-option;
spoofing;
stream-option;
strict-source-route-option;
tear-drop;
timestamp-option;
unknown-protocol;
}
limit-session {
destination-ip-based number;
source-ip-based number;
}
tcp {
fin-no-ack;
land;
port-scan {
threshold number;
}
syn-ack-ack-proxy {
threshold number;
}
syn-fin;
syn-flood {
alarm-threshold number;
attack-threshold number;
destination-threshold number;
source-threshold number;
timeout seconds;
}
syn-frag;
tcp-no-flag;
winnuke;
}
udp {
flood {
threshold number;
}
}
}
traceoptions {
file filename <files number> <match regular-expression>
<size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
}
}
ssh-known-hosts {
fetch-from-server fetch-from-server;
host hostname {
dsa-key base64-encoded-dsa-key;
rsa-key base64-encoded-rsa-key;
rsa1-key base64-encoded-rsa1-key;
}
load-key-file key-file;
}
traceoptions {
file filename {
<files number>;
<match regular-expression>;
<size maximum-file-size>;
<world-readable | no-world-readable>;
}
flag flag;
no-remote-trace;
rate-limit rate;
}
zones {
functional-zone {
management {
host-inbound-traffic {
protocols {
protocol-name;
protocol-name <except>;
}
system-services {
service-name;
service-name <except>;
}
}
interfaces interface-name {
host-inbound-traffic {
protocols {
protocol-name;
protocol-name <except>;
}
system-services {
service-name;
service-name <except>;
}
}
}
screen screen-name;
}
}
security-zone zone-name {
address-book {
address address-name (ip-prefix | dns-name dns-address-name);
address-set address-set-name {
address address-name;
}
}
host-inbound-traffic {
protocols {
protocol-name;
protocol-name <except>;
}
system-services {
service-name;
service-name <except>;
}
}
interfaces interface-name {
host-inbound-traffic {
protocols {
protocol-name;
protocol-name <except>;
}
system-services {
service-name;
service-name <except>;
}
}
}
screen screen-name;
tcp-rst;
}
}
}
}
}
