Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Application Security User Guide for Security Devices SSL Proxy

Application Security User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Application Security User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configuring SSL Proxy

date_range 28-May-24
arrow_backward
arrow_forward

SRX Series Firewall support SSL forward proxy and SSL reverse proxy.

Configuring SSL Forward Proxy

SSL Proxy Configuration Overview

Configuring SSL proxy includes:

  • Configuring the root CA certificate

  • Loading a CA profile group

  • Configure SSL proxy profile and associate root CA certificate and CA profile group

  • Create a security policy by defining input traffic match criteria

  • Applying an SSL proxy profile to a security policy

  • Optional steps such as creating allowlists and SSL proxy logging

Configuring a Root CA Certificate

A CA can issue multiple certificates in the form of a tree structure. A root certificate is the topmost certificate of the tree, the private key of which is used to sign other certificates. All certificates immediately below the root certificate inherit the signature or trustworthiness of the root certificate. This is somewhat like the notarizing of an identity.

You can configure a root CA certificate by first obtaining a root CA certificate (by either generating a self-signed one or importing one) and then applying it to an SSL proxy profile. You can obtain a root CA certificate by using the Junos OS CLI

Generate a Root CA Certificate with CLI

To define a self-signed certificate in CLI, you must provide the following details:

  • Certificate identifier (generated in the previous step)

  • Fully qualified domain name (FQDN) for the certificate

  • e-mail address of the entity owning the certificate

  • Common name and the organization involved

Generate a root CA certificate using the Junos OS CLI:

  1. From operational mode, generate a PKI public/private key pair for a local digital certificate.
    content_copy zoom_out_map
    user@host>request security pki generate-key-pair certificate-id certificate-id size size type type

    Here, you can select the one of the following combinations:

    • 1024 bits (RSA/DSA only)

    • 2048 bits (RSA/DSA only)

    • 256 bits (ECDSA only)

    • 384 bits (ECDSA only)

    • 4096 bits (RSA/DSA only)

    • 521 bits (ECDSA only)

    Example:

    content_copy zoom_out_map
    user@host>request security pki generate-key-pair certificate-id SECURITY-cert size 2048 type rsa
    Or
    content_copy zoom_out_map
    user@host>request security pki generate-key-pair certificate-id SECURITY-cert size 521 type ecdsa
  2. Define a self-signed certificate.
    content_copy zoom_out_map
    user@host> request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id add-ca-constraint

    Example:

    content_copy zoom_out_map
    user@host> request security pki local-certificate generate-self-signed certificate-id SECURITY-cert domain-name labs.abc.net subject DC=mydomain.net,L=Sunnyvale,O=Mydomain,OU=LAB,CN=SECURITY email lab@labs.abc.net add-ca-constraint

    By configuring the add-ca-constraint option, you make sure that the certificate can be used for signing other certificates.

  3. From configuration mode, apply the loaded certificate as root-ca in the SSL proxy profile.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile profile-name root-ca certificate-id

    Example:

    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile SECURITY-SSL-PROXY root-ca SECURITY-cert
  4. Import the root CA as a trusted CA into client browsers. This is required for the client browsers to trust the certificates signed by the SRX Series Firewall. See Importing a Root CA Certificate into a Browser.

Configuring a CA Profile Group

The CA profile defines the certificate information for authentication. It includes the public key that SSL proxy uses when generating a new certificate. Junos OS allows you to create a group of CA profiles and load multiple certificates in one action, view information about all certificates in a group, and delete unwanted CA groups.

You can load a group of CA profiles by obtaining a list of trusted CA certificates, defining a CA group, and attaching the CA group to the SSL proxy profile.

  1. Obtain a list of trusted CA certificates by using one of the following methods. When a connection is initiated, the connecting device (such as a Web browser) checks whether the certificate is issued by a trusted CA. Without these certificates, browsers cannot validate the identity of most websites and mark them as untrusted sites.

    • Junos OS provides a default list of trusted CA certificates that you can load on your system. The Junos OS package contains the default CA certificates as a PEM file (for example, trusted_CA.pem). After you download the Junos OS package, the default certificates are available on your system.

      From operational mode, load the default trusted CA certificates (the group name identifies the CA profile group):

      content_copy zoom_out_map
      user@host> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename default

      Example:

      content_copy zoom_out_map
      user@host> request security pki ca-certificate ca-profile-group load ca-group-name SECURITY-CA-GROUP filename default

      The SRX Series Firewall support dynamic update of default trusted CA certificates. The latest default trusted CA certificates are stored and periodically updated on Juniper CDN server (http://signatures.juniper.net/cacert). Automatic download of trusted CA bundle is enabled by default in Junos OS device. This eliminates the need for managing these certificates manually in the event of compromise. To use this feature, see Dynamic Updated of Trusted CA Certificates.

      We recommend using this method.

    • Alternatively, you can define your own list of trusted CA certificates and import them on your system. You get the list of trusted CAs in a single PEM file (for example IE-all.pem) and save the PEM file in a specific location (for example, /var/tmp).

      From operational mode, load the trusted list to the device (the group name identifies the CA profile group):

      content_copy zoom_out_map
      user@host> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename /var/tmp/IE-all.pem

      Example:

      content_copy zoom_out_map
      user@host> request security pki ca-certificate ca-profile-group load ca-group-name SECURITY-CA-GROUP filename /var/tmp/custom-file.pem

    • Download the latest CA bundle list from another 3rd party such as Mozilla (https://curl.haxx.se/docs/caextract.html). The list of trusted Certificate Authority can change over time, ensure that you use the latest CA bundle.

    • Import your own trusted CA certificates using the Public Key Infrastructure (PKI). The PKI helps verify and authenticate the validity of the trusted CA certificates. You create CA profile groups that include trusted CA certificates, then import the group on your device for server authentication.

  2. Attach the trusted CA or trusted CA group to the SSL proxy profile. You can attach all trusted CA or one trusted CA at a time:

    • Attach all CA profile groups:

      content_copy zoom_out_map
      [edit]
user@host# set services ssl proxy profile profile-name trusted-ca all

      Example

      content_copy zoom_out_map
      [edit]
user@host# set services ssl proxy profile SECURITY-SSL-PROXY trusted-ca all

    • Attach one CA profile group (the group name identifies the CA profile group).

      content_copy zoom_out_map
      [edit]
user@host# set services ssl proxy profile profile-name trusted-ca ca-name

      Example

      content_copy zoom_out_map
      [edit]
user@host# set services ssl proxy profile SECURITY-SSL-PROXY trusted-ca orgA-ca-profile

You can easily display information about all certificates in a CA profile group:

content_copy zoom_out_map
user@host> show security pki ca-certificate ca-profile-group group-name

You can delete a CA profile group. Remember that deleting a CA profile group deletes all certificates that belong to that group:

content_copy zoom_out_map
user@host> clear security pki ca-certificate ca-profile-group group-name

Importing a Root CA Certificate into a Browser

In order to have your browser or system automatically trust all certificates signed by the root CA configured in the SSL proxy profile, you must instruct your platform or browser to trust the CA root certificate.

To import a root CA certificate:

  1. Generate a PEM format file for the configured root CA.
    content_copy zoom_out_map
    request security pki local-certificate export certificate-id root-ca type pem filename path/file-name.pem
  2. Import a root CA certificate into a browser.

    From Internet Explorer (version 8.0):

    1. From the Tools menu, select Internet Options.
    2. On the Content tab, click Certificates.
    3. Select the Trusted Root Certification Authorities tab and click Import.
    4. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

    From Firefox (version 39.0):

    1. From the Tools menu, select Options.
    2. From the Advanced menu, select the Certificates tab and click View Certificate.
    3. In the Certificate Manager window, select the Authorities tab and click Import.
    4. Navigate to the required root CA certificate and select it.

    From Google Chrome (45.0):

    1. From the Settings menu, select Show Advanced Settings.
    2. From the Advanced menu, select the Certificates tab and click View Certificate.
    3. Under HTTPS/SSL, click Manage Certificates.
    4. In the Certificate window, select Trusted Root Certification Authorities and click Import.
    5. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

Applying an SSL Proxy Profile to a Security Policy

SSL proxy is enabled as an application service within a security policy. In a security policy, you specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy CA profile to be applied to the traffic.

To enable SSL proxy in a security policy:

This example assumes that you have already creates security zones trust and untrust and creating a security policy for the traffic from trust zone to untrust zone.

  1. Create a security policy and specify the match criteria for the policy. As match criteria, specify the traffic for which you want to enable SSL proxy.
    content_copy zoom_out_map
    [edit]
user@host# set security policies from-zone trust to-zone untrust policy policy-name match source-address source-address
user@host# set security policies from-zone trust to-zone untrust policy policy-name match destination-address destination-address
user@host# set security policies from-zone trust to-zone untrust policy policy-name match application application

    Example:

    content_copy zoom_out_map
    [edit]
user@host# set security policies from-zone trust to-zone untrust policy SECURITY_POLICY match source-address any
user@host# set security policies from-zone trust to-zone untrust policy SECURITY_POLICY match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy SECURITY_POLICY match application any
  2. Apply the SSL proxy profile to the security policy.
    content_copy zoom_out_map
    [edit]
user@host# set security policies from-zone trust to-zone untrust policy SECURITY_POLICY then permit application-services ssl-proxy profile-name SECURITY-SSL-PROXY

Configuring SSL Proxy Logging

When configuring SSL proxy, you can choose to set the option to receive some or all of the logs. SSL proxy logs contain the logical system name, SSL proxy allowlists, policy information, SSL proxy information, and other information that helps you troubleshoot when there is an error.

You can configure logging of all or specific events, such as error, warning, and information events. You can also configure logging of sessions that are allowlisted, dropped, ignored, or allowed after an error occurs.

content_copy zoom_out_map
[edit]
user@host# set services ssl proxy profile profile-name actions log all
user@host# set services ssl proxy profile profile-name actions log sessions-whitelisted
user@host# set services ssl proxy profile profile-name actions log sessions-allowed
user@host# set services ssl proxy profile profile-name actions log errors

You can use enable-flow-tracing option to enable debug tracing.

Configuring Certificate Authority Profiles

A certificate authority (CA) profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one then create a new CA profile (for example, Microsoft-2008). You can group multiple CA profiles in one trusted CA group for a given topology.

In this example, you create a CA profile called ca-profile-security with CA identity microsoft-2008. You then create proxy profile to the CA profile.

  1. From configuration mode, configure the CA profile used for loading the certificate.
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile profile-name ca-identity ca-identity

    Example:

    content_copy zoom_out_map
    user@host# set security pki ca-profile ca-profile-security ca-identity example.com
  2. Commit the configuration.
    content_copy zoom_out_map
    [edit]
user@host# commit
  3. From operational mode, load the certificate using PKI commands.
    content_copy zoom_out_map
    user@host> request security pki ca-certificate load ca-profile profile-name filename filename

    Example:

    content_copy zoom_out_map
    user@host> request security pki ca-certificate load ca-profile ca-profile-security filename srx-123.crt
  4. From configuration mode, disable the revocation check (if required).
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile profile-name ca-identity ca-identity revocation-check disable

    Example:

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-security ca-identity example.com revocation-check disable
  5. From configuration mode, configure the loaded certificate as a trusted CA in the SSL proxy profile.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile ssl-proxy-profile-name trusted-ca ca-profile-name

    Example:

    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile ssl-proxy-sample trusted-ca ca-profile-security
    Note:

    More than one trusted CA can be configured for a profile.

  6. (Optional) If you have multiple trusted CA certificates, you do not have to specify each trusted CA separately. You can load all the trusted CA certificates using the following command from configuration mode.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile ssl-proxy-profile-name root-ca ssl-inspect-ca
user@host# set services ssl proxy profile ssl-proxy-profile-name trusted-ca all
    Note:

    Alternatively, you can import a set of trusted CAs from your browser into the SRX Series Firewall.

Exporting Certificates to a Specified Location

When a self-signed certificate is generated using a PKI command, the newly generated certificate is stored in a predefined location (var/db/certs/common/local).

Use the following command to export the certificate to a specific location (within the device). You can specify the certificate ID, the filename, and the type of file format (DER/PEM):

content_copy zoom_out_map
user@host> request security pki local-certificate export certificate-id certificate-id filename filename  type der

Ignoring Server Authentication

Junos OS allows you to configure an option to ignore server authentication completely. If you configure your system to ignore authentication, then any errors encountered during server certificate verification at the time of the SSL handshake are ignored. Commonly ignored errors include the inability to verify CA signature, incorrect certificate expiration dates, and so forth. If this option is not set, all the sessions where the server sends self-signed certificates are dropped when errors are encountered.

We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause of dropped SSL sessions.

From configuration mode, specify to ignore server authentication:

content_copy zoom_out_map
[edit]
user@host# set services ssl proxy profile profile-name actions ignore-server-auth-failure

SSL Reverse Proxy

Overview

The proxy model implementation for server protection (often called reverse proxy) is supported on SRX Series Firewalls to provide improved handshaking and support for more protocol versions. You can enable Layer 7 services (application security, IPS, Content Security, ATP Cloud) on the traffic decrypted by SSL reverse proxy.

Starting in Junos OS Release 15.1X49-D80 and 17.3R1, SSL reverse proxy is supported on SRX5000 line, SRX4100, SRX4200, SRX1500 devices.

Starting in Junos OS Release 15.1X49-D80 and 17.3R1, we recommend using the SSL reverse proxy and Intrusion Detection and Prevention (IDP) instead of using the IDP SSL inspection functionality.

Starting from Junos OS 15.1X49-D80 and 17.3R1, IDP SSL Inspection is deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

The following table provides the changes applicable on SRX Series Firewalls post 15.1X48-D80 and 17.3R1 releases.

Table 1: Comparing Reverse Proxy Before and After Junos OS Release 15.1X49-D80

Feature

Prior to 15.1X49-D80

15.1X49-D80 and 17.3R1 later

Proxy model

Runs only in tap mode Instead of participating in SSL handshake, it listens to the SSL handshake, computes session keys and then decrypts the SSL traffic.

Terminates client SSL on the SRX Series Firewall and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client.

Protocol version

Does not support TLS Version 1.1 and 1.2.

Supports all current protocol versions.

Key exchange methods

  • Supports RSA

  • Does not support DHE.

  • Supports RSA

  • Support DHE or ECDHE

Echo system

Tightly coupled with IDP engine and its detector.

Uses existing SSL forward proxy with TCP proxy underneath.

Security services

Decrypted SSL traffic can be inspected only by IDP.

Just like forward proxy, decrypted SSL traffic is available for all security services.

Ciphers supported

Limited set of ciphers are supported.

All commonly used ciphers are supported.

You must configure either root-ca or server-certificate in an SSL proxy profile. Otherwise the commit check fails. See the following table for supported configurations details.

Table 2: Supported SSL Proxy Configurations

server-certificate configured

root-ca configured

Profile type

No

No

Commit check fails. You must configure either server-certificate or root-ca.

Yes

Yes

Commit check fails. Configuring both server-certificate and root-ca in the same profile is not supported.

No

Yes

Forward proxy

Yes

No

Reverse proxy

Configuring multiple instances of forward and reverse proxy profiles are supported. But for a given firewall policy, only one profile (either a forward or reverse proxy profile) can be configured. Configuring both forward and reverse proxy on the same device is also supported.

You cannot configure the previous reverse proxy implementation with the new reverse proxy implementation for a given firewall policy. If both are configured, you will receive a commit check failure message.

The following are the minimum steps to configure reverse proxy:

  1. Load the server certificates and their keys into the SRX Series Firewall certificate repository using the CLI command request security pki local-certificate load filename filename key key certificate-id certificate-id passphrase exmample@1234. For example:
    content_copy zoom_out_map
    user@host> request security pki local-certificate load filename /cf0/cert1.pem key /cf0/key1.pem certificate-id server1_cert_id passphrase example@1234
  2. Attach the server certificate identifier to the SSL Proxy profile using the CLI command set services ssl proxy profile profile server-certificate certificate-id passphrase exmample@1234. For example

    user@host# set services ssl proxy profile server-protection-profile server-certificate server2_cert_id

  3. Use the show services ssl CLI command to verify your configuration. For example:
    content_copy zoom_out_map
    user@host# show services ssl
profile server-protection-profile {			
     server-certificate [server1_cert_id , server2_cert_id];
     actions {
           logs {
              all; 
              }
            }     
     }

The SSL forward proxy and reverse proxy require a profile to be configured at the firewall rule level. In addition, you must also configure server certificates with private keys for reverse proxy. During an SSL handshake, the SSL proxy performs a lookup for a matching server private key in its server private key hash table database. If the lookup is successful, the handshake continues. Otherwise, SSL proxy terminates the hand shake. Reverse proxy does not prohibit server certificates. It forwards the actual server certificate/chain as is to the client without modifying it. Intercepting the server certificate occurs only with forward proxy.

Configuring the SSL Reverse Proxy

This example shows how to configure reverse proxy to enable server protection. For server protection, additionally, server certificate(s) with private key(s) must be configured.

A reverse proxy protects servers by hiding the details of the servers from the clients, there by adding an extra layer of security.

To configure an SSL reverse proxy, you must:

  • Load the server certificate(s) and their key(s) into SRX Series Firewall’s certificate repository.

  • Attach the server certificate identifier(s) to the SSL proxy profile.

  • Apply SSL proxy profile as application services in a security policy.

To configure SSL reverse proxy:

  1. Load the signing certificate and the respective key for the SSL proxy profile in PKI memory.
    content_copy zoom_out_map
    user@host>  request security pki local-certificate load filename /cf0/cert1.pem   key /cf0/key1.pem certificate-id server1_cert_id
  2. Attach the server certificate to the SSL proxy profile.
    content_copy zoom_out_map
    user@host# set services ssl proxy profile server-protection-profile server-certificate server1_cert_id
  3. Create a security policy and specify the match criteria for the policy. As match criteria, specify the traffic for which you want to enable SSL proxy.
    content_copy zoom_out_map
    user@host# set security policies from-zone untrust to-zone trust policy 1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match application any
  4. Apply the SSL proxy profile to the security policy. This example assumes that security zones are created as per requirements.
    content_copy zoom_out_map
    user@host# set security policies from-zone untrust to-zone trust policy 1 then permit application-services ssl-proxy server-protection-profile

Verifying the SSL Reverse Proxy Configuration on the Device

Purpose

Viewing the SSL reverse proxy statistics on the SRX Series Firewall.

Action

You can view the SSL proxy statistics by using the show services ssl proxy statistics command.

content_copy zoom_out_map
root@host> show services ssl proxy statistics
		PIC:spu-1 fpc[0] pic[1] ------
		        sessions matched                          0
		        sessions whitelisted                      0
		        sessions bypassed:non-ssl                 0
		        sessions bypassed:mem overflow            0
		        sessions bypassed:low memory              0
		        sessions created                          0
		        sessions ignored                          0
		        sessions active                           0
		        sessions dropped                          0

Configure SSL Proxy with Content Security

SRX Series Firewalls supports client protection (forward proxy) and server protection (reverse proxy). You can configure SSL proxy profile for forward proxy and reverse proxy with Content Security enabled.

Configure SSL Forward Proxy with Content Security

In this procedure, you configure an SSL forward proxy profile with Content Security. When you configure Content Security, the SSL proxy acts as an SSL server by terminating the SSL session from the client and establishing a new SSL session to the server. The SRX Series Firewall decrypts and then reencrypts all SSL proxy traffic. Content Security can use the decrypted content from SSL proxy.

Generate local certificate as root-ca.

  1. From operational mode, generate a key pair for a local digital certificate.
    content_copy zoom_out_map
    user@host> request security pki generate-key-pair certificate-id certificate-id size size type type
  2. Generate local certificate using the key pair generated above.
    content_copy zoom_out_map
    user@host> request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id
  3. From configuration mode, apply the loaded certificate as root-ca in the SSL proxy profile.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile profile-name root-ca value 
user@host# set services ssl proxy profile profile-name actions ignore-server-auth-failure
  4. Attach SSL profile and Content Security policy to security policy.
    content_copy zoom_out_map
    [edit security policies from-zone trust to-zone untrust]
user@host# set policy policy-name match source-address any
user@host# set policy policy-name match destination-address any
user@host# set policy policy-name match application any
user@host# set policy policy-name then permit application-services ssl-proxy profile-name profile-name
user@host# set policy policy-name then application-services utm-policy utm-policy

Configure SSL Reverse Proxy with Content Security

In this procedure, you configure an SSL reverse proxy profile with Content Security.

  1. Load the server certificates and their keys into the SRX Series Firewall certificate repository.
    content_copy zoom_out_map
    user@host> request security pki local-certificate load filename /var/tmp/certs/server-cert.pem key /var/tmp/certs/server-key.pem certificate-id certificate-id
  2. From configuration mode, attach the server certificate identifier to the SSL Proxy profile.
    content_copy zoom_out_map
    user@host# set services ssl proxy profile profile-name server-certificate server-cert-id
  3. Attach SSL profile and Content Security policy to security policy for the traffic from an untrust zone to the trust zone.
    content_copy zoom_out_map
    [edit security policies from-zone untrust to-zone trust]
user@host# set policy policy-name match source-address any
user@host# set policy policy-name match destination-address server-ip-address
user@host# set policy policy-name match application any
user@host# set policy policy-name then permit application-services ssl-proxy profile-name profile-name
user@host# set policy policy-name then application-services utm-policy utm-policy

See Also

Creating an Allowlist of Exempted Destinations for SSL Proxy

SSL encryption and decryption might consume memory resources on the SRX Series Firewalls. To limit this, you can selectively bypass SSL proxy processing for some sessions such as sessions that transacts with familiar trusted servers or domains. You can also exempt the sessions with financial and banking sites due to legal requirements.

To exempt the sessions from SSL proxy, you can create an allowlist by adding IP addresses or domain names of the servers. Allowlists include addresses that you want to exempt from undergoing SSL proxy processing.

Use the following steps to create allowlist:

  • Specify IP addresses and domain name in your global address book.

  • Refer the global address book in SSL proxy profile.

You can configure the following types of the IP addresses in global address book.

  • IPv4 addresses (plain text). For example:

    content_copy zoom_out_map
    set security address-book global address address-4 192.0.2.117

  • IPv4 address range. For example:

    content_copy zoom_out_map
    set security address-book global address address-2 range-address 192.0.2.117 to 192.0.2.199

  • IPv4 wildcard. For example:

    content_copy zoom_out_map
    set security address-book global address address-3 wildcard-address 203.0.113.0/24

  • DNS name. For example:

    content_copy zoom_out_map
    set security address-book global address address-1 dns-name www.abc.com

  • IPv6 address. For example:

    content_copy zoom_out_map
    set security address-book global address address-5 FE80::/10

Allowlists do not support the following types of IP addresses:

  • Translated IP addresses. Sessions are allowlisted based on the actual IP address and not on the translated IP address. Because of this, in the allowlist configuration of the SSL proxy profile, the actual IP address should be provided and not the translated IP address.

  • Noncontiguous netmasks. For example:

    • IP address -203.0.113.0 and mask 255.255.255.0 that is 203.0.113.0/24 is supported.

    • IP address - 203.0.113.9 and mask 255.0.255.0 is not supported.

Following example shows you how to use allowlists in SSL proxy profile.

In this example, you exempt all sessions to www.mycompany.com. For this, you first specify the domain in the address book and then configure the address in the SSL proxy profile.

  1. Configure the domain in the address book.
    content_copy zoom_out_map
    [edit]
user@host# set security address-book global address address-1 dns-name www.mycompany.com
  2. Specify the global address book address in the SSL proxy profile.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile profile-1 whitelist address-1

Creating an Allowlist of Exempted URL Categories for SSL Proxy

You can configure the URL categories supported in Content Security module to exempt from SSL inspection on SRX Series Firewall. To use URL categories from Content Security, SRX Series Firewall integrates the SSL proxy profile with the EWF feature. With this now, you can configure a list of URL categories under an SSL proxy profile as allowlist along with address-books. You can configure the list from the predefined set of URL categories or custom URL categories supported by Content Security.

The security device uses the Server Name Indication (SNI) field extracted by the Content Security module to determine the URL category. The SSL proxy uses this information to determines whether to accept, and proxy, or to ignore the session.

This feature is supported on all SRX Series Firewalls and vSRX Virtual Firewalls

Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, SSL proxy allowlisting feature includes URL categories supported by Content Security.

Starting with Junos OS Release 17.4R1, SSL proxy allowlisting feature extends support to custom URL categories supported by Content Security.

Following examples show how to configure the URL categories in SSL proxy profile:

Creating an Allowlist of Exempted URL Categories

Use the following steps to configure the predefined URL categories in an SSL proxy profile.

  1. The predefined URL categories depends on Content Security. To enable URL-based allowlisting in SSL proxy, the following basic URL configurations are required:
    content_copy zoom_out_map
    [edit]
user@host# set security utm utm-policy UTM-POLICY-1 web-filtering http-profile junos-wf-enhanced-default
  2. Specify the predefined URL category in SSL proxy profile. In this example, you are using the URL category Enhanced_Financial_Data_and_Services.
    content_copy zoom_out_map
    [edit]
user@host# set services ssl proxy profile pr1 whitelist-url-categories Enhanced_Financial_Data_and_Services
  3. Create the security policy by specifying the match conditions and attach the Content Security policy to the security policy to use URL categories in SSL allowlist.
    content_copy zoom_out_map
    user@host# set security policies from-zone trust to-zone untrust policy p1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy p1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy p1 match application any
user@host# set security policies from-zone trust to-zone untrust policy p1 permit application-services utm-policy UTM-POLICY-1
user@host# set security policies from-zone trust to-zone untrust policy p1 permit application-services ssl-proxy profile-name pr1

Creating an Allowlist of Exempted Custom URL Categories

Use the following steps to configure custom URL categories in an SSL proxy profile.

  1. Create a custom URL category.
    content_copy zoom_out_map
    [edit]
user@host# set security utm custom-objects url-pattern URL-1 value www.example.com 
user@host# set security utm custom-objects custom-url-category CATEGORY-1 value URL-1
user@host# set security utm feature-profile web-filtering juniper-local profile PROFILE-1 category CATEGORY-1 action permit
  2. Configure a Content Security policy for the Web-filtering HTTP protocol and associate the profile you created in previous step to the Content Security policy.
    content_copy zoom_out_map
    [edit]
user@host# set security utm utm-policy UTM-POLICY-1 web-filtering http-profile PROFILE-1
  3. Specify the custom URL category you created in previous step in SSL proxy profile.
    content_copy zoom_out_map
    user@host# set services ssl proxy profile pr1 whitelist-url-categories CATEGORY-1
  4. Create a security policy by specifying the match conditions and attach the Content Security policy to the security policy to use URL categories in SSL allowlist.
    content_copy zoom_out_map
    [edit]
user@host# set security policies from-zone trust to-zone untrust policy p1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy p1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy p1 match application any
user@host# set security policies from-zone trust to-zone untrust policy p1 permit application-services utm-policy UTM-POLICY-1
user@host# set security policies from-zone trust to-zone untrust policy p1 permit application-services ssl-proxy profile-name pr1

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.4R1
Starting with Junos OS Release 17.4R1, SSL proxy allowlisting feature extends support to custom URL categories supported by Content Security.
15.1X49-D80
Starting in Junos OS Release 15.1X49-D80 and 17.3R1, SSL reverse proxy is supported on SRX5000 line, SRX4100, SRX4200, SRX1500 devices
15.1X49-D80
Starting in Junos OS Release 15.1X49-D80 and 17.3R1, we recommend using the SSL reverse proxy and Intrusion Detection and Prevention (IDP) instead of using the IDP SSL inspection functionality.
15.1X49-D80
Starting from Junos OS 15.1X49-D80 and 17.3R1, IDP SSL Inspection is deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.
15.1X49-D80
Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, SSL proxy allowlisting feature includes URL categories supported by Content Security.
arrow_backward PREVIOUS Cipher Suites for SSL Proxy
NEXT arrow_forward Unified Policies for SSL Proxy
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top