application-firewall
Syntax
application-firewall {
    profile profile-name {
        block-message type {
            custom-text content custom-html-text;
            custom-redirect-url content custom-redirect-url;
        }
    }
    rule-sets rule-set-name {
        default-rule {
            (deny [block-message] | permit | reject [block-message]);
        }
        profile profile-name;
        rule rule-name {
            match {
                dynamic-application [system-application];
                dynamic-application-groups [system-application-group];
                ssl-encryption (any | yes | no);
            }
            then {
                (deny [block-message] | permit | reject [block-message]);
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (world-readable | no-world-readable);
            size maximum-file-size;
        }
        flag flag;
        no-remote-trace;
    }
}
Hierarchy Level
[edit security]
Description
Specify the profile options, rule set and rule specifications, and trace options to be used for application firewall implementations.
You can configure the application firewall by defining a collection of rule sets. These rule sets can be defined independently and shared across network security policies. A rule set defines the rules that match the application ID detected, based on the application signature.
The application firewall support in the security policies provides additional security control for dynamic applications.
Starting in Junos OS Release 18.2R1, the application firewall (AppFW) functionality is deprecated. As a part of this change, the [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated, rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration.
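A rule set of the kind described above, written as configuration-mode set commands. This is an added example, not part of the original page: the names block-page, social-rs and allow-web, the zone names, and the two application signature names are assumptions (signature names depend on the installed application signature package), and it applies only to releases that still accept this deprecated hierarchy.

```junos
# Added example; block-page, social-rs, allow-web, trust and untrust are hypothetical names.

# Profile that holds the text shown to the user when a rule specifies block-message.
set security application-firewall profile block-page block-message type custom-text content "Application blocked by security policy"

# Rule r1: reject one dynamic application (signature name assumed to be installed)
# and return the block message from the profile.
set security application-firewall rule-sets social-rs rule r1 match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets social-rs rule r1 then reject block-message

# Rule r2: silently deny an application group (group name assumed to be installed),
# but only for sessions that are not SSL-encrypted.
set security application-firewall rule-sets social-rs rule r2 match dynamic-application-groups junos:web:social-networking
set security application-firewall rule-sets social-rs rule r2 match ssl-encryption no
set security application-firewall rule-sets social-rs rule r2 then deny

# Traffic that matches no rule falls through to the default rule.
set security application-firewall rule-sets social-rs default-rule permit

# Bind the block-message profile to the rule set.
set security application-firewall rule-sets social-rs profile block-page

# Reference the rule set from a security policy; the same rule set can be
# referenced from other policies as well.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any destination-address any application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services application-firewall rule-set social-rs
```

Because the default rule is permit, this rule set acts as a deny list: anything the application identification engine does not match to r1 or r2 is allowed by the policy.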
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1. Updated with the ssl-encryption and reject options in Junos OS Release 12.1X44-D10. Updated with the block-message option in Junos OS Release 12.1X45-D10.
The tenant option is introduced for Junos OS Release 18.4R1.