default-rule
Syntax
default-rule { (deny [block-message] | permit | reject [block-message]); }
Hierarchy Level
[edit security application-firewall rule-sets rule-set-name]
Description
Configure the default rule that defines the actions to be performed on a packet that does not match any defined rule.
An application firewall permits, rejects, or denies traffic based on the application of the traffic. The firewall consists of one or more rule sets with rules that specify match criteria, including dynamic applications, and the action to be taken for matching traffic. The application firewall rule set must contain a single default rule. The default rule defines the action to be taken for any traffic that does not match one of the rules.
Starting in Junos OS Release 18.2R1, application firewall (AppFW) functionality is deprecated. As a part of this change, the [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated, rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.
Options
deny—Block the traffic at the firewall. The device drops the packet. No message is returned to the sender.
block-message—(Optional) In application firewall rules, provide information to the user regarding blocked traffic. Depending on the content of the profile configured for this rule set, including the block-message option displays a default or customized message, or redirects the user, for denied HTTP or HTTPS traffic. All other traffic is dropped silently.
permit—Permit traffic at the firewall.
reject—Block the traffic at the firewall. For TCP traffic, by default the device drops the packet and returns a TCP reset (RST) message to the source host and, in some cases, to the server. For UDP and other protocol traffic, by default the device drops the packet and returns an ICMP "destination unreachable, port unreachable" message to both the client and the server.
block-message—(Optional) In application firewall rules, provide information to the user regarding blocked traffic. Depending on the content of the profile configured for this rule set, including the block-message option displays a default or customized message, or redirects the user, for rejected HTTP or HTTPS traffic. All other traffic is dropped as specified in the default action for the reject option.
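The following configuration is an added example, not taken from the Junos documentation, showing a rule set built as an allowlist whose default-rule rejects everything else and returns a block message; the profile name, rule-set name, rule name and the custom text are assumptions, and the dynamic application names are standard Junos identifiers.

```junos
security {
    application-firewall {
        /* Profile referenced by the rule set: decides what a blocked HTTP/HTTPS
           user sees when block-message is set (profile name is assumed). */
        profile aw-profile {
            block-message {
                type custom-text {
                    content "This application is not permitted by policy.";
                }
            }
        }
        rule-sets rs-allowlist {
            profile aw-profile;
            /* Explicitly permit only the dynamic applications that are needed. */
            rule allow-web {
                match {
                    dynamic-application [ junos:HTTP junos:SSL ];
                }
                then {
                    permit;
                }
            }
            /* Exactly one default-rule is required; any traffic that matches no
               rule lands here. reject drops the packet and sends TCP RST or ICMP
               port unreachable; block-message shows the profile text to HTTP/HTTPS
               users. A default-rule of "permit" would turn this allowlist into a
               blocklist and is the weaker setting. */
            default-rule {
                reject block-message;
            }
        }
    }
}
```

The rule set only takes effect once a security policy references it, for example `set security policies from-zone trust to-zone untrust policy allow-out then permit application-services application-firewall rule-set rs-allowlist` (zone and policy names assumed).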
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1. Statement updated in Junos OS Release 12.1X44-D10 with the reject option. The block-message option added in Junos OS Release 12.1X45-D10.