rule (Application Firewall)

Syntax

Hierarchy Level

Description

Specify rules for application firewall.

An application firewall rule set is an ordered list of rules, each of which permits, rejects, or denies traffic that has been identified as a particular dynamic application (or member of a dynamic application group). The rule set is referenced from a security policy, so it adds application-level control on top of the traffic that the policy already permits.

Starting in Junos OS Release 18.2R1, application firewall (AppFW) functionality is deprecated. The [edit security application-firewall] hierarchy and all configuration options under it are deprecated rather than removed immediately, to preserve backward compatibility and give you time to migrate. In 18.2R1 and later the same control is expressed directly in the security policy (unified policies), where dynamic-application is a match criterion under [edit security policies].

Options

match

Specify the match criteria for the security rule. A rule matches when all of its configured criteria are met.

dynamic-application

Select dynamic applications as match criteria.

dynamic-application-group

Select dynamic applications group as match criteria.

ssl-encryption

Select SSL encryption rules as match criteria.

  • Values:

    • any—Match the application whether or not the session is SSL-encrypted.

    • no—Match only sessions that are not SSL-encrypted.

    • yes—Match only SSL-encrypted sessions.

then

Specify the action to be performed when traffic matches the associated match criteria.

deny

Block the traffic at the firewall. The device drops the packet. By default, no message is returned to the sender.

block-message block-message

(Optional) Tell the user why the traffic was blocked. For denied HTTP or HTTPS traffic, block-message returns the default message, a customized message, or a redirect, according to the block-message settings in the profile referenced by this rule set. Traffic of any other protocol is still dropped silently.

reject

Block the traffic at the firewall. For TCP traffic, by default the device drops the packet and returns a TCP reset (RST) message to the source host. For UDP and other protocol traffic, by default the device drops the packet and returns an ICMP “destination unreachable, port unreachable” message to both the client and the server.

block-message block-message

(Optional) Tell the user why the traffic was blocked. For rejected HTTP or HTTPS traffic, block-message returns the default message, a customized message, or a redirect, according to the block-message settings in the profile referenced by this rule set. Traffic of any other protocol receives only the reset or ICMP unreachable described above.

permit

Permit traffic at the firewall.
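The following configuration is an added example, not taken from this Juniper page, that exercises every option above in one rule set and then shows the unified-policy form that the deprecation note asks you to migrate to. The rule-set name (appfw-demo), the profile name, the policy and zone names, and the dynamic-application and group names (junos:FACEBOOK-ACCESS, junos:HTTP, junos:p2p) are illustrative; use the signature names present on your device. The profile and default-rule statements and the policy attachment are not documented on this page and are included on the assumption that they take the form shown.

```junos
/* Added example: not from the Junos OS documentation page. */
security {
    application-firewall {
        /* Assumed: the profile that supplies the text shown by block-message. */
        profile appfw-demo-profile {
            block-message {
                type {
                    custom-text {
                        content "Blocked by application firewall policy";
                    }
                }
            }
        }
        rule-sets appfw-demo {
            profile appfw-demo-profile;
            /* Rules are evaluated in order; the first matching rule wins. */
            /* 1. Deny one application, encrypted or not, and show the message. */
            rule block-social {
                match {
                    dynamic-application junos:FACEBOOK-ACCESS;
                    ssl-encryption any;
                }
                then {
                    deny {
                        block-message;
                    }
                }
            }
            /* 2. Reject (TCP RST / ICMP unreachable) a whole group, but only
               when the session is not SSL-encrypted. Group name is illustrative. */
            rule reject-p2p {
                match {
                    dynamic-application-group junos:p2p;
                    ssl-encryption no;
                }
                then {
                    reject {
                        block-message;
                    }
                }
            }
            /* 3. Explicitly permit a known-good application. */
            rule allow-web {
                match {
                    dynamic-application junos:HTTP;
                }
                then {
                    permit;
                }
            }
            /* Assumed: action for sessions that match no rule. Deny by default
               so an unclassified application is not silently allowed through. */
            default-rule {
                deny;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* The base policy must permit the traffic; AppFW then filters it. */
            policy internet-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set appfw-demo;
                            }
                        }
                    }
                }
            }
            /* Junos OS 18.2R1 and later: the same deny expressed as a unified
               policy, with dynamic-application matched directly in the policy.
               This replaces rule block-social above when AppFW is removed. */
            policy block-social {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application junos:FACEBOOK-ACCESS;
                }
                then {
                    deny;
                }
            }
        }
    }
}
```

Two points a practitioner should check after committing: the default-rule decides what happens to traffic the application identification engine cannot classify, so leaving it at permit turns AppFW into an allow-list with a hole in it; and a rule with ssl-encryption no never matches a session once it has negotiated TLS, so a deny intended to cover an application on both plaintext and TLS needs ssl-encryption any. Rule hit counts for the rule set can be inspected with show security application-firewall rule-set all.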

Required Privilege Level

security

Release Information

Statement introduced in Junos OS Release 11.1. Statement updated in Junos OS Release 12.1X44-D10 to include the ssl-encryption and reject options. The block-message option was added in Junos OS Release 12.1X45-D10.