rule-sets (Security Application Firewall)
Syntax
rule-sets rule-set-name {
    default-rule {
        (deny [block-message] | permit | reject [block-message]);
    }
    profile profile-name;
    rule rule-name {
        match {
            dynamic-application [system-application];
            dynamic-application-groups [system-application-group];
            ssl-encryption (any | yes | no);
        }
        then {
            deny {
                block-message;
            }
            permit;
            reject {
                block-message;
            }
        }
    }
}
Hierarchy Level
[edit security application-firewall]
Description
Configure a named set of rules for the application firewall.
The application firewall is defined by a collection of rule sets. Each rule set is defined independently and can be shared across network security policies. A rule set contains rules that specify match criteria (the dynamic application or application group identified by AppID, and whether the session is SSL-encrypted) and the action to take on matching traffic; the default-rule governs traffic that matches none of the rules.
To implement an application firewall, you need to:
Define one or more application firewall rule sets.
Create rules for each rule set that permit, reject, or deny traffic based on the application ID.
Configure a security policy to invoke the application firewall service and specify the rule set to be applied to permitted traffic.
Invoking the application firewall from a security policy adds a second, application-layer control on top of the policy's 5-tuple match: traffic the policy permits is then evaluated against the rule set and can still be denied or rejected based on the dynamic application it carries.
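The three steps above as a complete configuration, added here as an example and not taken from the original page. The rule-set name rs-web-out, profile name blk-msg, policy name allow-web, rule names r1 and r2, and the zone names are assumptions; the dynamic-application and group names (junos:HTTP, junos:SSL, junos:p2p) follow the predefined junos: naming used by AppID, and the ones you match must exist in the application signature package installed on the device. The default-rule is set to deny so that anything AppID identifies that is not explicitly permitted is dropped, which is the allowlist posture a practitioner would want; deny silently drops the session, reject additionally signals the client.

```junos
## Step 1 (optional profile): block message returned to the client
## when a rule denies or rejects HTTP traffic.
set security application-firewall profile blk-msg block-message type custom-text content "Blocked by application firewall policy"

## Step 1 and 2: the rule set and its rules.
## Unmatched traffic falls through to the default rule, which denies it.
set security application-firewall rule-sets rs-web-out default-rule deny block-message
set security application-firewall rule-sets rs-web-out profile blk-msg

## r1: allow plain HTTP and SSL/TLS sessions that AppID identifies as such.
set security application-firewall rule-sets rs-web-out rule r1 match dynamic-application junos:HTTP
set security application-firewall rule-sets rs-web-out rule r1 match dynamic-application junos:SSL
set security application-firewall rule-sets rs-web-out rule r1 match ssl-encryption any
set security application-firewall rule-sets rs-web-out rule r1 then permit

## r2: reject anything AppID classifies into the peer-to-peer group,
## even when it is riding over ports the security policy permits.
set security application-firewall rule-sets rs-web-out rule r2 match dynamic-application-groups junos:p2p
set security application-firewall rule-sets rs-web-out rule r2 then reject block-message

## Step 3: a security policy that permits the traffic and then hands it
## to the rule set. AppFW only ever sees traffic this policy has permitted.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services application-firewall rule-set rs-web-out
```

Run `commit check` before committing so that a reference to a rule set or profile that does not exist is caught at commit time rather than leaving the policy without its application-layer control. After committing, `show security application-firewall rule-set all` shows each rule set with its rules and per-rule hit counters, which is the quickest way to confirm that the rule set is attached to the policy and that sessions are actually being classified.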
Starting in Junos OS Release 18.2R1, the application firewall (AppFW) functionality is deprecated. As part of this change, the [edit security application-firewall] hierarchy and all the configuration options under it are deprecated rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration, in which dynamic applications are matched directly in the security policy (unified policies). A configuration under this hierarchy continues to commit in releases that still carry it, but new deployments should not rely on it.
Options
rule-set-name | Name of the rule set. Referenced from a security policy with then permit application-services application-firewall rule-set rule-set-name. |
profile profile-name | Name of the application firewall profile that supplies the block message sent to the client when a rule or the default rule denies or rejects traffic with the block-message option. |
default-rule | Action (deny, permit, or reject) applied to traffic that matches none of the rules in the rule set. |
rule rule-name | A named rule with its match criteria (dynamic-application, dynamic-application-groups, ssl-encryption) and the action (deny, permit, or reject) taken on matching traffic. |
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.1. Statement updated in Junos OS Release 12.1X44-D10 to include the ssl-encryption and reject options. The block-message options were added in Junos OS Release 12.1X45-D10.