Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos OS Security Policies User Guide for Security Devices Explicit Web Proxy

Security Policies User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Security Policies User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Explicit Web Proxy

date_range 24-Mar-25
arrow_backward
arrow_forward

Explicit Web Proxy

Explicit Proxy provides a method for steering traffic from any client device to the SRX Series Firewall. The SRX Series Firewall accepts connections from clients, resolves DNS, forwards connections to the specified destination servers, and then gets the response from the server on behalf of the client. In such configuration, the firewall acts an intermediary between clients and servers. Here, all communication between client and server goes through the firewall that is configured as proxy server.

You can configure your SRX Series Firewall interface as explicit web proxy for applying proxy for IPv4 and IPv6 HTTP and HTTPS traffic.

To deploy explicit proxy, manually configure the browser’s settings on client device to send requests to SRX SeriesFirewall. In most standard browsers, you can specify the proxy address and port.

SRX Series Firewalls support explicit proxy configuration to obtain the user or device identity information from active directory, identity-management server, LDAP server, and physical SRX Series Firewalls.

How Explicit Proxy Works?

In this example, a client initiates HTTP connection to reach www.example.com. Client device first connects with SRX Series Firewall acting as explicit proxy on (172.16.10.254 and port 31280).

Figure 1: Explicit Web Proxy Explicit Web Proxy

The client network connects to the SRX Series Firewall on ge-0/0/1 interface with IP address 172.16.10.254. SRX Series Firewall connects to Internet using the interface ge-0/0/0 with IP address 192.0.2.0.

Prerequisite

  • Ensure that the client configure proxy settings on the client browser.

For each session initiated by the client browser, the SRX Series Firewall creates two sessions:

S1: Session originating from client browser to explicit web proxy

S2: Session originating from explicit web proxy to actual destination server.

Table 1 provides details on the explicit web proxy sessions.

Table 1: Explicit Proxy Session Details
Session Type Source IP/Port Destination IP/Port Policy Comments
Client to SRX Series Firewall (S1) Client IP / dynamic port range SRX Series Firewall interface IP (172.16.10.254) / fixed port (31280) Security policy/unified policy (explicitly configured on SRX Series Firewall) Client traffic directly comes to the SRX Series Firewall interface where explicit proxy profile is configured.
SRX Series Firewall to actual destination server (S2) SRX Series Firewallegress interface IP (192.0.2.0)/ dynamic port range End server as resolved by DNS or in explicit proxy request Implicitly inherited from S1 SRX Series Firewall establishes the connection with actual server.

Benefits

  • Explicit web proxy secures network by controlling and filtering the inbound and outbound traffic.
  • Explicit web proxy performs DNS resolution on client's behalf.

Steps to Configure Explicit Proxy on SRX Series Firewall

To manage explicit proxy for connections to your network, you must:

  1. Configure the explicit proxy profile.
  2. Configure explicit proxy on an interface. This interface must be connected to client network. The client browsers use this IP address to forward requests to the SRX Series device. You can configure and attach multiple explicit proxy profiles to a particular IP address in the interface. However, you must ensure that there must not be overlapping ports between the explicit proxy profiles.
  3. Use security policies to control the explicit web proxy traffic.
  4. Configure default-policy for the explicit proxy.

Configure Explicit Proxy

  1. Configure explicit web proxy profile exp-proxy-profile to reach the interface ge-0/0/0.

    content_copy zoom_out_map
    user@host# set services web-proxy explicit-proxy profile exp-proxy-profile listening-port 31280 
user@host# set services web-proxy explicit-proxy profile exp-proxy-profile preferred-egress-source-ip default-egress-ip

    The default-egress-ip is the egress source IP address associated with outgoing interface.

  2. Configure interface that is used to enable explicit web proxy.

    content_copy zoom_out_map
    user@host# set interfaces ge-0/0/1 unit 0 explicit-proxy profile exp-proxy-profile

Configure Security Policy

You must configure and enforce security policies to manage the traffic for the explicit proxy. Explicit proxy profile needs a set of unique security policies or unified policies. The firewall determines which profile to leverage for a policy lookup based on the ingress interface and port combination. Once the firewall identifies the explicit proxy profile for a flow, it performs a policy lookup.

SRX Series Firewall uses the following sequence for the policy lookup:

  • Source IP address, source-port, protocol, and source identity
  • DNS-based destination IP resolution
  • URL category detection
  • Dynamic Layer 7 application match
  • DNS-based destination resolved IP reputation
  • Hardcoded destination IP address or reputation of hardcoded destination IP address

You can configure the explicit proxy profile rule-base using the following statement:

You can notice that this policy, similar to the global policies, does not need security zones.

To attach a security policy with explicit proxy profile, the profile name mentioned in policy configuration must match with the name of the explicit proxy profile configured under web-proxy services (set services web-proxy explicit-proxy profile <profile-name>).

  • Define a security policy to control the explicit web proxy traffic.

    content_copy zoom_out_map
    set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match source-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match destination-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match dynamic-application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy then log session-close
commit

Default Policy for Explicit Proxy

In case the traffic matches to any of the explicit proxy profiles but does not match any of the policies under the explicit proxy profile, the firewall applies the default policy action. You can configure the default policy in the explicit proxy profile.

In case no matching explicit proxy profile found for a given traffic, the firewall performs the policy lookup based on configured zone and global policies.

You can configure only one default policy per explicit proxy profile.

Limitations

For explicit proxy profile policies, the match condition does not support:

  • Source or destination zone
  • Source and destination Layer 3 VPN VRF group

Post-match application services do not support:

  • Secure web proxy
  • GPRS Tunneling protocol
  • GPRS stream control transport protocol (SCTP)
  • Unified Access control enforcement of policy (UAC)
  • WAN acceleration (Legacy WX)
  • Legacy Intrusion detection and prevention.
  • APBR

See Also

Use Case Scenarios

Configure SSL Proxy

Secure Sockets Layer (SSL) Proxy provides deep packet inspection and decryption of outbound SSL or Transport Layer Security (TLS) traffic for security inspection and policy enforcement on Web traffic received.

Ensure to enable SSL proxy to decrypt sessions so that the advanced security services are applied for inspection, detection, and mitigation. For details, see SSL Proxy Configuration Overview.

  • Apply the SSL proxy profile, SSL_FP to the explicit web proxy profile, exp-proxy-profile to permit the traffic.

    content_copy zoom_out_map
    set services web-proxy explicit-proxy profile exp-proxy-profile ssl-proxy profile-name SSL_FP
Commit

Configure Content Security Filtering

Content Security provides comprehensive security solution that integrates multiple features like antivirus, anti-spam, content filtering, and web filtering on the received web traffic.

You can apply advanced security service profiles for the features IDP, ATP, AppQos, and so on to the proxy traffic. For details, see Content Security.

  • Specify the Content Security policy to be applied on the traffic that matches the conditions specified in the security policy.

    content_copy zoom_out_map
    set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match source-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match destination-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match dynamic-application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy then permit application-services utm-policy CON-SEC-POL
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy then log session-close
commit

Configure Identity Aware Firewall

Identity Aware Firewall enforces network access policies based on individual user identities, allow or block traffic according to predefined rules associated with each user on the received web traffic.

You can use identity sources such as Active Directory, JIMS, UAC, Aruba Clearpass and so on to authenticate users. For more information on identity source, see Identity-Sources.

  • Configure a security policy to use identify parameters that match with the source-identity specification.

    content_copy zoom_out_map
    set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match source-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match destination-address any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match source-identity any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy match dynamix-application any
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy then permit application-services utm-policy ORG_EWF_POL
set security policies explicit-proxy profile exp-proxy-profile policy exp-proxy-policy then log session-close
commit
Note:

All the use case features are enabled independently with multiple policies or can be combined on the same policy to expand the threat inspection capabilities.

arrow_backward PREVIOUS Geneve Packet Flow Tunnel Inspection
NEXT arrow_forward Configuring Security Policies for a VRF Routing Instance
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top