Add a Rule
You are here: Security Policies & Objects > Security Policies.
To reference the UTM policies and the AppQoS profiles in a security policy rules, create UTM polices and AppQoS profiles before creating or editing security policy rules if required. To create UTM policies, go to Security Services > UTM > UTM Policies and to create AppQoS profiles, go to Network > Application QoS.
To add a rule:
Field |
Action |
---|---|
Rule Name |
Enter a name for the new rule or policy. |
Rule Description |
Enter a description for the security policy. |
Global Policy |
Enable this option to specify that the policy defined is a global policy and zones are not required. |
Source Zone |
To add sources:
|
Destination Zone |
To add a destination:
|
Action |
Select an action to take when traffic matches the criteria:
|
Advanced
Services
Click +. The Select Advanced Services page appears. Note:
|
|
SSL proxy |
Select the SSL proxy policy to associate with this rule from the list. |
UTM |
Select the UTM policy you want to associate with this rule from the list. The list displays all the UTM policies available. If you want to create a new UTM policy, click Add New. The Create UTM Policies page appears. For more information on creating a new UTM policy, see Add a UTM Policy. |
IPS policy |
Select the IPS policy from the list. |
Threat prevention policy |
Select the configured threat prevention policy from the list. |
ICAP redirect profile |
Select the configured ICAP redirect profile name from the list. |
IPsec VPN |
Select the IPsec VPN tunnel from the list. Note:
If you select Dynamic applications in the destination, IPsec VPN option is not supported. |
Pair policy name |
Enter the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy. Note:
If you select Dynamic applications in the destination, Pair Policy Name option is not supported. |
Application QoS profile |
Select the configured AppQoS profile from the list. If you want to create a new AppQoS profile, click Add New. The Add AppQoS Profile page appears. For more information on creating a new AppQoS profile, see Add an Application QoS Profile. |
Threat profiling |
Starting in Juons OS Release 21.4R1, you can enable this option to generate threat profiling feeds. Note:
Feeds are only displayed if you have enrolled to Juniper ATP
Cloud. You can also download the feeds using the command,
You can add source and destination addresses, and source and destination identities to the threat feeds. After the feeds are generated, you can configure other security policies to use the feeds to match designated traffic and perform policy actions.
|
Packet capture |
Enable to capture unknown application traffic specific to a security policy rule. By default, this option is disabled. Once enabled, you can view the packet capture (PCAP) file details or download the PCAP file on the Monitor > Log > Sessions page. |
Rule
Options
Click on Rule Options. The SELECT RULE OPTIONS page appears. |
|
Logging | |
Session initiate |
Enable this option to log an event when a session is created. |
Session close |
Enable this option to log an event when the session closes. |
Count |
Enable this option to collect statistics of the number of packets, bytes, and sessions that pass through the firewall with this policy. Specifies statistical counts. An alarm is triggered whenever traffic exceeds specified packet and byte thresholds. Note:
Alarm threshold fields are disabled if Enable Count is not enabled. |
Authentication Note:
|
|
Push auth entry to JIMS |
Enable this option to push authentication entries from firewall authentication, that are in auth-success state, to Juniper Identity Management Server (JIMS). This will enable the SRX Series Firewall to query JIMS to get IP/user mapping and device information. This is not a mandatory option. You can select it when at least one domain is configured on local Active Directory or configure identity management. |
Type |
Select the firewall authentication type from the list. The options available are: None, Pass-through, User-firewall, and Web-authentication. |
Access profile |
Select an access profile from the list. Note:
This option is not supported if you select the authentication type as Web-authentication. |
Client name |
Enter the client username or client user group name. Note:
This option is not supported if you select the authentication type as User-firewall. |
Domain |
Select a domain name that must be in a client name from the list. Note:
This option is supported only if you select the authentication type as User-firewall. |
Web redirect (http) |
Enable this option to redirect HTTP requests to the device’s internal webserver by sending a redirect HTTP response to the client system to reconnect to the webserver for user authentication. Note:
This option is not supported if you select the authentication type as Web-authentication. |
Captive portal |
Enable this option to redirect a client HTTP or HTTPS request to the internal HTTPS webserver of the device. The HTTPS client requests are redirected when SSL termination profile is configured. Note:
This option is not supported if you select the authentication type as Web-authentication. |
Interface |
Select an interface for the webserver where the client HTTP or HTTPS request is redirected. Note:
You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces. |
IPv4 address |
Enter IPv4 address of the webserver where the client HTTP or HTTPS request is redirected. Note:
You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces. |
SSL termination profile |
Select an SSL termination profile from the list which contains the SSL terminated connection settings. SSL termination is a process where the SRX Series device acts as an SSL proxy server, terminates the SSL session from the client. To add a new SSL termination profile:
|
Auth only browser |
Enable this option to drop non-browser HTTP traffic to allow for captive portal to be presented to unauthenticated users who request access using a browser. Note:
This option is not supported if you select the authentication type as Web-authentication. |
User agents |
Enter a user-agent value which is used to verify that the user’s browser traffic is HTTP/HTTPS traffic. Note:
This option is not supported if you select the authentication type as Web-authentication. |
Advanced Settings | |
Destination address translation |
Select the action to be taken on a destination address translation from the list. The options available are: None, Drop Translated, and Drop Untranslated. |
Redirect options |
Select a redirect action from the list. The options available are: None, Redirect Wx, and Reverse Redirect Wx. Note:
This option is not supported for SRX5000 line of devices. |
TCP Session Options | |
Sequence number check |
Enable or disable checking of sequence numbers in TCP segments during stateful inspections at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off Sequence number check under Global Options > Flow > TCP Session. |
SYN flag check |
Enable or disable the checking of the TCP SYN bit before creating a session at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off SYN flag check under Global Options > Flow > TCP Session. |
Schedule | |
Schedule |
Click Schedule and select one of the configured schedules from the list. To add a new schedule, click Add New Schedule. The Add New Schedule page appears. For more information on creating a new schedule, see Table 4. |
Field |
Action |
---|---|
Name |
Enter a name for the address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
IP type |
Select IPv4 or IPv6. |
IPv4 | |
IPv4 address |
Enter a valid IPv4 address. |
Subnet |
Enter a subnet mask for the IPv4 address. |
IPv6 | |
IPv6 address |
Enter a valid IPv6 address. |
Subnet prefix |
Enter a subnet prefix for the IPv6 address. |
Field |
Action |
---|---|
Global Settings | |
Name |
Enter a unique name for the application. |
Description |
Enter description of the application. |
Application protocol |
Select an option from the list for application protocol. |
Match IP protocol |
Select an option from the list to match IP protocol. |
Source port |
Select an option from the list for source port. |
Destination port |
Select an option from the list for destination port. |
ICMP type |
Select an option from the list for ICMP message type. |
ICMP code |
Select an option from the list for ICMP message code. |
RPC program numbers |
Enter a value for RPC program numbers. The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535. |
Inactivity timeout |
Select an option from the list for application specific inactivity timeout. |
UUID |
Enter a value for DCE RPC objects. Note:
The format of the value must be 12345678-1234-1234-1234-123456789012. |
Custom application group |
Select an application set name from the list. |
Terms
Click +. The Create Term page appears. |
|
Name |
Enter a name for the term. |
ALG |
Select an option from the list for ALG. |
Match IP protocol |
Select an option from the list to match IP protocol. |
Source port |
Select an option from the list for source port. |
Destination port |
Select an option from the list for destination port. |
ICMP type |
Select an option from the list for ICMP message type. |
ICMP code |
Select an option from the list for ICMP message code. |
RPC program numbers |
Enter a value for RPC program numbers. Note:
The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535. |
Inactivity timeout |
Select an option from the list for application specific inactivity timeout. |
UUID |
Enter a value for DCE RPC objects. Note:
The format of the value must be 12345678-1234-1234-1234-123456789012. |
Field |
Action |
---|---|
Name |
Enter the name for the schedule. |
Description |
Enter a description for the schedule. |
Repeats |
Select an option from the list to repeat the schedule:
|
All Day |
Enable this option to schedule an event for an entire day. This option is available only for Never and Daily repeat type schedule. |
Start date |
Select the schedule start date in the YYYY-MM-DD format. This option is available only for Never repeat type schedule. |
Stop date |
Select the schedule stop date in the YYYY-MM-DD format. This option is available only for Never repeat type schedule. |
Start time |
Enter the start time for the schedule in HH:MM:SS 24 hours format. This option is available only for Daily repeat type schedule. |
Stop time |
Enter the end time for the schedule in HH:MM:SS 24 hours format. This option is available only for Daily repeat type schedule. |
Repeat on |
Select the days and time on which you want to repeat the schedule. To set time for the selected day(s):
This option is available only for Weekly repeat type schedule. |
Schedule criteria |
Select any of the following options:
This option is available only for Daily and Weekly repeat type schedule. |