Add a Rule to a Security Policy

You are here: Security Policies & Objects > Security Policies.

Note:

To reference the Content Security policies and the AppQoS profiles in a security policy rules, create Content Security polices and AppQoS profiles before creating or editing security policy rules if required. To create Content Security policies, go to Security Services > Content Security > Content Security Policies and to create AppQoS profiles, go to Network > Application QoS.

To add a rule to a security policy:

Click + available on the upper-right corner of the Security Policies page.

The inline editable fields will appear.
Complete the configuration according to the guidelines provided in Table 1.
Click the tick icon on the upper right of the row once done with the configuration.

Note:
Scroll back the horizontal bar if the inline tick and the cancel icons are not available when creating a new rule.
Click Save to save the changes or click Discard to discard the changes.
Note:
You must perform Step 3 and Step 4 before performing any further actions in the J-Web UI.

Table 1: Fields on the Security Policies Page
Field	Action
Rule Name	Enter a name for the new rule or policy.
Rule Description	Enter a description for the security policy.
Global Policy	Enable this option to specify that the policy defined is a global policy and zones are not required.
Source Zone	To add sources: Click +. The Select Sources page appears. Enter the following details: Zone—Select the source zone from the list to which you want the rule to be associated. Addresses—Select any or Specific. Note: You can select the IP feeds to define the matching criteria for a policy. Also, you can view source type (Address, Address group, Wild card, Range, IP feeds) in the new Type column. Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, `request services security-intelligence download`. To select a specific address or IP feed, select the addresses or IP feeds from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list. To create a new address, click +. The Create Address page appears. For more information on fields, see Table 2. Source identity—Select the user identity from the Available column and then click the right arrow to move it to the Selected column. To create a source identity, click +. Enter a new username or identity in the Create Source Identity page and click OK. Source identity feed—You can select user identity threat feed to define the matching criteria for a policy. Select the user identity threat feed from the Available column and then click the right arrow to move it to the Selected column. Maximum user identity threat feed count is 1024. That is, sum of source identity feed and destination identity feed per policy. Note: Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, `request services security-intelligence download`.
Destination Zone	To add a destination: Click +. The Select Destination page appears. Enter the following details: Zone—Select the destination zone from the list to which you want the rule to be associated. Addresses—Select any or Specific. Note: You can select the IP feeds to define the matching criteria for a policy. Also, you can view source type (Address, Address group, Wild card, Range, IP feeds) in the new Type column. Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, `request services security-intelligence download`. To select a specific address or IP feed, select the addresses or IP feeds from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list. To create a new address, click +. For more information on fields, see Table 2. Dynamic applications—Select Any, Specific, or None. Note: The Dynamic Applications option is not supported for tenants. To select a specific application, select the application from the Available column and then click the right arrow to move it to the Selected column. Note: The select all check box is only available when you search for specific dynamic applications. To create a new application, click +. The Create Application Signature page appears. For more information on fields, see Add Application Signatures. Note: For logical systems, you cannot create a dynamic application inline. Services—Select Any, Specific, or None. To select a specific service, select the service from the Available column and then click the right arrow to move it to the Selected column. To create a new service, click +. The Create Service page appears. For more information on fields, see Table 3. URL category—Select any, Specific, or None to match criteria for a web filtering category. To select a specific URL category, select the URL category from the Available column and then click the right arrow to move it to the Selected column. Note: This option is not available for logical systems and tenants. Destination identity feed—You can select user identity threat feed to define the matching criteria for a policy. Select the user identity threat feed from the Available column and then click the right arrow to move it to the Selected column. Maximum user identity threat feed count is 1024. That is, sum of source identity feed and destination identity feed per policy. Note: Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, `request services security-intelligence download`.
Action	Select an action to take when traffic matches the criteria: Permit—Allows packet to pass through the firewall. Deny—Block and drop the packet, but do not send notification back to the source. Reject—Block and drop the packet and send a notice to the source host.
Advanced Services Click +. The Select Advanced Services page appears. Note: When the action is Reject: You can configure only the SSL Proxy and Redirect Profile options. You can configure only the SSL Proxy option if the dynamic application is None. Advanced Security option is not supported for logical systems and tenants. When the action is Permit: For logical systems, only IPS, IPS policy, Content Security, threat prevention policy, ICAP redirect profile, and AppQOS options are supported. For tenant systems, only threat prevention policy and AppQOS are supported.
SSL proxy	Select the SSL proxy policy to associate with this rule from the list.
Content Security	Select the Content Security policy you want to associate with this rule from the list. The list displays all the Content Security policies available. If you want to create a new Content Security policy, click Add New. The Create a Content Security Policy page appears. For more information on creating a new Content Security policy, see Create a Content Security Policy.
IPS policy	Select the IPS policy from the list.
Threat prevention policy	Select the configured threat prevention policy from the list.
ICAP redirect profile	Select the configured ICAP redirect profile name from the list.
AAMW	Select an anti-malware profile from the list that you want to associate with the security policy. Note: Starting in Junos OS 22.2R1 Release, you can associate an anti-malware profile with the security polices.
SecIntel profile group	Select a SecIntel profile group from the list that you want to associate with the security policy. Note: Starting in Junos OS 22.2R1 Release, you can associate a SecIntel profile group with the security polices.
IPsec VPN	Select the IPsec VPN tunnel from the list. Note: If you select Dynamic applications in the destination, IPsec VPN option is not supported.
Pair policy name	Enter the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy. Note: If you select Dynamic applications in the destination, Pair Policy Name option is not supported.
Application QoS profile	Select the configured AppQoS profile from the list. If you want to create a new AppQoS profile, click Add New. The Add AppQoS Profile page appears. For more information on creating a new AppQoS profile, see Add an Application QoS Profile.
Threat profiling	Starting in Juons OS Release 21.4R1, you can enable this option to generate threat profiling feeds. Note: Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, `request services security-intelligence download`. You can add source and destination addresses, and source and destination identities to the threat feeds. After the feeds are generated, you can configure other security policies to use the feeds to match designated traffic and perform policy actions. Add source IP to feed—Select the threat feed from the list to add it to the source IP address. Add source identity to feed—Select the threat feed from the list to add it to the source user identity. Add destination IP to feed—Select the threat feed from the list to add it to the destination IP address. Add destination identity to feed—Select the threat feed from the list to add it to the destination user identity.
Packet capture	Enable to capture unknown application traffic specific to a security policy rule. By default, this option is disabled. Once enabled, you can view the packet capture (PCAP) file details or download the PCAP file on the Monitor > Log > Sessions page.
Rule Options Click on Rule Options. The SELECT RULE OPTIONS page appears.
Logging
Session initiate	Enable this option to log an event when a session is created.
Session close	Enable this option to log an event when the session closes.
Count	Enable this option to collect statistics of the number of packets, bytes, and sessions that pass through the firewall with this policy. Specifies statistical counts. An alarm is triggered whenever traffic exceeds specified packet and byte thresholds. Note: Alarm threshold fields are disabled if Enable Count is not enabled.
Authentication Note: If you select Dynamic applications in the destination, Authentication option is not supported. This option is not supported for logical systems and tenant systems.
Push auth entry to JIMS	Enable this option to push authentication entries from firewall authentication, that are in auth-success state, to Juniper Identity Management Server (JIMS). This will enable the SRX Series Firewall to query JIMS to get IP/user mapping and device information. This is not a mandatory option. You can select it when at least one domain is configured on local Active Directory or configure identity management.
Type	Select the firewall authentication type from the list. The options available are: None, Pass-through, User-firewall, and Web-authentication.
Access profile	Select an access profile from the list. Note: This option is not supported if you select the authentication type as Web-authentication.
Client name	Enter the client username or client user group name. Note: This option is not supported if you select the authentication type as User-firewall.
Domain	Select a domain name that must be in a client name from the list. Note: This option is supported only if you select the authentication type as User-firewall.
Web redirect (http)	Enable this option to redirect HTTP requests to the device’s internal webserver by sending a redirect HTTP response to the client system to reconnect to the webserver for user authentication. Note: This option is not supported if you select the authentication type as Web-authentication.
Captive portal	Enable this option to redirect a client HTTP or HTTPS request to the internal HTTPS webserver of the device. The HTTPS client requests are redirected when SSL termination profile is configured. Note: This option is not supported if you select the authentication type as Web-authentication.
Interface	Select an interface for the webserver where the client HTTP or HTTPS request is redirected. Note: You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces.
IPv4 address	Enter IPv4 address of the webserver where the client HTTP or HTTPS request is redirected. Note: You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces.
SSL termination profile	Select an SSL termination profile from the list which contains the SSL terminated connection settings. SSL termination is a process where the SRX Series Firewall acts as an SSL proxy server, terminates the SSL session from the client. To add a new SSL termination profile: Click Add. The Create SSL Termination Profile page appears. Enter the following details: Name—Enter SSL termination profile name; 63-character maximum. Server certificate—Select a server certificate from the list that is used to authenticate the server identity. To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate. To import a certificate, click Import. For more information on importing a device certificate, see, Import a Device Certificate.
Auth only browser	Enable this option to drop non-browser HTTP traffic to allow for captive portal to be presented to unauthenticated users who request access using a browser. Note: This option is not supported if you select the authentication type as Web-authentication.
User agents	Enter a user-agent value which is used to verify that the user’s browser traffic is HTTP/HTTPS traffic. Note: This option is not supported if you select the authentication type as Web-authentication.
Advanced Settings
Destination address translation	Select the action to be taken on a destination address translation from the list. The options available are: None, Drop Translated, and Drop Untranslated.
Redirect options	Select a redirect action from the list. The options available are: None, Redirect Wx, and Reverse Redirect Wx. Note: This option is not supported for SRX5000 line of devices.
TCP Session Options
Sequence number check	Enable or disable checking of sequence numbers in TCP segments during stateful inspections at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off Sequence number check under Global Options > Flow > TCP Session.
SYN flag check	Enable or disable the checking of the TCP SYN bit before creating a session at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off SYN flag check under Global Options > Flow > TCP Session.
Schedule
Schedule	Click Schedule and select one of the configured schedules from the list. To add a new schedule, click Add New Schedule. The Add New Schedule page appears. For more information on creating a new schedule, see Table 4.

Table 2: Fields on the Create Address Page
Field	Action
Name	Enter a name for the address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.
IP type	Select IPv4 or IPv6.
IPv4
IPv4 address	Enter a valid IPv4 address.
Subnet	Enter a subnet mask for the IPv4 address.
IPv6
IPv6 address	Enter a valid IPv6 address.
Subnet prefix	Enter a subnet prefix for the IPv6 address.

Table 3: Fields on the Create Service Page
Field	Action
Global Settings
Name	Enter a unique name for the application.
Description	Enter description of the application.
Application protocol	Select an option from the list for application protocol.
Match IP protocol	Select an option from the list to match IP protocol.
Source port	Select an option from the list for source port.
Destination port	Select an option from the list for destination port.
ICMP type	Select an option from the list for ICMP message type.
ICMP code	Select an option from the list for ICMP message code.
RPC program numbers	Enter a value for RPC program numbers. The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535.
Inactivity timeout	Select an option from the list for application specific inactivity timeout.
UUID	Enter a value for DCE RPC objects. Note: The format of the value must be 12345678-1234-1234-1234-123456789012.
Custom application group	Select an application set name from the list.
Terms Click +. The Create Term page appears.
Name	Enter a name for the term.
ALG	Select an option from the list for ALG.
Match IP protocol	Select an option from the list to match IP protocol.
Source port	Select an option from the list for source port.
Destination port	Select an option from the list for destination port.
ICMP type	Select an option from the list for ICMP message type.
ICMP code	Select an option from the list for ICMP message code.
RPC program numbers	Enter a value for RPC program numbers. Note: The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535.
Inactivity timeout	Select an option from the list for application specific inactivity timeout.
UUID	Enter a value for DCE RPC objects. Note: The format of the value must be 12345678-1234-1234-1234-123456789012.

Table 4: Fields on the Add New Schedule Page
Field	Action
Name	Enter the name for the schedule.
Description	Enter a description for the schedule.
Repeats	Select an option from the list to repeat the schedule: Never Daily Weekly
All Day	Enable this option to schedule an event for an entire day. This option is available only for Never and Daily repeat type schedule.
Start date	Select the schedule start date in the YYYY-MM-DD format. This option is available only for Never repeat type schedule.
Stop date	Select the schedule stop date in the YYYY-MM-DD format. This option is available only for Never repeat type schedule.
Start time	Enter the start time for the schedule in HH:MM:SS 24 hours format. This option is available only for Daily repeat type schedule.
Stop time	Enter the end time for the schedule in HH:MM:SS 24 hours format. This option is available only for Daily repeat type schedule.
Repeat on	Select the days and time on which you want to repeat the schedule. To set time for the selected day(s): Click Set Time or Set Time to Selected Days. The Set Time to Selected Days page appears. Enter the following details: Name—Displays the day(s) you have selected. All day—Enable this option for the event to run for the entire day. Start time—Enter the start time in HH:MM:SS 24 hours format. Stop time—Enter the stop time in HH:MM:SS 24 hours format. Click OK to save changes. This option is available only for Weekly repeat type schedule.
Schedule criteria	Select any of the following options: Schedule Never Stops—Schedule can be active forever (recurrent), but only as specified by the daily or weekly schedule. Schedule Specify Window—Schedule can be active during a single time slot, as specified by a start date and a stop date. Enter the following details: Schedule starts—Enter the schedule start date in the YYYY-MM-DD format. Schedule ends—Enter the schedule start date in the YYYY-MM-DD format. This option is available only for Daily and Weekly repeat type schedule.

Add a Rule to a Security Policy

Related Documentation