Configure Application Policies on SRX Series Firewalls

Application policies are the security policies in the Juniper WAN Assurance design. In them you define which networks and users can access which applications, and according to which traffic-steering policy. To define application policies, you must first create networks, applications, and traffic-steering profiles. You then use these as matching criteria to allow or block access to applications or destinations.

In the Juniper Mist™ cloud portal, the Networks or Users setting determines the source zone. The Applications + Traffic Steering setting determines the destination zone. Traffic-steering paths determine the destination zone in Juniper Networks® SRX Series Firewalls, so ensure that you assign traffic steering profiles to the application policies.

Notes about the application policies:

  • You can define application policies in one of three ways: at the organization level, inside a WAN edge template, or inside a hub profile.

  • When you define an application policy at the organization level, you can import and use the policy in multiple WAN edge templates or hub profiles. That is, you can follow the “define once, use multiple times” model.

  • When you define an application policy directly inside a WAN edge template or hub profile, the scope of the policy is limited to that WAN edge template or hub profile only. You cannot re-use the policy in other templates or profiles.

  • Mist evaluates and applies policies in the order of their appearance in the policies list.

Configure Application Policies

To configure application policies:

  1. In the Juniper Mist cloud portal, select Organization > WAN > Application Policy to create a policy at the organization level.
    If you want to create the policy at the WAN edge template or hub profile level, select Organization > WAN > WAN Edge Templates or Hub Profile and select the required template or profile.
  2. Scroll down to the Application Policies section, and click Add Application Policy.
    Note:

    You can import a global policy into the WAN edge template or hub profile by clicking the Import Application Policy option.

    The Juniper Mist cloud portal displays the imported policies in gray to differentiate from local policies defined in the template or profile.

  3. Click the new field under the Name column, give the policy a name, and then click the blue check mark to apply your changes.

    The following figure (Figure 1) shows the options that are available to you when you configure an application policy.

    Figure 1: Application Policy Configuration Options
    The following table (Table 1) explains the configuration options available for an application policy.

    Table 1: Application Policies Options

    No.
      Abbreviation for number. This entry indicates the position of the application policy. Mist evaluates and applies policies by their position, that is, in the order in which they are listed in this field.

    Name
      Name of the application policy. You can use up to 32 characters, including alphanumerics, underscores, and dashes.

    Network/User
      Networks and users of the network. Networks are the sources of requests in your network. You can select a network from the list of available networks. If you have associated a user with the network, the Mist portal displays the entry in user.network format in the drop-down menu.

    Action
      Policy action. Select one of these actions:
      • Allow
      • Block

    Application / Destination
      Destination endpoint. Applications determine the destinations used in a policy. You can select applications from the list of already defined applications.

    IDP
      (Optional) Intrusion Detection and Prevention (IDP) profile. Select one of the following IDP profiles:
      • Standard—The default profile. It represents the set of IDP signatures and rules recommended by Juniper Networks. The actions include:
        • Close the client and server TCP connection.
        • Drop the current packet and all subsequent packets.
      • Strict—Contains a similar set of IDP signatures and rules as the Standard profile. However, when the system detects an attack, the profile actively blocks the malicious traffic or other attacks detected in the network.
      • Alert—Generates an alert only and does not take any additional action. The Alert profile is suitable only for low-severity attacks. The IDP signatures and rules are the same as in the Standard profile.
      • None—No IDP profile is applied.
      The IDP profile that you apply in your application policy inspects the allowed traffic to detect and prevent intrusions.

    Traffic Steering
      Traffic-steering profile. A traffic-steering profile defines the traffic path or paths. Steering profiles are required for deploying the policy to the WAN edge spoke device or to a hub device.

    Hit Count
      Application policy hit count (allow/block/filter). Displays the number of times traffic has hit a given application policy.

    Note:

    The No. (order number) and Traffic Steering fields are not available for organization-level application policies. When you define an application policy directly inside a WAN edge template or hub profile, you must specify the order number and traffic-steering options.

  4. Complete the configuration according to the details in Table 2.

    Table 2: Application Policy Examples

    S.No.  Rule Name                      Network         Action  Destination  Steering
    1      Spoke-to-Hub-DMZ               ALL.SPOKE-LAN1  Pass    HUB1-LAN1    HUB-LAN
    2      Hub-DMZ-to-Spokes              HUB1-LAN1       Pass    SPOKE-LAN1   Overlay
    3      Spoke-to-Spoke-on-Hub-Hairpin  ALL.SPOKE-LAN1  Pass    SPOKE-LAN1   Overlay
    4      Hub-DMZ-to-Internet            HUB1-LAN1       Pass    ANY          LBO
    5      Spokes-Traffic-CBO-on-Hub      ALL.SPOKE-LAN1  Pass    ANY          LBO
  5. Click Save.

    Figure 2 shows the list of newly created application policies.

    Figure 2: Application Policies Summary

Reorder and Delete Application Policies

Reordering application policies lets you move policies around after you have created them.

Because Mist evaluates and applies policies in the order in which they appear in the policies list, be aware of the following:

  • Policy order matters, because policy evaluation starts from the top of the list and stops at the first match.

  • New policies are added to the end of the policy list.

Select a policy and use Up Arrow or Down Arrow to change the order. You can change the policy order anytime.

Figure 3: Changing Policy Order

To delete an application policy, select the policy you want to delete, and then click Delete, which appears at the top right of the pane.

Using Same IP Addresses and Prefixes in Networks and Applications

In the application policies configuration, Network/Users belong to the source zone, and Applications/Destination belong to the destination zone.

You can use the same IP addresses and prefixes for both networks and applications when you define them for different purposes; that is, they act as a source in one policy and as a destination in another policy.

Consider the policies in Figure 4.

Figure 4: Application Policies Details

Here, you have a Network/Users entry SPOKE-LAN1 with the IP prefix 192.168.200.0/24 for a spoke LAN interface. The screenshot shows that the following policies use the same network in different ways:

  • Spoke-to-Spoke-via-Hub—This policy allows inbound and outbound spoke-to-spoke traffic through a hub. Here, we defined SPOKE-LAN1 as both a network and as an application.

  • Spoke-to-Hub-DMZ—This policy allows spoke-to-hub traffic. Here, we defined SPOKE-LAN1 as a network.

  • Hub-DMZ-to-Spoke—This policy allows hub-to-spoke traffic. Here, we defined SPOKE-LAN1 as an application.
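As an added example that is not part of the original documentation, the following Python model shows the two points made above: first-match evaluation in list order (so reordering can leave a later policy dead and change which steering profile a flow gets), and the same prefix serving as a source network in one policy and a destination application in another. Only SPOKE-LAN1's 192.168.200.0/24 comes from the page; the HUB1-LAN1 prefix is constructed, the ALL. user prefix is dropped from network names, and Table 2's Pass is written as allow.

```python
import ipaddress
from dataclasses import dataclass

# SPOKE-LAN1 is 192.168.200.0/24 as on the page; HUB1-LAN1 is a constructed
# prefix. The same prefixes are registered both as networks (source side) and
# as applications (destination side), as the section above describes.
NETWORKS = {
    "SPOKE-LAN1": ipaddress.ip_network("192.168.200.0/24"),
    "HUB1-LAN1": ipaddress.ip_network("10.10.10.0/24"),
}
APPLICATIONS = dict(NETWORKS, ANY=ipaddress.ip_network("0.0.0.0/0"))

@dataclass(frozen=True)
class Policy:
    name: str
    network: str      # Network/Users column (source zone)
    application: str  # Application/Destination column (destination zone)
    action: str       # "allow" or "block"
    steering: str     # traffic-steering profile name

# Table 2 from the page, user prefix dropped and "Pass" written as "allow".
TABLE2 = [
    Policy("Spoke-to-Hub-DMZ", "SPOKE-LAN1", "HUB1-LAN1", "allow", "HUB-LAN"),
    Policy("Hub-DMZ-to-Spokes", "HUB1-LAN1", "SPOKE-LAN1", "allow", "Overlay"),
    Policy("Spoke-to-Spoke-on-Hub-Hairpin", "SPOKE-LAN1", "SPOKE-LAN1", "allow", "Overlay"),
    Policy("Hub-DMZ-to-Internet", "HUB1-LAN1", "ANY", "allow", "LBO"),
    Policy("Spokes-Traffic-CBO-on-Hub", "SPOKE-LAN1", "ANY", "allow", "LBO"),
]

def evaluate(policies, src_ip, dst_ip):
    """First-match evaluation in list order: return the policy that decides
    the flow, or None when no policy matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if src in NETWORKS[p.network] and dst in APPLICATIONS[p.application]:
            return p
    return None

def shadowed(policies):
    """Names of policies that can never match because an earlier policy covers
    at least the same sources and destinations; their action and steering
    never take effect, which is what a reorder can silently cause."""
    dead = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (NETWORKS[earlier.network].supernet_of(NETWORKS[later.network])
                    and APPLICATIONS[earlier.application].supernet_of(APPLICATIONS[later.application])):
                dead.append(later.name)
                break
    return dead
```

Moving Hub-DMZ-to-Internet above Hub-DMZ-to-Spokes makes the latter dead: hub-to-spoke traffic then matches the ANY policy and is steered to LBO instead of the Overlay.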