Firewall Policies Overview
Security Director provides you with two types of firewall policies:
Device Policy—Type of firewall policy that is created per device. This type of policy is used when you want to push a unique firewall policy configuration per device. You can create device rules for a device firewall policy.
Security Director views a logical system or a tenant system like it does any other security device, and it takes ownership of the security configuration of the logical system or tenant system. In Security Director, each logical system or tenant system is managed as a unique security device.
During a device assignment for a device policy, only devices from the current domain are listed.
Note:If Security Director discovers the root logical system, the root lsys discovers all other user lsys inside the device.
Security Director allows a device to have a device-specify policy and to be part of multiple group policies. Rules for a device are updated in the following order:
Rules within Policies Applied Before 'Device Specific Policies'
Rules within Device-Specific Policies
Rules within Policies Applied After 'Device Specific Policies'
Rules within Policies Applied Before 'Device Specific Policies' take priority and cannot be overridden. However, you can override rules within Policies Applied After 'Device Specific Policies' by adding an overriding rule in the Device-Specific Policies. In an enterprise scenario, “common-must-enforce” rules can be assigned to a device from the Policies Applied Before ‘Device Specific Policies’, and “common-nice-to-have” rules can be assigned to a device from the Policies Applied After ‘Device Specific Policies’.
Note:An exception can be added on a per device basis in “Device-Specific Policies” . For a complete list of rules applied to a device, select Configure > Firewall Policy > Devices. Select a device to view rules associated with that device.
All devices policy enables rules to be enforced globally to all the devices managed by Security Director. All devices policy is part of the Global domain and is visible in all the child domains if the view parent is enabled.
Group—Type of firewall policy that is shared with multiple devices. This type of policy is used when you want to update a specific firewall policy configuration to a large set of devices. You can select the policy placement to be before device specific or after device specific. When a group firewall policy is updated on the devices, the rules are updated in the following order:
Rules within Policies Applied Before 'Device Specific Policies'
Rules within Device-Specific Policies
Rules within Policies Applied After 'Device Specific Policies'
During a device assignment for a group policy, only devices from the current and child domains (with view parent enabled) are listed. Devices in the child domain with view parent disabled are not listed. Not all the group policies of the Global domain are visible in the child domain. Group policies of the Global domain (including All device policy) are not visible to the child domain, if the view parent of that child domain is disabled. Only the group policies of the Global domain, which has devices from the child domain assigned to it, are visible in the child domain. If there is a group policy in global domain with devices from both D1 and the Global domains assigned to it, only this group policy of the Global domain is visible in the D1 domain along with only the D1 domain devices. No other devices, that is the Device-Exception policy, of the Global domain is visible in the D1 domain.
You cannot edit a group policy of the Global domain from the child domain. This is true for All Devices policy as well. Modifying the policy, deletion of the policy, managing a snapshot, snapshot policy and acquiring the policy lock is also not allowed. Similarly, you cannot perform these actions on the Device-Exception policy of the D1 domain from the Global domain. You can prioritize group policies from the current domain. Group policies from the other domains are not listed.
Group policies applied before (Pre) or after (Post) Device Specific Policies via Security Director:
Works separately for Global-based and Zone-based policies.
Do not alter the Junos-SRX policy precedence order as stated in Policy Ordering Overview.
The basic settings of a firewall policy are obtained from the policy profile. The basic settings include log options, firewall authentication schemes, and traffic redirection options.
Firewall policies are displayed in a tabular view. You can select a policy and apply rules either inline or using the + icon. For more information, see Creating Firewall Policy Rules.
Starting in Junos Space Security Director Release 19.3R1, you can assign IPS policy to the standard firewall policy rule. The CLI is generated for the IPS policy along with the standard firewall policy (to which the IPS policy is assigned) for devices with Junos OS Release 18.2 onward. Since the IPS policy name is directly used in the firewall policy rule, the [edit security idp active-policy policy-name] statement is deprecated in Junos OS Release 18.2 onward. You can import and convert the deprecated active policy CLI into a new CLI from Security Director. You can import the IPS policy for the deprecated active-policy for Junos OS version 18.2 and later. After the IPS policy is imported, the rules associated with the firewall policy for the device is updated with IPS policy details. On subsequent update from Security Director, you can see the new firewall policy CLIs, in preview, to attach IDP and the same can be updated to device.
In a device with Junos OS Release 18.2, you must assign same IPS policy to all the rules in the firewall policy, otherwise commit fails.
In a device with Junos OS Release 18.3 onward, you can assign different IPS policy to the rules in the firewall policy. You must set a default IDP policy, otherwise commit fails.