close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Junos Space Security Director
- play_arrow Overview
play_arrow Dashboard
- play_arrow Overview
  - Dashboard Overview
play_arrow Monitor
- play_arrow Events and Logs-All Events
  - Events and Logs Overview
  - Creating Alerts
  - Creating Reports
  - Creating Filters
  - Grouping Events
  - Using Events and Logs Settings
  - Selecting Events and Logs Table Columns
  - Viewing Threats
  - Viewing Data for Selected Devices
  - Using the Detailed Log View
  - Using the Raw Log View
  - Showing Exact Match
  - Using Filter on Cell Data
  - Using Exclude Cell Data
  - Showing Firewall Policy
  - Showing Source NAT Policy
  - Showing Destination NAT Policy
  - Downloading Packets Captured
  - Showing Attack Details
  - Using Filters
- play_arrow Events and Logs-Firewall
  - Firewall Events and Logs Overview
- play_arrow Events and Logs-Web Filtering
  - Web Filtering Events and Log Overview
- play_arrow Events and Logs-VPN
  - VPN Events and Logs Overview
- play_arrow Events and Logs-Content Filtering
  - Content Filtering Events and Logs Overview
- play_arrow Events and Logs-Antispam
  - Antispam Events and Logs Overview
- play_arrow Events and Logs-Antivirus
  - Antivirus Events and Logs Overview
- play_arrow Events and Logs-IPS
  - IPS Events and Logs Overview
- play_arrow Events and Logs-Screen
  - Screen Events and Logs Overview
- play_arrow Events and Logs-ATP Cloud
  - ATP Cloud Events and Logs Overview
- play_arrow Events and Logs-Apptrack
  - Apptrack Events and Logs Overview
- play_arrow Threat Prevention-Hosts
  - Infected Hosts Overview
  - Infected Host Details
- play_arrow Threat Prevention-C&C Servers
  - Command and Control Servers Overview
  - Command and Control Server Details
- play_arrow Threat Prevention-HTTP File Download
  - HTTP File Download Overview
  - HTTP File Download Details
- play_arrow Threat Prevention-Email Quarantine and Scanning
  - SMTP Quarantine Overview
  - Email Attachments Scanning Overview
  - Email Attachments Scanning Details
- play_arrow Threat Prevention-IMAP Block
  - IMAP Block Overview
- play_arrow Threat Prevention-Manual Upload
  - File Scanning Limits
- play_arrow Threat Prevention-Feed Status
  - Device Feed Status Details
- play_arrow Threat Prevention-All Hosts Status
  - All Hosts Status Details
- play_arrow Threat Prevention-DDoS Feeds Status
  - DDoS Feeds Status Details
- play_arrow Applications
  - About the Application Visibility Page
  - Application Visibility Overview
  - Block Applications
  - Block Users
  - Block Source IP Addresses
- play_arrow Live Threat Map
  - Threat Map Overview
  - Blocking Threat Events
- play_arrow Threat Monitoring
  - Threat Monitoring Overview
- play_arrow Alerts and Alarms - Overview
  - Alerts and Alarms Overview
- play_arrow Alerts and Alarms-Alerts
  - Deleting an Alert
  - Searching Alerts
  - Using Generated Alerts
- play_arrow Alerts and Alarms-Alert Definitions
  - Creating Alert Definitions
  - Editing Alert Definitions
  - Cloning Alert Definition
  - Deleting Alert Definitions
  - Searching Alert Definitions
  - Alert Definitions Main Page Fields
- play_arrow Alerts and Alarms-Alarms
  - Using Device Alarms
  - Device Alarms Main Page Fields
- play_arrow VPN
  - IPsec VPN Monitoring Overview
  - About the Overview Page
  - Managing Monitored and Unmonitored VPNs
  - About the Monitored Tunnels Page
  - About the Devices Page
- play_arrow Insights
  - How to Monitor Incidents
  - How to Monitor Mitigation
- play_arrow Job Management
  - Using Job Management in Security Director
  - Overview of Jobs in Security Director
  - Archiving and Purging Jobs in Security Director
  - Viewing the Details of a Job in Security Director
  - Canceling Jobs in Security Director
  - Reassigning Jobs in Security Director
  - Rescheduling and Modifying the Recurrence of Jobs in Security Director
  - Retrying a Failed Job on Devices in Security Director
  - Exporting the Details of a Job in Security Director
  - Job Management Main Page Fields
- play_arrow Audit Logs
  - Using Audit Logs in Security Director
  - Understanding Audit Logs in Security Director
  - Purging or Archiving and Purging Audit Logs in Security Director
  - Exporting Audit Logs in Security Director
  - Viewing the Details of an Audit Log in Security Director
  - Audit Logs Main Page Fields
- play_arrow Packet Capture
  - Packet Capture Overview
  - About the Packets Captured Page
  - Setting the Purge Policy
- play_arrow NSX Inventory-Security Groups
  - About the Security Groups Page
  - View Members of a Security Group
- play_arrow vCenter Server Inventory-Virtual Machines
  - About the Virtual Machines Page
  - View Network Details of a Virtual Machine
  - View Security Groups of a Virtual Machine
- play_arrow Data Plane Packet Capture
  - About the Data Plane Packet Capture Page
  - Capture Data Plane Packets
play_arrow Devices
play_arrow Configure
- play_arrow Firewall Policy-Standard Policies
  - Firewall Policies Overview
  - Policy Ordering Overview
  - Creating Firewall Policies
  - Firewall Policies Best Practices
  - Creating Firewall Policy Rules
  - Rule Base Overview
  - Firewall Policy Locking Modes
  - Rule Operations on Filtered Rules Overview
  - Create and Manage Policy Versions
  - Assigning Devices to Policies
  - Comparing Policies
  - Export Policies
  - Creating Custom Columns
  - Promoting to Group Policy
  - Converting Standard Policy to Unified Policy
  - Probe Latest Policy Hits
  - Disable Firewall Policy Rules Based on Hits Over a Specified Duration
  - Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
  - Importing Policies
  - Delete and Replace Policies and Objects
  - Unassigning Devices from Policies
  - Edit and Clone Policies and Objects
  - Publishing Policies
  - Showing Duplicate Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Updating Policies on Devices
  - Firewall Policies Main Page Fields
  - Firewall Policy Rules Main Page Fields
- play_arrow Firewall Policy-Unified Policies
  - About the Unified Policies Page
  - Unified Policy Overview
  - Creating Unified Firewall Policies
  - Creating Unified Firewall Policy Rules
  - Configuring a Default SSL Proxy Profile
  - Configure a Default IDP Policy
- play_arrow Firewall Policy-Devices
  - Devices with Firewall Policies Main Page Fields
- play_arrow Firewall Policy-Schedules
  - Schedules Overview
  - Creating Schedules
  - Schedules Main Page Fields
- play_arrow Firewall Policy-Profiles
  - Understanding Firewall Policy Profiles
  - Understanding Captive Portal Support for Unauthenticated Browser Users
  - Creating Firewall Policy Profiles
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Assigning Policies and Profiles to Domains
  - Firewall Policy Profiles Main Page Fields
- play_arrow Firewall Policy-Templates
  - Understanding Firewall Policy Templates
  - Creating Firewall Policy Templates
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Firewall Policy Templates Main Page Fields
- play_arrow Firewall Policy-Secure Web Proxy
  - About the Secure Web Proxy Page
  - Create a Secure Web Proxy Profile
  - Edit, Clone, and Delete a Secure Web Proxy Profile
  - Assign Secure Web Proxy Profile to a Domain
  - Find Secure Web Proxy Profile Usage Details
- play_arrow Firewall Policy-DNS Security & ETI Profile
  - DNS Security and Encrypted Traffic Insights Overview
  - About the DNS Security and ETI Profile Page
  - Create a DNS Security and ETI Profile
  - Clone, Edit, and Delete DNS Security and ETI Profile
- play_arrow Firewall Policy-DNS Security & ETI Policy
  - About the DNS Security and ETI Policy Page
  - Create a DNS Security and ETI Policy
  - Edit and Delete DNS Security and ETI Policy
- play_arrow Firewall Policy-DNS Sinkhole
  - About the DNS Sinkhole Page
  - Create a Sinkhole
  - Assign Devices to a Sinkhole
  - Unassign Devices from a Sinkhole
  - Clone a Sinkhole
  - Assign a Sinkhole to a Domain
  - Publish a DNS Sinkhole Policy
  - Update a DNS Sinkhole Policy
  - Edit and Delete a Sinkhole
- play_arrow Environment
  - Environment Variables and Conditions Overview
  - About the Environment Page
  - Creating a New Environment Variable
  - Editing and Deleting Environment Variables
  - Creating a New Environment Condition
  - Editing and Deleting Environment Conditions
- play_arrow Application Firewall Policy-Policies
  - Understanding Application Firewall Policies
  - Creating Application Firewall Policies
  - Delete and Replace Policies and Objects
  - Edit and Clone Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Finding Usages for Policies and Objects
  - Application Firewall Policies Main Page Fields
- play_arrow Application Firewall Policy-Signatures
  - Understanding Custom Application Signatures
  - Creating Application Signatures
  - Editing, Cloning, and Deleting Custom Application Signatures
  - Creating Application Signature Groups
  - Application Signatures Main Page Fields
- play_arrow Application Firewall Policy-Redirect Profiles
  - About the Redirect Profiles Page
  - Adding a Redirect Profile
  - Cloning, Editing, and Deleting Redirect Profiles
- play_arrow SSL Profiles
  - SSL Forward Proxy Overview
  - Creating SSL Forward Proxy Profiles
  - SSL Forward Proxy Profile Main Page Fields
  - SSL Reverse Proxy Overview
  - Creating SSL Reverse Proxy Profiles
- play_arrow User Firewall Management-Active Directory
  - About the Active Directory Profile Page
  - Creating Active Directory Profiles
  - Deploying the Active Directory Profile to SRX Series Devices
  - Editing and Deleting Active Directory Profiles
- play_arrow User Firewall Management-Access Profile
  - Access Profile Overview
  - About the Access Profile Page
  - Creating Access Profiles
  - Deploying the Access Profile to SRX Series Devices
  - Editing and Deleting Access Profiles
- play_arrow User Firewall Management-Address Pools
  - About the Address Pool Page
  - Create Address Pool
  - Edit and Delete Address Pool
- play_arrow User Firewall Management-Identity Management
  - Juniper Identity Management Service Overview
  - About the Identity Management Profile Page
  - Creating Identity Management Profiles
  - Editing, Cloning, and Deleting Identity Management Profiles
  - Updating the Identity Management Profile to SRX Series Devices
- play_arrow User Firewall Management-End User Profile
  - End User Profile Overview
  - About the End User Profile Page
  - Creating an End User Profile
  - Edit and Delete End User Profile
  - End User Profile Operations
- play_arrow IPS Policy-Policies
  - Understanding IPS Policies
  - Creating IPS Policies
  - Creating IPS Policy Rules
  - Publishing Policies
  - Updating Policies on Devices
  - Assigning Devices to Policies
  - Create and Manage Policy Versions
  - Creating Rule Name Template
  - Export Policies
  - Unassigning Devices to Policies
  - Viewing and Synchronizing Out-of-Band IPS Policy Changes Manually
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Assigning Policies and Profiles to Domains
  - IPS Policies Main Page Fields
- play_arrow IPS Policy-Devices
  - Understanding IPS Policies
  - Devices with IPS Policies Main Page Fields
- play_arrow IPS Policy-Signatures
  - Understanding IPS Signatures
  - Creating IPS Signatures
  - Creating IPS Signature Static Groups
  - Creating IPS Signature Dynamic Groups
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - IPS Policy Signatures Main Page Fields
- play_arrow IPS Policy-Templates
  - Understanding IPS Policy Templates
  - Creating IPS Policy Templates
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - IPS Policy Templates Main Page Fields
- play_arrow NAT Policy-Policies
  - NAT Overview
  - NAT Global Address Book Overview
  - Creating NAT Policies
  - Publishing Policies
  - NAT Policy Rules Main Page Field
  - Creating NAT Rules
  - Updating Policies on Devices
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Assigning Policies and Profiles to Domains
  - Comparing Policies
  - Create and Manage Policy Versions
  - Export Policies
  - Assigning Devices to Policies
  - Unassigning Devices to Policies
  - Creating Rule Name Template
  - Viewing and Synchronizing Out-of-Band NAT Policy Changes Manually
  - Configuring NAT Rule Sets
  - Auto Grouping
  - NAT Policies Main Page Fields
- play_arrow NAT Policy-Devices
  - Devices with NAT Policies Main Page Fields
- play_arrow NAT Policy-Pools
  - Creating NAT Pools
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Showing Duplicate Policies and Objects
  - Assigning Policies and Profiles to Domains
  - NAT Pools Main Page Fields
- play_arrow NAT Policy-Port Sets
  - Creating Port Sets
  - Delete and Replace Policies and Objects
  - Edit and Clone Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Showing Duplicate Policies and Objects
  - Assigning Policies and Profiles to Domains
  - Port Sets Main Page Fields
- play_arrow Content Security Policy-Policies
  - Content Security Overview
  - Creating Content Security Policies
  - Comparing Policies
  - Delete and Replace Policies and Objects
  - Viewing Policy and Shared Object Details
  - Assigning Policies and Profiles to Domains
  - Showing Duplicate Policies and Objects
  - Edit and Clone Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Content Security Policies Main Page Fields
- play_arrow Content Security Policy-Web Filtering Profiles
  - Creating Web Filtering Profiles
  - Selecting a Web Filtering Solution
  - Web Filtering Profile Main Page Fields
- play_arrow Content Security Policy-Category Update
  - About the Category Update Page
  - Configuring the Download URL Settings
  - Downloading and Installing URL Categories
  - Uploading and Installing URL Categories
  - Installing URL Categories on SRX Series Devices
- play_arrow Content Security Policy-Antivirus Profiles
  - Creating Antivirus Profiles
  - Antivirus Profile Main Page Fields
- play_arrow Content Security Policy-Antispam Profiles
  - Creating Antispam Profiles
  - Antispam Profile Main Page Fields
- play_arrow Content Security Policy-Content Filtering Profiles
  - Creating Content Filtering Profiles
  - Content Filtering Profile Main Page Fields
- play_arrow Content Security Policy-Global Device Profiles
  - Creating Device Profiles
  - Device Profiles Main Page Fields
- play_arrow Content Security Policy-Default Configuration
  - About the Default Configuration Page
  - Create a Default Content Security Configuration
  - Edit and Clone the Default Configuration
  - View and Delete Unused Default Configuration
- play_arrow Content Security Policy-URL Patterns
  - Creating URL Patterns
- play_arrow Content Security Policy-Custom URL Categories
  - Creating Custom URL Category Lists
- play_arrow Application Routing Policies
  - Understanding Application-Based Routing
  - About the Application Routing Policies Page
  - Configuring Advanced Policy-Based Routing Policy
  - About the Rules Page (Advanced Policy-Based Routing)
  - Creating Advanced Policy-Based Routing Rules
  - About the App Based Routing Page
  - Edit and Clone Policies and Objects
  - Assigning Devices to Policies
  - Customizing Profile Names
  - Publishing Policies
  - Updating Policies on Devices
- play_arrow Threat Prevention - Policies
  - Creating Threat Prevention Policies
  - Threat Prevention Policy Overview
  - Threat Policy Analysis Overview
  - Implementing Threat Policy on VMWare NSX
- play_arrow Threat Prevention - Feed Sources
  - About the Feed Sources Page
  - Juniper ATP Cloud Realm Overview
  - Juniper ATP Cloud Malware Management Overview
  - Juniper ATP Cloud Email Management Overview
  - File Inspection Profiles Overview
  - Juniper ATP Cloud Email Management: SMTP Settings
  - Configure IMAP Settings
  - Creating Juniper ATP Cloud Realms and Enrolling Devices or Associating Sites
  - Modifying Juniper ATP Cloud Realm
  - Creating File Inspection Profiles
  - Creating Allowlist for Juniper ATP Cloud Email and Malware Management
  - Creating Blocklists for Juniper ATP Cloud Email and Malware Management
  - Add ATP Appliance Server
  - Edit or Delete a ATP Appliance Server
  - Custom Feed Sources Overview
  - Creating Custom Feeds
  - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
  - Configuring Settings for Custom Feeds
- play_arrow IPsec VPN-VPNs
  - IPsec VPN Overview
  - Create a Site-to-Site VPN
  - Create a Hub-and-Spoke (Establishment All Peers) VPN
  - Create a Hub-and-Spoke (Establishment by Spokes) VPN
  - Create a Hub-and-Spoke Auto Discovery VPN
  - Create a Full Mesh VPN
  - Create a Remote Access VPN—Juniper Secure Connect
  - Create a Remote Access VPN—NCP Exclusive Client
  - IPsec VPN Global Settings
  - Understanding IPsec VPN Modes
  - Comparison of Policy-Based VPNs and Route-Based VPNs
  - Understanding IPsec VPN Routing
  - Understanding IKE Authentication
  - Publishing IPsec VPNs
  - Updating IPSec VPN
  - Modify IPsec VPN Settings
  - Viewing Tunnels
  - Importing IPsec VPNs
  - Deleting IPSec VPN
  - IPsec VPN Main Page Fields
- play_arrow IPsec VPN-Extranet Devices
  - Creating Extranet Devices
  - Find Usage for Extranet Devices
  - Extranet Devices Main Page Fields
- play_arrow IPsec VPN-Profiles
  - VPN Profiles Overview
  - Creating VPN Profiles
  - Edit and Clone IPsec VPN profiles
  - Assigning Policies and Profiles to Domains
  - VPN Profiles Main Page Fields
- play_arrow Insights
  - About the Log Parsers Page
  - Create a New Log Parser
  - Edit and Delete a Log Parser
  - About the Log Sources Page
  - Add a Log Source
  - Edit and Delete a Log Source
  - View Log Statistics
  - About the Event Scoring Rules Page
  - Create an Event Scoring Rule
  - Edit and Delete Event Scoring Rules
  - About the Incident Scoring Rules Page
  - Create an Incident Scoring Rule
  - Edit and Delete Incident Scoring Rules
- play_arrow Shared Objects-Geo IP
  - Creating Geo IP Policies
  - Geo IP Overview
  - Delete and Replace Policies and Objects
- play_arrow Shared Objects-Policy Enforcement Groups
  - Creating Policy Enforcement Groups
  - Policy Enforcement Groups Overview
- play_arrow Shared Objects-Addresses
  - Addresses and Address Groups Overview
  - Creating Addresses and Address Groups
  - Import and Export CSV Files
  - Assigning Addresses and Address Groups to Domains
  - Showing Duplicate Policies and Objects
  - Delete and Replace Policies and Objects
  - Addresses Main Page Fields
- play_arrow Shared Objects-Services
  - Services and Service Groups Overview
  - Creating Services and Service Groups
  - Import and Export CSV Files
  - Delete and Replace Policies and Objects
  - Showing Duplicate Policies and Objects
- play_arrow Shared Objects-Variables
  - Variables Overview
  - Creating Variables
  - Editing Variables
  - Import and Export CSV Files
  - Showing Duplicate Policies and Objects
- play_arrow Shared Objects-Zone Sets
  - Understanding Zone Sets
  - Creating Zone Sets
  - Edit and Clone Policies and Objects
  - Delete and Replace Policies and Objects
  - Finding Usages for Policies and Objects
  - Show and Delete Unused Policies and Objects
  - Showing Duplicate Policies and Objects
  - Viewing Policy and Shared Object Details
  - Zone Sets Main Page Fields
- play_arrow Shared Objects-Metadata
  - Metadata-Based Policy Enforcement Overview
  - About the Metadata Page
  - Creating a Metadata
- play_arrow Change Management-Change Requests
  - Change Control Workflow Overview
  - Creating a Firewall or NAT Policy Change Request
  - About the Changes Submitted Page
  - Approving and Updating Changes Submitted
  - Creating and Updating a Firewall Policy Using Change Control Workflow
  - Editing, Denying, and Deleting Change Requests
  - About the Changes Not Submitted Page
  - Discarding Policy Changes
  - Viewing Submitted and Unsubmitted Policy Changes
- play_arrow Change Management-Change Request History
  - About the Change Request History Page
- play_arrow Overview of Policy Enforcer and Juniper ATP Cloud
  - Policy Enforcer Overview
  - Benefits of Policy Enforcer
  - Juniper ATP Cloud Overview
- play_arrow Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Juniper ATP Cloud)
  - Policy Enforcer Components and Dependencies
  - Policy Enforcer Configuration Concepts
  - Juniper ATP Cloud Configuration Type Overview
  - Features By Juniper ATP Cloud Configuration Type
  - Available UI Pages by Juniper ATP Cloud Configuration Type
  - Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps
- play_arrow Installing Policy Enforcer
  - Policy Enforcer Installation Overview
  - Deploying and Configuring the Policy Enforcer with OVA files
  - Installing Policy Enforcer with KVM
  - Policy Enforcer Ports
  - Identifying the Policy Enforcer Virtual Machine In Security Director
  - Obtaining a Juniper ATP Cloud License
  - Creating a Juniper ATP Cloud Web Portal Login Account
  - Loading a Root CA
  - Upgrading Your Policy Enforcer Software
- play_arrow Configuring Policy Enforcer Settings and Connectors
  - Policy Enforcer Settings
  - Policy Enforcer Connector Overview
  - Creating a Policy Enforcer Connector for Public and Private Clouds
  - Creating a Policy Enforcer Connector for Third-Party Switches
  - Editing and Deleting a Connector
  - Viewing VPC or Projects Details
  - Integrating ForeScout CounterACT with Juniper Networks Connected Security
  - ClearPass Configuration for Third-Party Plug-in
  - Cisco ISE Configuration for Third-Party Plug-in
  - Integrating Pulse Policy Secure with Juniper Networks Connected Security
  - Policy Enforcer Backup and Restore
- play_arrow Guided Setup-ATP Cloud with SDSN
  - Using Guided Setup for Juniper ATP Cloud with Juniper Connected Security
- play_arrow Guided Setup-ATP Cloud
  - Using Guided Setup for Juniper ATP Cloud
- play_arrow Guided Setup for No ATP Cloud (No Selection)
  - Using Guided Setup for No Juniper ATP Cloud (No Selection)
- play_arrow Manual Configuration- ATP Cloud with SDSN
  - Configuring Juniper ATP Cloud with Juniper Connected Security (Without Guided Setup) Overview
- play_arrow Manual Configuration-ATP Cloud
  - Configuring Juniper ATP Cloud (No Juniper Connected Security and No Guided Setup) Overview
  - Creating Juniper ATP Cloud Realms and Enrolling Devices or Associating Sites
- play_arrow Cloud Feeds Only Threat Prevention
  - Configuring Cloud Feeds Only
- play_arrow Configuring No ATP Cloud (No Selection) (without Guided Setup)
  - Configuring No ATP Cloud (No Selection) (without Guided Setup) Overview
- play_arrow Migration Instructions for Spotlight Secure Customers
  - Moving From Spotlight Secure to Policy Enforcer
play_arrow Reports
- play_arrow Reports
play_arrow Administration
- play_arrow My Profile
  - Modifying Your User Profile in Security Director
- play_arrow Users and Roles-Users
- play_arrow Users and Roles-Roles
- play_arrow Users and Roles-Domains
- play_arrow Users and Roles-Remote Profiles
- play_arrow Logging Management
  - Logging and Reporting Overview
- play_arrow Logging Management-Logging Nodes
- play_arrow Logging Management-Statistics & Troubleshooting
  - Using the Log Statistics and Troubleshooting
- play_arrow Logging Management-Logging Devices
  - Logging Devices Main Page Fields
  - Creating Security Logs
- play_arrow Monitor Settings
  - About the Monitor Settings Page
  - Monitor Settings Overview
- play_arrow Signature Database
- play_arrow License Management
  - About the License Notification Settings Page
  - Notification Settings
- play_arrow Migrating Content from NSM to Security Director
  - NSM Migration
- play_arrow Policy Sync Settings
  - About the Policy Sync Settings Page
  - Out-of-Band Changes Overview
- play_arrow Insights Management

list Table of Contents

English

SSL Forward Proxy Overview

date_range 16-Oct-23

arrow_backward

arrow_forward

Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.

Server authentication guards against fraudulent transmissions by enabling a Web browser to validate the identity of a Web server. Confidentiality mechanisms ensure that communications are private. SSL enforces confidentiality by encrypting data to prevent unauthorized users from eavesdropping on electronic communications. Finally, message integrity ensures that the contents of a communication have not been tampered with.

SSL forward proxy is a transparent proxy; that is, it performs SSL encryption and decryption between the client and the server, but neither the server nor the client can detect its presence. SSL forward proxy ensures that it has the keys to encrypt and decrypt the payload:

For the server, SSL forward proxy acts as a client—Because SSL forward proxy generates the shared pre-primary key, it determines the keys to encrypt and decrypt.
For the client, SSL forward proxy acts as a server—SSL forward proxy first authenticates the original server and replaces the public key in the original server certificate with a key that is known to it. It then generates a new certificate by replacing the original issuer of the certificate with its own identity and signs this new certificate with its own public key (provided as a part of the proxy profile configuration). When the client accepts such a certificate, it sends a shared pre-primary key encrypted with the public key on the certificate. Because SSL forward proxy replaced the original key with its own key, it is able to receive the shared pre-primary key. Decryption and encryption take place in each direction (client and server), and the keys are different for both encryption and decryption.

Figure 1 depicts how SSL inspection (on an existing SRX Series IPS module) is typically used to protect servers. SSL inspection requires access to private keys used by the servers so that the SRX Series device can decrypt the encrypted traffic.

Figure 1: SSL Inspection on an Existing SRX Series Firewall

Figure 2 shows how SSL forward proxy works on an encrypted payload. When application firewall (AppFW), intrusion prevention system (IPS), or application tracking (AppTrack) is configured, SSL forward proxy acts as an SSL server terminating the SSL session from the client and a new SSL session is established to the server. The device decrypts and then re-encrypts all SSL forward proxy traffic. SSL forward proxy uses the following services:

SSL-T-SSL terminator on the client side.
SSL-I-SSL initiator on the server side.
Configured AppFW, IPS, or AppTrack services use the decrypted SSL sessions.

Note:

If none of the services (AppFW, IPS, or AppTrack) are configured, then SSL forward proxy services are bypassed even if an SSL proxy profile is attached to a firewall policy. IPS does not perform SSL inspection on a session if SSL forward proxy is enabled for that session. That is, if both SSL inspection and SSL forward proxy are enabled on a session, SSL forward proxy always takes precedence.

Figure 2: SSL Proxy on an Encrypted Payload

Supported Ciphers in Proxy Mode

An SSL cipher comprises encryption ciphers, authentication method, and compression. Table 1 displays a list of supported ciphers. NULL ciphers are excluded.

The following SSL protocols are supported:

SSLv3
TLS1

Table 1: Supported Ciphers in Proxy Mode
SSL Cipher	Key Exchange Algorithm	Data Encryption	Message Integrity
RSA_WITH_RC4_128_MD5	RSA key exchange	128-bit RC4	Message Digest 5 (MD5) hash
RSA_WITH_RC4_128_SHA	RSA key exchange	128-bit RC4	Secure Hash Algorithm (SHA) hash
RSA_WITH_DES_CBC_SHA	RSA key exchange	DES CBC	SHA hash
RSA_WITH_3DES_EDE_CBC_SHA	RSA key exchange	3DES EDE/CBC	SHA hash
RSA_WITH_AES_128_CBC_SHA	RSA key exchange	128-bit AES/CBC	SHA hash
RSA_WITH_AES_256_CBC_SHA	RSA key exchange	256-bit AES/CBC	SHA hash
RSA_EXPORT_WITH_RC4_40_MD5	RSA-export	40-bit RC4	MD5 hash
RSA_EXPORT_WITH_DES40_CBC_SHA	RSA-export	40-bit DES/CBC	SHA hash
RSA_EXPORT1024_WITH_DES_CBC_SHA	RSA 1024 bit export	DES/CBC	SHA hash
RSA_EXPORT1024_WITH_RC4_56_MD5	RSA 1024 bit export	56-bit RC4	MD5 hash
RSA_EXPORT1024_WITH_RC4_56_SHA	RSA 1024 bit export	56-bit RC4	SHA hash
RSA-WITH-AES-256-GCM-SHA384	RSA key exchange	256-bit AES/GCM	SHA384 hash
RSA-WITH-AES-256-CBC-SHA256	RSA key exchange	256-bit AES/CBC	SHA256 hash
RSA-WITH-AES-128-GCM-SHA256	RSA key exchange	128-bit AES/GCM	SHA256 hash
RSA-WITH-AES-128-CBC-SHA256	RSA key exchange	128-bit AES/CBC	SHA256 hash

Server Authentication

Implicit trust between the client and the device (because the client accepts the certificate generated by the device) is an important aspect of SSL proxy. It is extremely important that server authentication is not compromised; however, in reality, self-signed certificates and certificates with anomalies are in abundance. Anomalies can include expired certificates, instances of common name not matching a domain name, and so forth.

Server authentication is governed by selecting the Ignore Server Authentication option in the SSL forward proxy profile.

If the Ignore Server Authentication option is not selected, the following scenarios occur:

If authentication succeeds, a new certificate is generated by replacing the keys and changing the issuer name to the issuer name that is configured in the root CA certificate in the proxy profile.
If authentication fails, the connection is dropped.

If the Ignore Server Authentication option is defined as an action in the SSL forward proxy profile, the following scenarios occur:

If the certificate is self-signed, a new certificate is generated by replacing the keys only. The issuer name is not changed. This ensures that the client browser displays a warning that the certificate is not valid.
If the certificate has expired or if the common name does not match the domain name, a new certificate is generated by replacing the keys and changing the issuer name to SSL-PROXY: DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE. This ensures that the client browser displays a warning that the certificate is not valid.

Trusted CA List

SSL forward proxy ensures secure transmission of data between a client and a server. Before establishing a secure connection, SSL forward proxy checks certificate authority (CA) certificates to verify signatures on server certificates. For this reason, a reasonable list of trusted CA certificates is required to effectively authenticate servers.

Ignore Server Authentication

You can use the Ignore Server Authentication option to ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Root CA

In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.

Session Resumption

An SSL session refers to the set of parameters and encryption keys created by performing a full handshake. A connection is the conversation or active data transfer that occurs within the session. The computational overhead of a complete SSL handshake and generation of primary keys is considerable. In short-lived sessions, the time taken for the SSL handshake can be more than the time for data transfer. To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-primary secret key and agreed-upon ciphers, can be cached for both the client and server. The cached information is identified by a session ID. In subsequent connections both parties agree to use the session ID to retrieve the information rather than create a new pre-primary secret key. Session resumption shortens the handshake process and accelerates SSL transactions.

SSL Proxy Logs

When logging is enabled in an SSL proxy profile, SSL proxy can generate the messages shown in Table 2.

Table 2: SSL Proxy Logs
Log Type	Description
SSL_PROXY_SSL_SESSION_DROP	Logs generated when a session is dropped by SSL proxy.
SSL_PROXY_SSL_SESSION_ALLOW	Logs generated when a session is processed by SSL proxy even after encountering some minor errors.
SSL_PROXY_SESSION_IGNORE	Logs generated if non-SSL sessions are initially mistaken as SSL sessions.
SSL_PROXY_SESSION_ALLOWLIST	Logs generated when a session is allowlisted.
SSL_PROXY_ERROR	Logs used for reporting errors.
SSL_PROXY_WARNING	Logs used for reporting warnings.
SSL_PROXY_INFO	Logs used for reporting general information.

All logs contain similar information; the message field contains the reason for the log generation. One of three prefixes shown in Table 3 identifies the source of the message. Other fields are descriptively labeled.

Table 3: SSL Proxy Log Prefixes
Prefix	Description
system	Logs generated due to errors related to the device or an action taken as part of the SSL proxy profile. Most logs fall into this category.
openssl error	Logs generated during the handshaking process if an error is detected by the openssl library.
certificate error	Logs generated during the handshaking process if an error is detected in the certificate (x509 related errors).

Perfect Forward Secrecy

Perfect Forward Secrecy is a specific key agreement protocol that provides assurance that your session keys are not compromised even if the private key of the server is compromised. By generating a unique session key for every session a user initiates, even if a single session keys gets compromised does not affect any data other than that exchanged in a specific session protected by that particular key.

The Elliptic Curve DHE (ECDHE) cipher suits are supported to enable the perfect forward secrecy on SSL forward proxy. The SSL forward proxy still uses RSA for authentication. However, it uses EC Diffie-Hellman ephemeral key exchange to agree on a shared secret.

ECDHE cipher suites are faster than the DHE counterparts and therefore, the SSL forward proxy supports only ECDHE cipher suits. The ECDHE cipher suits are based on the elliptic curve cryptography which allows you to achieve the same level of security than RSA with smaller keys. For example, a 224 bit elliptic curve is as secure as a 2048 bit RSA key.

Table 4 shows the supported ECDHE cipher suits.

Table 4: Supported ECDHE Cipher Suits
SSL Cipher	Key Exchange Algorithm	Data Encryption	Message Integrity
ECDHE-RSA-WITH-AES-256-GCM-SHA384	ECDHE RSA	256-bit AES/GCM	SHA 384 hash
ECDHE-RSA-WITH-AES-256-CBC-SHA384	ECDHE RSA	256-bit AES/CBC	SHA 384 hash
ECDHE-RSA-WITH-AES-256-CBC-SHA	ECDHE RSA	256-bit AES/CBC	SHA hash
ECDHE-RSA-WITH-AES-3DES-EDE-CBC-SHA	ECDHE RSA	3DES AES/EDE/CBC	SHA hash
ECDHE-RSA-WITH-AES-128-GCM-SHA256	ECDHE RSA	128-bit AES/GCM	SHA 256 hash
ECDHE-RSA-WITH-AES-128-CBC-SHA256	ECDHE RSA	128-bit AES/CBC	SHA 256 hash
ECDHE-RSA-WITH-AES-128-CBC-SHA	ECDHE RSA	128-bit AES/CBC	SHA hash

arrow_backward PREVIOUS Cloning, Editing, and Deleting Redirect Profiles

NEXT arrow_forward Creating SSL Forward Proxy Profiles

Junos Space Security Director User Guide

ON THIS PAGE

SSL Forward Proxy Overview

Supported Ciphers in Proxy Mode

Server Authentication

Trusted CA List

Ignore Server Authentication

Root CA

Session Resumption

SSL Proxy Logs

Perfect Forward Secrecy

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry

Junos Space Security Director User Guide

ON THIS PAGE

SSL Forward Proxy Overview

Supported Ciphers in Proxy Mode

Server Authentication

Trusted CA List

Ignore Server Authentication

Root CA

Session Resumption

SSL Proxy Logs

Perfect Forward Secrecy

Related Documentation

Stay in touch