Creating Application Firewall Policies

Before You Begin

Read the Understanding Application Firewall Policies topic.
Have a basic understanding of firewall rules.
Have a basic understanding of an application (or application set) that indicates that the policy applies to traffic that matches it.
Review the application firewall policies main page for an understanding of your current data set. See Application Firewall Policies Main Page Fields for field descriptions.

Use the Application Firewall Policies page to configure an application firewall policy and to specify the rule set to be applied to it.

An application firewall:

Permits, rejects, or denies traffic based on the application of the traffic.
Consists of one or more rule sets that specify match criteria and the action to be taken for matching traffic.
Identifies not only HTTP but also any application running on top of it, letting you properly enforce policies. For example, an application firewall rule could block HTTP traffic from Facebook but allow Web access to HTTP traffic from MS Outlook.

To configure an application firewall policy, you must create a policy and then add rules to it. To create an application firewall policy:

Select Configure > Application Firewall Policy > Policies.
Click the + icon.
Complete the configuration according to the guidelines provided in the Table 1.
Click OK.

To add rules to the application firewall policy:

Click Add Rules for the policy you created.
Click +.
Complete the configuration according to the guidelines provided in the Table 2.
Click OK.

A new application firewall policy with your configurations is created. You can add rules to this policy to provide additional security.

Table 1: Application Firewall Policies Settings
Settings	Guidelines
Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Description	Enter a description for the policy; maximum length is 1024 characters.

Table 2: Add Rule Settings
Settings	Guidelines
Rule Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Application Signatures	Select an option to add or delete an application signature. Select one or more available application signatures to add to the rules.
Encryption	Select an option to specify different actions for encrypted and unencrypted SSL traffic: Any—Matches both encrypted and unencrypted SSL traffic. Yes—Matches encrypted SSL traffic only. No—Matches unencrypted SSL traffic only.
Action	Select an option for any traffic that matches the application firewall rule set: Permit—Allows the traffic at the firewall. Deny—Blocks traffic, closes the session, and logs the event from an application firewall. By default, no message is returned to the client. But you can choose to send a message. Reject—Drops traffic with a message to the client, closes the session, and logs the event from an application firewall.
Notify user on blocking (Deny or Reject)	Select whether or not to notify clients when drop or reject actions are logged from an application firewall: Yes—Displays a default message or customized message, or redirects the clients for denied HTTP or HTTPS traffic. All other traffic is dropped silently. No—No message is sent to the client.
Default Action—Default Action for other applications (not matching any rule)	Select an option for any traffic that does not match any defined application firewall rule: Permit—Allows the traffic at the firewall. Deny—Blocks the traffic and the device drops the packet. By default, no message is returned to the client but you can choose to send a message. Reject—Drops the traffic. By default the device drops the packet and returns a TCP reset (RST) message to the source host and to the server in some cases. For UDP or other protocol traffic, an ICMP unreachable message is returned to both client and server.
Block Message—Block Message Type	Select an option to provide a text explanation to the client, redirect the client to an informative webpage, or do nothing after a reject or deny action from an application firewall: Not Configured—No message is returned to the client. Custom Message—Enter text to display with splash screen to inform the client that the traffic has been blocked. Redirect URL—Enter URL to redirect the client to a custom webpage instead of the default splash screen. For example: https://www.juniper.net/.

Creating Application Firewall Policies

Related Documentation