Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating Firewall Policies

Before You Begin

  • Read the Firewall Policies Overview topic.

  • Review the firewall policies main page for an understanding of your current data set. See Firewall Policies Main Page Fields for field descriptions.

  • Create source (from-zone) and destination (to-zone) zones.

  • Create addresses and address sets.

  • Create services (applications) and service sets (application sets).

Use the Create Firewall Policies page to configure group or device policies that determine all the network resources within your organization and that identify the required security level for those resources.

To create a firewall policy:

  1. Select Configure > Firewall Policy > Standard Policies.

    The Standard Policies page is displayed.

  2. Click the + icon.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK. A firewall policy is created. You can click on the policy to assign rules inline or select the policy and click the + icon to configure policy rules. See Creating Firewall Policy Rules.

A new policy is created according to your configuration. You can use this policy to assign rules, profiles, and schedules, To enable a policy, you must assign it to a domain. See Assigning Policies and Profiles to Domains.

Table 1: Firewall Policy Settings

Setting

Guideline
General Information

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters.

Description

Enter a description for the group policy rules; maximum length is 255 characters. Comments entered in this field are sent to the device.

Policy Options

Profile

Select a profile for the policy:

  • Log Session Init—Record entries for session start events. A traffic log that records session start events does not include bytes sent and received or session duration, but you can use the log to verify when the session was initially created.

  • Log Session Close—Record entries for session close events. A traffic log that records session close information also lists a reason for the end of the session.

  • All Logging Enabled—Logs are created for both session initiation and session closing. Logs can be used for troubleshooting.

  • All Logging Disabled—Logs are not recorded for both session initiation and session closing.

Type

Select the type of policy you want to create:

  • Group Policy—Firewall policy that is shared with multiple devices. This type of policy is used when you want to update a specific firewall policy configuration to a large set of devices. You can create group prerules, group postrules, and device rules for a group policy.

  • Device Policy—Firewall policy that is created per device. This type of policy is used when you want to push a unique firewall policy configuration per device. You can create device rules for a device firewall policy. During a device assignment for a device policy, only devices from the current domain are listed.
Device Selection

Devices

Starting Junos Space Security Director Release 16.2, both SRX Series devices and MX Series routers are listed. When a policy is published to a device, device-specific rules are published to the appropriate SRX Series devices or MX Series routers.

Select the devices on which the group policy will be published. For a group policy, you can include both SRX Series devices and MX Series routers. Select devices from the Available column and click the right arrow to move these devices to the Selected column. For device only policy, select the device with which you want to associate the policy.

Note:

You can also search for devices by entering the device name, device IP address, or device tags in the Search fields in the Devices area. Once the searched devices appear, you can move them to the Selected pane.

Note:

Starting in Junos Space Security Director Release 20.1R1, logical system (LSYS) is supported on devices running Junos OS Release 18.3 and later.

Starting in Junos Space Security Director Release 21.2R1, tenant system (TSYS) is supported on devices running Junos OS Release 18.3 and later for SRX Series devices and Junos OS Release 20.1 and later for vSRX Virtual Firewall Series devices.
Policy Sequence

Policy Placement

(For Group Policy only). Select Before Device Specific Policies or After Device Specific Policies. This decides the policy order when the devices policy configuration information is updated on the devices.

Policy Sequence No.

(For Group Policy only). Select this option to specify the order number for the policy. Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used. For more information, see Policy Ordering Overview.

Related Documentation

Release History Table
Release
Description
16.2
Starting Junos Space Security Director Release 16.2, both SRX Series devices and MX Series routers are listed.