Creating Firewall Policy Profiles
Before You Begin
- Read the Understanding Firewall Policy Profiles topic.
- Create zones.
- Create an application (or application set) that indicates that the policy applies to traffic of that type.
- Create the policy.
- Create schedulers if you plan to use them for your policies.
- Review the policy profiles main page for an understanding of your current data set. See Firewall Policy Profiles Main Page Fields for field descriptions.
Use this page to create an object that specifies the basic settings of a security policy. You can configure the following basic settings using a policy profile:
- Log options
- Firewall authentication schemes
- Traffic redirection options
When a policy profile is created, Junos Space creates an object in the Junos Space database to represent the policy profile. You can use this object to create security policies.
Security policies enforce rules for transit traffic: which traffic can pass through the firewall, and the actions that are taken on that traffic as it passes through. You can also control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times.
To configure a policy profile:
- Select Configure > Firewall Policy > Profiles.
- Click the + icon.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK.
A new policy profile with the predefined policy configurations is created. You can use this object in security policies.
Table 1: Policy profile settings

| Settings | Guidelines |
|---|---|
| Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters. |
| Description | Enter a description for the policy profile; the maximum length is 1024 characters. |
| Template | Select a Security Director device template. Its predefined, device-deployable configuration is used after the template variables are replaced with actual values and the control-logic statements are evaluated. |
| Logging | |
| Session Initiate | Select this option to enable logging of events when sessions are created. |
| Session Close | Select this option to enable logging of events when sessions are closed. When logging is enabled, the system logs at session close time by default. |
| Count | Select this option to enable counting. When enabled, the packets, bytes, and sessions that enter the device for a given policy are counted. You can configure counts in an individual policy. |
| Alarm Threshold | |
| Bytes to be Logged | Enter the alarm threshold, in bytes per second, of all network traffic the policy allows to pass through the device in both directions, from client to server and from server to client. The range is from 0 through 4,294,967,295. |
| Count Value | Enter the alarm threshold, in kilobytes per minute, of all network traffic the policy allows to pass through the device in both directions, from client to server and from server to client. The range is from 0 through 4,294,967,295. |
| Authentication | |
| Authentication Type | Select an option to restrict or permit users individually or in groups (Pass Through, Web, User Firewall, or User Infranet). |
| Authentication Type - Pass Through | |
| Client Name | Enter the names of the users or user groups in a profile for whom this policy allows access. If you do not specify any users or user groups, any user who is successfully authenticated is allowed access. |
| Client Direction | Enable an option to redirect HTTP requests: |
| Access Profile Name | Enter the name of the access profile to be used for authentication. |
| Auth Only Browser | Enable this option to configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. This ensures that unauthenticated users who issue access requests from HTTP/HTTPS browsers are presented with a captive portal where they can authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic. |
| Auth User Agent | Specify a user agent value to be matched against the browser's User-Agent header field; a match identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces, and the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser's User-Agent field for a match. You can use this parameter with the Pass Through or User Firewall authentication types, either on its own or in conjunction with the Auth Only Browser parameter. |
| Authentication Type - Web | |
| Client Name | Enter the names of the users or user groups who have already been Web authenticated and for whom this policy allows access. Web authentication must be enabled on one of the addresses on the interface to which the HTTP request is redirected. |
| Authentication Type - User Firewall | |
| Domain Name | Enter a domain name for firewall authentication, used when the Windows Management Instrumentation client (WMIC) is not available to obtain the IP-to-user mapping for the integrated user firewall feature. The maximum length is 63 characters. |
| Access Profile Name | Enter the name of the access profile to be used for authentication. |
| Auth Only Browser | Enable this option to configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. This ensures that unauthenticated users who issue access requests from HTTP/HTTPS browsers are presented with a captive portal where they can authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic. |
| Auth User Agent | Specify a user agent value to be matched against the browser's User-Agent header field; a match identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces, and the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser's User-Agent field for a match. You can use this parameter with the Pass Through or User Firewall authentication types, either on its own or in conjunction with the Auth Only Browser parameter. |
| Authentication Type - User Infranet | |
| Redirect URL | Enter the URL of the webpage to which the client is directed. For example: https://www.juniper.net/. |
| Redirect Options | Select an option to redirect encrypted or unencrypted traffic: |
| Advance Settings | |
| Services Offload | Select from the following options: Note: Both logical systems and tenant systems support the disable services offload feature. |
| Destination Address Translation | Select an option to specify whether the traffic permitted by the policy is limited to packets whose destination IP address has been translated by a destination NAT rule, or to packets whose destination IP address has not been translated: |
| Redirect Options | Select an option to define the acceleration policy for WX redirection of packets to the WXC Integrated Service Module (ISM 200) for WAN acceleration. During redirection, the direction of the WX packet and its type determine how the packet is processed further. |
| TCP-Session Options | |
| TCP-SYN | Enable this option for the device to reject TCP segments that do not have the SYN flag set unless they belong to an established session. |
| TCP Sequence | Enable this option to monitor the TCP byte sequence counter and to validate the trusted acknowledgment number against the untrusted sequence number. |
| Window Scale | Enable this option to allow TCP window scaling, which increases network transmission speed. |
| Initial TCP MSS | Select the TCP maximum segment size (MSS) for packets arriving at the ingress interface (initial direction). If the value in the packet is higher than the one you select, the configured value overrides the TCP MSS value in the incoming packet. The range is 64 through 65535. |
| Reverse TCP MSS | Select the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session. If the value in the packet is higher than the one you select, the configured value replaces the TCP MSS value. The range is 64 through 65535. |
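As an added illustration (not from this page, and not the output Security Director itself generates), the following Junos SRX set-format configuration shows what the profile settings in Table 1 correspond to once the profile is applied to a security policy. The zone names, policy name, access profile name, client-match name and threshold values are placeholders, and the exact rendering Security Director produces for a given template may differ.

```junos
# Constructed example: policy "allow-web" from zone "trust" to zone "untrust"; all names are placeholders.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
# Logging: Session Initiate and Session Close
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
# Count with Alarm Threshold: Bytes to be Logged (bytes per second) and Count Value (kilobytes per minute)
set security policies from-zone trust to-zone untrust policy allow-web then count alarm-threshold byte-threshold 1000000
set security policies from-zone trust to-zone untrust policy allow-web then count alarm-threshold kilobyte-threshold 60000
# Authentication Type - Pass Through: Access Profile Name, Client Name, Client Direction (HTTP redirect),
# Auth Only Browser and Auth User Agent (17 characters or less, no spaces)
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through access-profile fw-auth-profile
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through client-match contractors
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through web-redirect
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through auth-only-browser
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through auth-user-agent Opera
# Services Offload (Advance Settings)
set security policies from-zone trust to-zone untrust policy allow-web then permit services-offload
# Destination Address Translation: permit only packets whose destination address was translated by destination NAT
set security policies from-zone trust to-zone untrust policy allow-web then permit destination-address drop-untranslated
# TCP-Session Options: TCP-SYN, TCP Sequence, Window Scale, Initial TCP MSS and Reverse TCP MSS (range 64-65535)
set security policies from-zone trust to-zone untrust policy allow-web then permit tcp-options syn-check-required
set security policies from-zone trust to-zone untrust policy allow-web then permit tcp-options sequence-check-required
set security policies from-zone trust to-zone untrust policy allow-web then permit tcp-options window-scale
set security policies from-zone trust to-zone untrust policy allow-web then permit tcp-options initial-tcp-mss 1380
set security policies from-zone trust to-zone untrust policy allow-web then permit tcp-options reverse-tcp-mss 1380
```

After the policy has been pushed to the device, `show security policies policy-name allow-web detail` on the SRX confirms which logging, counting, authentication and TCP options the profile actually applied.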