Creating Firewall Policy Profiles

Before You Begin

  • Read the Understanding Firewall Policy Profiles topic.

  • Create zones.

  • Create an application (or application set) that indicates that the policy applies to traffic of that type.

  • Create the policy.

  • Create schedulers if you plan to use them for your policies.

  • Review the policy profiles main page for an understanding of your current data set. See Firewall Policy Profiles Main Page Fields for field descriptions.

Use this page to create an object that specifies the basic settings of a security policy. You can configure the following basic settings using a policy profile:

  • Log options

  • Firewall authentication schemes

  • Traffic redirection options

When a policy profile is created, Junos Space creates an object in the Junos Space database to represent the policy profile. You can use this object to create security policies.

The security policies enforce rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. Also, you can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times.

To configure a policy profile:

  1. Select Configure > Firewall Policy > Profiles.
  2. Click the + icon.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK.

A new policy profile with the predefined policy configurations is created. You can use this object in security policies.

Table 1: Firewall Policy Profile Settings (each setting name is followed by its guidelines)

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Description

Enter a description for the policy profile; maximum length is 1024 characters.

Template

Select a Security Director device template. The template's predefined, device-deployable configuration is applied by replacing its variables with actual values and evaluating its control logic statements.

Logging

Session Initiate

Select this option to enable logging of events when sessions are created.

Session Close

Select this option to enable logging of events when sessions are closed.

When logging is enabled, the system logs at session close time by default.

Count

Select this option to enable counting. Once enabled, the packets, bytes, and sessions that enter the device for a given policy are counted.

You can configure counts in an individual policy.

Alarm Threshold

Bytes to be Logged

Enter the alarm threshold, in bytes per second, of all network traffic the policy allows to pass through the device in both directions, from client to server and from server to client.

The range is from 0 through 4,294,967,295.

Count Value

Enter the alarm threshold, in kilobytes per minute, of all network traffic the policy allows to pass through the device in both directions, from client to server and from server to client.

The range is from 0 through 4,294,967,295.

Authentication

Authentication Type

Select an option to restrict or permit users individually or in groups:

  • None—No authentication is performed; the policy permits or restricts clients without authenticating the user.

  • Pass Through—Allows the user to use an FTP, Telnet, or HTTP client to access the IP address of the protected resource in another zone. Subsequent traffic from the user or host is allowed or denied based on the result of this authentication.

  • Web—Policy allows access to users who have previously been authenticated by Web authentication.

  • User Firewall—Uses the username and role information to determine whether to permit or deny a user's session or traffic.

  • Infranet—Pushes the user and role information for all authenticated users from the Access Control Service.

Authentication Type - Pass Through

Client Name

Enter the names of the users or user groups in a profile for whom this policy allows access. If you do not specify any users or user groups, then any user who is successfully authenticated is allowed access.

Client Direction

Select an option for redirecting HTTP requests:

  • Redirect to web—Redirects an HTTP request to the device and redirects the client system to a webpage for authentication. This gives users an easier authentication process because they need to know only the name or IP address of the resource they are trying to access.

  • Redirect to HTTPS—Redirects unauthenticated HTTP requests to the internal HTTPS webserver of the device.

Access Profile Name

Enter a name for the access profile to be used for authentication.

Auth Only Browser

Enable this option to configure the firewall authentication to ignore non-browser HTTP/HTTPS traffic.

This ensures that the unauthenticated users issuing access requests through HTTP/HTTPS browsers are presented with a captive portal interface to allow them to authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic.

Auth User Agent

Specify a user agent value to be matched against values specified in the browser’s User-Agent header field that identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces. The length of the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser’s User-Agent field for a match.

You can use this parameter with the Pass Through or User Firewall authentication types, either on its own or in conjunction with the Auth Only Browser parameter.

Authentication Type - Web

Client Name

Enter the names of the users or user groups who have already been Web authenticated and for whom this policy allows access. Web authentication must be enabled on one of the addresses on the interface to which the HTTP request is redirected.

Authentication Type - User Firewall

Domain Name

Enter a domain name for firewall authentication in the event that the Windows Management Instrumentation client (WMIC) is not available to get IP-to-user mapping for the integrated user firewall feature.

The maximum length is 63 characters.

Access Profile Name

Enter a name for the access profile to be used for authentication.

Auth Only Browser

Enable this option to configure the firewall authentication to ignore non-browser HTTP/HTTPS traffic.

This ensures that the unauthenticated users issuing access requests through HTTP/HTTPS browsers are presented with a captive portal interface to allow them to authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic.

Auth User Agent

Specify a user agent value to be matched against values specified in the browser’s User-Agent header field that identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces. The length of the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser’s User-Agent field for a match.

You can use this parameter with the Pass Through or User Firewall authentication types, either on its own or in conjunction with the Auth Only Browser parameter.

Authentication Type - User Infranet

Redirect URL

Enter a URL for the webpage to which the client is directed. For example: https://www.juniper.net/.

Redirect Options

Select an option to redirect encrypted or unencrypted traffic:

  • None—To not redirect any traffic

  • All Traffic—To redirect the encrypted traffic

  • Unauthenticated Traffic—To redirect the unencrypted traffic

Advanced Settings

Services Offload

Select from the following options:

  • None—Select to delete the configured service from the device.

  • Enable—Select to enable services offload. When services offload is enabled, only the first packets of a session go to the SPU. The rest of the packets in services offload mode do not go to the SPU; therefore, some security features such as stateful screen are not supported. You can offload services only for TCP and UDP packets.

  • Disable—Select to disable services offload.

Note:

Both logical systems and tenant systems support the disable services offload feature.

Destination Address Translation

Select an option to specify whether the traffic permitted by the policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated:

  • Drop Untranslated—You do not want to translate the destination address. Traffic permitted by the policy is limited to packets where the destination IP address has not been translated.

  • Drop Translated—You want to translate the destination address. Traffic permitted by the policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule.

Redirect Options

Select an option to define the acceleration policy for WX redirection of packets to the WXC Integrated Service Module (ISM 200) for WAN acceleration:

  • None—You do not want traffic to be redirected.

  • Redirect WX—You want to enable WX redirection for packets that arrive from the LAN.

  • Reverse Redirect WX—You want to enable WX redirection for the reverse flow of packets that arrive from the WAN.

During the redirection process, the direction of the WX packet and its type determine further processing of the packet.

TCP-Session Options

TCP-SYN

Enable this option for the device to reject TCP segments with non-SYN flags set unless they belong to an established session.

TCP Sequence

Enable this option to monitor the TCP byte sequence counter and to validate the trusted acknowledgment number against the untrusted sequence number.

Window Scale

Enable this option to allow TCP window scaling, which increases the network transmission speed.

Initial TCP MSS

Select the TCP maximum segment size (MSS) for packets arriving at the ingress interface (initial direction). If the value in the packet is higher than the one you select, the configured value overrides the TCP MSS value in the incoming packet.

The range is 64 through 65535.

Reverse TCP MSS

Select the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session. If the value in the packet is higher than the one you select, the configured value replaces the TCP MSS value.

The range is 64 through 65535.
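Before a profile is pushed from Junos Space, the limits listed in Table 1 can be checked locally so that a bad value is rejected before it reaches the device. The following validator is an added example, not code from the Junos Space or Security Director product; the dictionary keys (name, auth_user_agent, initial_tcp_mss, and so on) are assumed field names chosen for this example, not the product's API.

```python
# Added example (not Junos Space code): validate a firewall policy profile
# against the limits documented in Table 1 before submitting it.
import re

# Name: alphanumerics, colons, periods, dashes, underscores; no spaces; max 63.
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")
U32_MAX = 4_294_967_295           # alarm threshold range: 0 through 4,294,967,295
MSS_RANGE = (64, 65535)           # initial / reverse TCP MSS range
AUTH_TYPES = {"None", "Pass Through", "Web", "User Firewall", "Infranet"}


def validate_profile(p: dict) -> list:
    """Return the list of Table 1 violations; an empty list means the profile is acceptable."""
    errors = []
    if not NAME_RE.match(p.get("name", "")):
        errors.append("name: 1-63 characters of [A-Za-z0-9:._-], no spaces")
    if len(p.get("description", "")) > 1024:
        errors.append("description: longer than 1024 characters")
    for key in ("bytes_per_second", "kilobytes_per_minute"):   # alarm thresholds
        v = p.get(key)
        if v is not None and not 0 <= v <= U32_MAX:
            errors.append(f"{key}: must be 0..{U32_MAX}")
    for key in ("initial_tcp_mss", "reverse_tcp_mss"):
        v = p.get(key)
        if v is not None and not MSS_RANGE[0] <= v <= MSS_RANGE[1]:
            errors.append(f"{key}: must be {MSS_RANGE[0]}..{MSS_RANGE[1]}")
    auth = p.get("auth_type", "None")
    if auth not in AUTH_TYPES:
        errors.append(f"auth_type: unknown value {auth!r}")
    ua = p.get("auth_user_agent")
    if ua is not None:
        # One value only, no spaces, at most 17 characters (e.g. "Opera").
        if " " in ua or not 1 <= len(ua) <= 17:
            errors.append("auth_user_agent: no spaces, 1-17 characters")
        # The parameter applies to the Pass Through and User Firewall types only.
        if auth not in ("Pass Through", "User Firewall"):
            errors.append("auth_user_agent: only valid with Pass Through or User Firewall")
    if auth == "User Firewall" and len(p.get("domain_name", "")) > 63:
        errors.append("domain_name: longer than 63 characters")
    return errors


# Constructed sample profiles for demonstration (not taken from the documentation).
GOOD = {"name": "web-auth-profile", "description": "Pass-through auth for web",
        "auth_type": "Pass Through", "auth_user_agent": "Opera",
        "bytes_per_second": 100000, "initial_tcp_mss": 1380}
BAD = {"name": "bad name", "auth_type": "Web", "auth_user_agent": "Mozilla Firefox",
       "reverse_tcp_mss": 40, "kilobytes_per_minute": U32_MAX + 1}
```

Running validate_profile(BAD) reports five violations (name, user agent format, user agent with the Web type, reverse MSS, and the kilobyte threshold), while GOOD passes cleanly.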