Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Juniper Security Director® is the next generation on-premises security management product for SRX Series Firewalls and vSRX. For more details, visit Juniper Security Director documentation page or contact your sales team.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos Space Security Director Junos Space Security Director User Guide Configure Firewall Policy-Standard Policies

Junos Space Security Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos Space Security Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Creating Firewall Policy Rules

date_range 07-Nov-23
arrow_backward
arrow_forward

Before You Begin

  • Read the Overview Firewall Policies topic.

  • Review the Firewall Rules main page for an understanding of your current data set. See Firewall Policy Rules Main Page Fields for field descriptions.

Use the Create Rule page to configure firewall rules that control transit traffic within a context (source zone to destination zone). The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.

Security Director allows a device to have a device-specific policy and to be part of multiple group policies. Rules for a device are updated in this order:

  • Rules within Policies Applied Before 'Device Specific Policies'

  • Rules within Device-Specific Policies

  • Rules within Policies Applied After 'Device Specific Policies'

Rules within Policies Applied Before 'Device Specific Policies' take priority and cannot be overridden. However, you can override rules within Policies Applied After 'Device Specific Policies' by adding an overriding rule in the Device-Specific Policies. In an enterprise scenario, “common-must-enforce” rules can be assigned to a device from the Policies Applied Before ‘Device Specific Policies’, and “common-nice-to-have” rules can be assigned to a device from the Policies Applied After ‘Device Specific Policies’.

Note:

An exception can be added on a per device basis in “Device-Specific Policies” . For a complete list of rules applied to a device, select Configure > Firewall Policy > Devices. Select a device to view rules associated with that device.

To configure a firewall policy rule:

  1. Select Configure > Firewall Policy.
  2. Select the policy for which you want to define rules and click the + icon.

    The Create Rules page appears.

    Note:

    To edit and create rules inline, click the policy to make the fields editable.

  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK.

    The rules you configured are associated with the selected policy.

Table 1: Firewall Policy Rules Setting

Setting

Guideline

General Information

Rule Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the; maximum length is 63 characters.

Description

Enter a description for the policy rules; maximum length is 1024 characters. Comments entered in this field are sent to the device.

Identify the traffic that the rule applies to

(Source) Zone

For SRX Series devices, specify a source zone (from-zone) to define the context for the policy. Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Starting in Junos Space Security Director Release 16.2, for MX Series routers, the source zone field acts as an ingress interface from where the packet enters. The match direction is input, if the packet is entering the interface. The match direction is output, if the packet is leaving the interface. Configure the ingress key by selecting the aggregated multiservices (AMS) value.

Starting in Junos Space Security Director Release 16.2, polymorphic zones can be used as source zone and destination zone, when you assign SRX Series devices and MX Series routers to the same group policy.

(Source) Address(es)

Enter one or more address names or address set names. Click Select to add source addresses.

On the Source Address page:

  • Include Any Address—Add any address to the firewall rule.

  • Include Specific—Add the selected source address to the rule.

    When you add an NSX manager, the security groups are synchronized and the corresponding dynamic address groups (DAG) are created in Security Director database. For your NSX manager, select the required DAGs from the list.

  • Exclude Specific—Exempt the selected source addresses from the rule.

  • By Metadata Filter—Choose the matching address of a user-defined metadata as the source address.

    • Metadata Filter—Click the field to select the required metadata from the list. The matching addresses are filtered and listed in the Matched Address field.

    • Matched Addresses—Lists the addresses matching the selected metadata. This address is used as a source address.

      For every metadata expression, a unique dynamic address group (DAG) is created. This DAG has the feed server URL pointing to the feed server URL of Security Director.

      Office 365 is now included in the list of third party feeds to push Microsoft Office 365 services endpoint information (IP addresses) to the SRX Series device. This feed works differently from other feeds and requires certain configuration parameters, including a pre-defined name of “ipfilter_office365”. You must enable the Office 365 feed in Juniper ATP Cloud. To understand how to enable the Office 365 feed in Juniper ATP Cloud and create a DAG on the SRX Series device that refers to the ipfilter_office365 feed, see Enabling Third Party Threat Feeds.

      Configure the feed server URL by using the following CLI command to each SRX Series device or vSRX that acts on the metadata based policies.

      set security dynamic-address feed-server <SD IP Address> hostname <SD IP Address>

See Creating Addresses and Address Groups.

(Source) User ID

Specify the source identity (users and roles) to be used as match criteria for the policy. You can have different policy rules based on user roles and user groups.

Click Select to specify source identities to permit or deny. On the User ID page, you can select a user identity from the available list or you can add a new identity by clicking Add New User ID.

To delete a user identity from the Security Director database, click Delete User ID and select a value from the drop-down list, which is not configured in any policy. If you try to delete a user identity which is configured in a policy, a message with its reference ID and user ID are displayed.

Note:

The user IDs which are only created in Security Director are displayed in the drop-down list.

(Source) End User Profile

Select an end user profile from the list. The firewall policy rule is applied to it.

When traffic from device A arrives at an SRX Series device, the SRX Series obtains the IP address of device A from the first traffic packet and uses it to search the device identity authentication table for a matching device identity entry. Then it matches that device identity profile with a security policy whose End User Profile field specifies the device identity profile name. If a match is found, the security policy is applied to traffic issuing from device A.

(Destination) Zone

For SRX Series devices, specify a destination zone (to-zone) to define the context for the policy. Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

Starting in Junos Space Security Director Release 16.2, for MX Series routers, this field acts as an egress interface from where the packet enters. The match direction is input, if the packet is entering the interface. The match direction is output, if the packet is leaving the interface. Configure the egress key by selecting the aggregated multiservices (AMS) value.

Polymorphic zones can be used as source zone and destination zone, when you assign SRX Series devices and MX Series routers to the same group policy.

(Destination) Address(es)

Select one or more address names or address sets. Click Select to add destination addresses.

On the Destination Address page:

  • Select the Include option to add the selected destination addresses or any address to the rule.

  • Select the Exclude option to exempt the selected destination addresses from the rule.

  • Select the By Metadata Filter option to choose the matching address of a user-defined metadata as the destination address.

    • Metadata Filter—Click the field to select the required metadata from the list. The matching addresses are filtered and listed in the Matched Address field.

    • Matched Addresses—Lists the addresses matching the selected metadata. This address is used as a destination address.

      For every metadata expression, a unique dynamic address group(DAG) is created. This DAG has the feed server URL pointing to the feed server URL of Security Director.

      Office 365 is now included in the list of third party feeds to push Microsoft Office 365 services endpoint information (IP addresses) to the SRX Series device. This feed works differently from other feeds and requires certain configuration parameters, including a pre-defined name of “ipfilter_office365”. You must enable the Office 365 feed in Juniper ATP Cloud. To understand how to enable the Office 365 feed in Juniper ATP Cloud and create a DAG on the SRX Series device that refers to the ipfilter_office365 feed, see Enabling Third Party Threat Feeds.

      Configure the feed server URL by using the following CLI command to each SRX Series device or vSRX that acts on the metadata based policies.

      set security dynamic-address feed-server <SD IP Address> hostname <SD IP Address>

See Creating Addresses and Address Groups.

(Destination) URL Category

Select one or more predefined or custom URL category as a match criterion. URL category is supported on devices running Junos OS Release 18.4R3 and later.

Click Select to select a URL category. Select one or more predefined or custom URL categories from the Available list and move them to the Selected list. Click OK.

(Service Protocols) Services

Select one or more service (application) names. Select the Include, Any Service to disable the any option in the services list builder. Clear the Any Service check box to permit or deny services from the services list builder available column. Click Add New Service to create a service. See Creating Services and Service Groups.

Application Signatures

Click the + icon to add the application signatures. You can add both predefined and custom application signatures.

Advanced Security

Rule Action

Action applies to all traffic that matches the specified criteria.

  • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable.

  • Reject—Device sends a TCP reset if the protocol is TCP, and device sends an ICMP reset if the protocols are UDP, ICMP, or any other IP protocol. This option is useful when facing trusted resources so that the applications do not waste time waiting for timeouts and instead get the active message.

  • Permit—Device permits traffic using the type of firewall authentication you applied to the policy.

  • Tunnel—Device permits traffic using the type of VPN tunneling options you applied to the policy.

Advanced Security

Firewall policies provide a core layer of security that ensures that network traffic is restricted to only that which a policy dictates through its match criteria.

Firewall policies provide a core layer of security that ensures that network traffic is restricted to only that which a policy dictates through its match criteria. When the traditional policy is not enough, select application identification components to create an advanced security profile for the policy:

  • App Firewall—Select this option to enforce traditional firewall controls on the traffic while layering application firewall to ensure that applications conform not only to the port information but also to what is transmitted between a client and a server. You can permit, deny, and reject applications. There is also a special redirect feature for HTTP and HTTPS.

    Click the Add New link to create application firewall policy and click Add New APPFW Rule to create rules. See Creating Application Firewall Policies.

  • SSL Forward Proxy—Select this option to enable an application-level protocol that provides encryption technology for the Internet.

    Click Add Forward Proxy to create SSL Forward Proxy Profiles. See Creating SSL Forward Proxy Profiles.

    Click Add Reverse Proxy to create SSL Reverse Proxy Profiles. See Creating SSL Reverse Proxy Profiles.

  • IPS—Select the IPS value as On or Off.

  • IPS Policy—Provides support for IPS policy within the standard firewall policy. Select an IPS policy to assign to the firewall policy. IPS policies that are not assigned to any device are listed in the drop-down.

    For devices with Junos OS Release 18.2 onward, CLI configuration for the assigned IPS policy is generated along with the standard firewall policy.

    Note:

    The rule action should be Permit.

    • In Junos OS Release 18.1 and earlier, if you have configured a policy with both IPS as On or Off and an IPS policy, Security Director ignores the IPS policy and sends only IPS On CLI command to the device.

    • In Junos OS Release 18.2 and later, if you have configured a policy with both IPS as On or Off and an IPS Policy, Security Director ignores the IPS On CLI command and sends only the IPS policy CLI command to the device.

  • UTM—Select this option to define Layer 7 protection against client-side threats.

    Click Add New to create Content Security policies. See Creating UTM Policies.

  • Secure Web Proxy—Select a secure Web proxy profile created in Create a Secure Web Proxy Profile.

    You can use secure Web proxy to enable traffic for selected applications to bypass the external proxy server and sent directly to a webserver.

  • Threat Prevention Policy—Select an option to provide protection and monitoring for the selected threat profiles, including command and control servers, infected hosts, and malware.

Note:

For creating inline application firewall policy, SSL proxy profiles, and Content Security, the rule action must be permit.

Threat Profiling

Juniper ATP Cloud Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events.

Starting in Junos Space Security Director Release 21.2, you can configure a firewall policy with source and destination addresses as threat types, which injects the source IP address and destination IP address into the selected threat feed when traffic matches the rule. Threat feed can be leveraged by other devices as a dynamic-address-group (DAG).

Add Source IP to Feed—Select a security feed from the list. The source IP address is added to the threat feed when the traffic matches the rule.

Add Destination IP to Feed—Select a security feed from the list. The destination IP address is added to the threat feed when the traffic matches the rule.

Note:

To use these fields, first enroll the devices in ATP Cloud and then configure Policy Enforcer to display feeds in the drop-down list.

Rule Options

Profile

Select a default profile or a custom profile, or you can inherit a policy profile from another policy. Policy profile specifies the basic settings of a security policy. See Creating Firewall Policy Profiles.

Schedule

Policy schedules allow you to define when a policy is active, and thus are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours. Multiple schedulers can be applied to different policies, but only one scheduler can be active per policy. Select a pre-saved schedule and the schedule options are populated with the selected schedule’s data. Click New to create another schedule.

Rule Analysis

New Rule, Perform Analysis

Select this option if you want to analyze your rules to avoid any anomalies.

Rule Placement

Location/Sequence

Displays the sequence number and the order in which the rule is placed.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
16.2
Starting in Junos Space Security Director Release 16.2, for MX Series routers, the source zone field acts as an ingress interface from where the packet enters.
16.2
Starting in Junos Space Security Director Release 16.2, polymorphic zones can be used as source zone and destination zone, when you assign SRX Series devices and MX Series routers to the same group policy.
16.2
Starting in Junos Space Security Director Release 16.2, for MX Series routers, this field acts as an egress interface from where the packet enters.
arrow_backward PREVIOUS Firewall Policies Best Practices
NEXT arrow_forward Rule Base Overview
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top