About the Secure Edge Policy Page

To access this page, click Secure Edge > Security Policy.

A Secure Edge policy specifies what actions to take for specific sets of traffic. Use the Secure Edge Policy page to view and manage policy rules. You can filter and sort this information to get a better understanding of what you want to configure.

Policy rules are executed in the order of their appearance. You must be aware of the following:

  • Policy rules are applied from top to bottom. For example, suppose a Secure Edge policy has two rules, Rule-a and Rule-b. Rule-b has sequence number 1 and Rule-a has sequence number 2. When you deploy the policy, the rules are applied in the following sequence:

    1. Rule-b

    2. Rule-a

  • Newly created policy rules go to the end of the list.

  • If you have configured an external probe setting at Secure Edge > Service Management > External Probe, then a new policy rule is automatically created with the prefix Secure-Edge-External-Probe-Rule. The external probe rule is placed as the first rule in the order. You cannot edit, delete, or change the order of the external probe rule.

  • You can change the order of policy rules. See Reorder a Security Policy Rule for more details.

  • The last rule in the policy list is the default policy, which has the default action of denying all traffic.

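  • A policy rule can mask another policy rule. Because the first rule that matches the traffic is used, a rule placed higher in the list can prevent a rule below it from ever being matched.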
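
The ordering and masking behaviour described above can be checked offline before a deployment. The following is an added example, not Juniper code: the `Rule` model, the `any` wildcard, and the sample policy are constructed assumptions, and the check only flags a rule whose sources, destinations, and applications are all fully covered by a rule above it.

```python
# Added illustration; the rule model and sample data below are constructed,
# not an export format of Secure Edge.
from dataclasses import dataclass

ANY = frozenset({"any"})  # assumption: "any" stands for a wildcard field

@dataclass(frozen=True)
class Rule:
    seq: int
    name: str
    sources: frozenset
    destinations: frozenset
    apps: frozenset
    action: str  # Permit, Deny, Reject, or Redirect

def covers(outer: frozenset, inner: frozenset) -> bool:
    """True if every value matched by `inner` is also matched by `outer`."""
    return outer == ANY or (inner != ANY and inner <= outer)

def first_match(rules, src, dst, app):
    """Top-to-bottom lookup: return the first rule that matches the traffic."""
    for r in sorted(rules, key=lambda r: r.seq):
        if all(f == ANY or v in f for f, v in
               ((r.sources, src), (r.destinations, dst), (r.apps, app))):
            return r
    return None  # not reached when the final default deny rule is present

def masked_rules(rules):
    """Return (masked, masking) name pairs: a lower rule fully covered by a higher one."""
    ordered = sorted(rules, key=lambda r: r.seq)
    pairs = []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            if (covers(high.sources, low.sources)
                    and covers(high.destinations, low.destinations)
                    and covers(high.apps, low.apps)):
                pairs.append((low.name, high.name))
                break
    return pairs

fs = frozenset
POLICY = [  # constructed sample policy
    Rule(1, "Rule-b", fs({"sales"}), ANY, fs({"HTTP", "HTTPS"}), "Permit"),
    Rule(2, "Rule-a", fs({"sales"}), fs({"gambling"}), fs({"HTTP"}), "Deny"),
    Rule(3, "default", ANY, ANY, ANY, "Deny"),
]
```

In this sample, Rule-a is intended to deny a URL category but is masked by the broader Rule-b above it; placing Rule-a first removes the masking.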

Tasks You Can Perform

You can perform the following tasks from this page:

  • Create a Secure Edge policy. See Add a Secure Edge Policy Rule.
  • Modify, clone, or delete a Secure Edge policy. See Edit, Clone, and Delete a Secure Edge Policy Rule.
  • Deploy a Secure Edge policy. See Deploy Secure Edge Policies.
  • Search for a Secure Edge policy. Click the search icon in the top-right corner of the page. You can enter partial text or full text of the keyword in the text box, and press Enter. The search results are displayed on the same page.
  • Show or hide columns. Click the Show Hide Columns icon in the top-right corner of the page.

Field Description

Table 1 provides guidelines on using the fields on the Secure Edge Policy page.

Table 1: Fields on the Secure Edge Policy Page

Field: Description

Seq: The order number for the policy. The policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used.

Below the sequence number, you can also see the hit count. It displays how often a particular policy is used based on traffic flow. The hit count is the number of hits since the last reset.

Rule Name: The name of the Secure Edge policy.

Sources: The source endpoint to which a Secure Edge policy applies. A source endpoint consists of sites, addresses, and user groups.

Destinations: The destination endpoint to which a Secure Edge policy applies. A destination endpoint can be addresses and URL categories.

Applications/Services: The applications and services associated with the security policy.

Action: The action applies to all traffic that matches the specified criteria.
  • Permit—Device permits traffic using the type of security authentication applied to the policy.
  • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP Unreachable.
  • Reject—Device sends a TCP reset if the protocol is TCP, and sends an ICMP Unreachable if the protocol is UDP, ICMP, or any other IP protocol. This option is useful when dealing with trusted resources, so that applications do not waste time waiting for timeouts and instead get the active message.
  • Redirect—The redirect URL or a custom message to be shown when HTTP requests are blocked.

Security Subscriptions: The advanced security options are:
  • IPS—IPS profile to monitor and prevent intrusions.
  • Decrypt—Decrypt profile to decrypt the SSL encryption.
  • Web Filtering—Web filtering to prevent access to inappropriate Web content over HTTP.
  • Content Filtering—Content filtering filters the content based on the file type, application, and direction.
  • SecIntel—SecIntel profiles that are grouped together.
  • Anti-malware—Anti-malware profile to scan the content for any malware and take actions when malware is detected.
  • CASB—Juniper Cloud Access Security Broker (CASB) profiles to detect and respond to insider threats and advanced cyberattacks.

Options: This displays scheduling, logging, and captive portal options applicable to the Secure Edge policy.

The captive portal option is available only if you configure the following:

  • Sources—unauthenticated-user user group

  • Action—Permit