Add a Secure Edge Policy Rule

Create a Secure Edge policy rule to manage transit traffic within a context. The traffic is identified by matching its source sites, source and destination addresses, and application protocol headers with the policy database. You can also enable advanced security protection by specifying the following:

  • Intrusion prevention system (IPS) profile
  • Decrypt profile
  • Web filtering
  • Content filtering
  • SecIntel group
  • Anti-malware
  • Cloud Access Security Broker (CASB)

Juniper Secure Edge provides the following methods to authenticate your on-premises users and devices:

  • Juniper Identity Management System (JIMS)—Deploy JIMS Collectors at your sites. JIMS fetches authenticated, domain-joined users from Active Directory and sends the details to the Juniper Secure Edge service. This enables users to access applications through Juniper Secure Edge without re-authenticating.

    Note:

    You can get user group information without deploying on-premises JIMS Collectors. Configure Identity Provider (IdP) settings in Juniper Secure Edge to fetch the information from Microsoft Entra ID (Azure AD) or Okta. Juniper Secure Edge acquires the user group details from these sources, and administrators can use them to build security policies.

  • Captive portal—You can enable the captive portal feature to require Juniper Secure Edge to authenticate your on-premises users. This is useful when you need Juniper Secure Edge to authenticate users who are not joined to the domain, and it can serve as a backup authentication method if the JIMS Collectors cannot reach your Active Directory servers. By default, this feature is turned off for on-premises users. Before enabling the captive portal feature, consider the following:

    • Create policy exceptions for on-premises users, like guest users, and for devices that cannot be authenticated by your Active Directory.

      • Ensure that the policy exceptions are listed before the captive portal policy to grant these users or devices access through Juniper Secure Edge.
      • Allocate these users and devices their own IP subnets to efficiently manage policy configurations.
    • The captive portal policy works only for browser traffic.

    • Set the DHCP lease time to five hours. Renew the lease before it expires; if it is not renewed, the device gets a new IP address and the user must re-authenticate.
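As an added illustration that is not part of the Juniper documentation, the following Python models first-match evaluation over an ordered rule list (rule names, subnets and addresses are constructed). It shows the guest-subnet exception being shadowed when the captive-portal rule is listed first, and the per-transport notification behaviour of the Reject action described under Action in Table 1.

```python
"""Added example, not Juniper's own code: first-match evaluation of an
ordered list of Secure Edge-style rules. Rule names, subnets and client
addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    sources: list                 # CIDR strings and/or user-group names
    action: str                   # "permit", "deny" or "reject"
    captive_portal: bool = False  # only valid with unauthenticated-user + permit


def source_matches(rule, src_ip, user_group):
    """True if the client IP is in a listed subnet or its group is listed."""
    ip = ipaddress.ip_address(src_ip)
    for src in rule.sources:
        if src == user_group:
            return True
        try:
            if ip in ipaddress.ip_network(src, strict=False):
                return True
        except ValueError:        # not a CIDR: a group name that did not match
            pass
    return False


def evaluate(rules, src_ip, user_group="unauthenticated-user", proto="tcp"):
    """Return (rule name, outcome) of the first matching rule; no match -> deny."""
    for rule in rules:
        if not source_matches(rule, src_ip, user_group):
            continue
        if rule.captive_portal and user_group == "unauthenticated-user":
            return rule.name, "captive-portal"   # browser traffic gets the login page
        if rule.action == "reject":              # source is notified by transport
            notify = {"tcp": "tcp-reset", "udp": "icmp-port-unreachable"}
            return rule.name, "reject:" + notify.get(proto, "silent-drop")
        return rule.name, rule.action
    return None, "deny"                          # implicit default: nothing matched


GUEST_EXCEPTION = Rule("guest-wifi-exception", ["10.50.0.0/24"], "permit")
CAPTIVE_PORTAL = Rule("captive-portal", ["unauthenticated-user"], "permit",
                      captive_portal=True)
REJECT_LAN = Rule("reject-lan-example", ["10.0.0.0/8"], "reject")

if __name__ == "__main__":
    print(evaluate([GUEST_EXCEPTION, CAPTIVE_PORTAL], "10.50.0.10"))  # exception wins
    print(evaluate([CAPTIVE_PORTAL, GUEST_EXCEPTION], "10.50.0.10"))  # exception shadowed
    print(evaluate([REJECT_LAN], "10.1.2.3", "domain-users", proto="udp"))
```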

To configure a Secure Edge policy rule:

  1. Select Secure Edge > Security Policy.

    The Secure Edge Policy page is displayed.

  2. Click +.

    The options for creating a Secure Edge policy rule are displayed inline on the Secure Edge Policy page.

  3. Complete the configuration according to the guidelines provided in Table 1.
    Table 1: Fields on the Secure Edge Policy Add Page

    Rule Name: Enter a unique string beginning with a number or letter and consisting of letters, numbers, dashes and underscores. No spaces are allowed, and the maximum length is 63 characters. If you do not enter a name, the rule is saved with a default name assigned by Juniper Secure Edge.

    Description: Enter a description for the policy rule; the maximum length is 900 characters. The description must be a string excluding the '&', '<', '>' and '\n' characters.

    Sources: Click the add icon (+) to select the source end points on which the Secure Edge policy rule applies, from the displayed list of sites, addresses, and user groups.

    Destinations: Click the add icon (+) to select the destination end points on which the Secure Edge policy rule applies, from the displayed list of addresses and URL categories.

    Application/Services: Click the add icon (+) to select the applications and services.
    Note:

    Select the dependent applications for the CASB supported cloud applications. For information on the dependent applications, see Create a CASB Profile.

    Action: From the drop-down menu, select the action for the traffic between the source and destination.
    • Permit—Device permits the traffic.
    • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable.
    • Reject—Device drops the packet and sends the following message based on traffic type:
      • TCP traffic: Device sends the TCP reset message to the source host.
      • UDP traffic: Device sends the ICMP message “destination unreachable, port unreachable”.
      • For all other traffic: Device drops the packet without notifying the source host.
    • Redirect—When a policy blocks HTTP or HTTPS traffic with a reject action, you can define a response in the unified policy to notify the connected client. Redirect options:
      • Message—Select the message from the drop-down list or click Create redirect message and enter the message (in the Block Message field).

      • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

    Security Subscriptions
    Note:

    You can configure all the security subscription options only if you select Permit for the action.

    • IPS—When you set the action to Permit, you can enable an IPS profile.

      Enable an IPS profile to monitor and prevent intrusions.

    • Decrypt profile—When you set the action to Permit or Reject, you can specify a decrypt profile by selecting a profile from the list.

      You can use the Decrypt profile to specify the traffic that may be decrypted or bypassed for decryption by Secure Edge.

      Click Create New, if you want to add a new Decrypt profile.

      You must select a decrypt profile if you have selected a CASB profile.

      Note:

      If you use the CASB-supported Microsoft Teams application, you must edit the decrypt profile so that Teams activities can be identified.

      By default, the decrypt profile (exempt list) includes the following Microsoft URLs:

      • *.delivery.mp.microsoft.com
      • *.teams.microsoft.com
      • *.update.microsoft.com
      • *.vortex-win.data.microsoft.com
      • activation.sls.microsoft.com
      • update.microsoft.com
      • windowsupdate.microsoft.com
      • *.windowsupdate.microsoft.com

      You must remove *.teams.microsoft.com from the exempt list to identify Microsoft Teams activities.

    • Web filtering—When you set the action to Permit, you can specify a Web filtering profile by selecting a profile from the list.

      You can use the Web filtering profile to manage internet usage by preventing access to inappropriate Web content over HTTP.

      Click Create New, if you want to add a new Web filtering profile.

    • Content filtering—When you set the action to Permit, you can specify a Content filtering profile by selecting a profile from the list.

      You can use the Content filtering profile to filter the content based on the file type, application, and direction. The content filtering policy evaluates traffic before all other content security policies. Therefore, if traffic meets criteria configured in the content filter, the content filter acts first upon this traffic.

      Click Create New, if you want to add a new Content filtering profile.

    • SecIntel group—When you set the action to Permit, you can specify a SecIntel profile group by selecting a profile from the list.

      Use the SecIntel profile group to assign a group of different SecIntel profiles.

      Click Create New, if you want to add a new SecIntel group.

    • Anti-malware—When you set the action to Permit, you can specify an antimalware profile by selecting a profile from the list.

      You can use the antimalware profile to define the content to scan for malware and the action to take when malware is detected.

      Click Create New if you want to add a new antimalware profile.

    • CASB—When you set the action to Permit, you can specify a CASB profile by selecting a profile from the list. You must select a decrypt profile to assign a CASB profile.

      A pop-up window opens when you assign a CASB profile to a Secure Edge policy. By default, the cloud application groups are selected for the respective CASB-supported cloud applications. You cannot edit these groups as this option is grayed out. For more information on the cloud application groups, see Create a CASB Profile.

      You can use the CASB profile to automatically detect anomalous usage and suspicious behavior.

      Click Create New if you want to add a new CASB profile. For more information, see Create a CASB Profile.

    Options

    Schedule

    Select a saved schedule from the list.

    Policy schedules enable you to define when a policy is active and are an implicit match criterion.

    Click Create Schedule to define a new schedule. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that allows access only during business hours.

    Session initiate logs

    Enable this option to log events when sessions are created.

    Session close logs

    Enable this option to log events when sessions are closed.

    When logging is enabled, the system logs at session close time by default.

    Captive portal for site traffic

    Enable this option to allow unauthenticated users to log in to Juniper Secure Edge.

    By default, the captive portal option is enabled only for roaming users.

    The captive portal option is available only if you configure the following:

    • Sources—unauthenticated-user user group

    • Action—Permit

  4. Click to save the changes.

A new Secure Edge policy rule with the provided configuration is saved, and a confirmation message is displayed.