Security Policies Overview

Security policies enforce rules that control the traffic passing through a device, allowing or blocking it as the rules dictate. A single rule can match on both network transport (Layer 4) and application (Layer 7) criteria. Rules in a security policy typically specify source and destination zones, IP addresses, user identities, URL categories, services, and applications.

You can create, edit, and remove security policies that are linked to devices. To access this page, select SRX > Security Policy > SRX Policy.

Note:

On CPE devices or next-gen firewalls with Junos OS Release 18.2R1 or later, a security policy functions as a unified security policy. This permits dynamic applications to serve as matching criteria alongside conditions, eliminating the need for a distinct application security configuration to control application traffic.

Security Policy Benefits

  • Permits, rejects, denies, redirects, or tunnels the traffic based on the application.
  • Recognizes not just HTTP traffic but also any applications operating over it, which helps in enforcing policies effectively. For instance, a security rule for applications might block HTTP traffic originating from Facebook while permitting HTTP web access to Microsoft Outlook.
  • Provides advanced security protection by specifying the following:
    • Intrusion prevention system (IPS) profile
    • Content security profile
    • SSL proxy profile
  • Categorizes rules as zone-based rules and global rules.

    • Zone-based rules are rules with zones as source and destination endpoints.

    • Global rules give the flexibility to act on traffic without any zone restrictions.

      Table 1: Parameters for Zone-based and Global rules

      Sources                     Zone, Addresses, Identity
      Destinations                Zone, Addresses, URL Categories
      Applications/Services       Applications, Services
      Action                      Permit, Deny, Reject, Redirect, Tunnel
      Advanced Security Options   IPS Profile, Content Security Profile, SSL Proxy Profile
      Supported Options           Schedules, Logging, Rule Options

Security Policy and Rule Order

Security policies and rules are applied in the order they appear.

  • Security policies and the rules within a security policy are applied in a sequential order from top to bottom. For example, consider a scenario with the following two security policies:

    • P1 containing Rule-a and Rule-b with the sequence number 1

    • P2 containing Rule-a and Rule-b with the sequence number 2

    After deploying, the security policies and rules are applied in the following sequence:

    1. P1 Rule-a

    2. P1 Rule-b

    3. P2 Rule-a

    4. P2 Rule-b

  • New security policies and rules are added at the end of the list.

  • The default policy is the last policy in the list, and it denies all traffic.

  • One security policy rule can mask (shadow) another: because the first matching rule wins, a broader rule placed earlier in the list can cover every flow a later, more specific rule describes, so the later rule never matches.

  • You can change the order of the security policies and rules by using the Reorder functions.
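The following is an added illustration of the ordering semantics described above (first match from top to bottom, new rules appended at the end, a default policy that denies everything, and one rule masking another). It is not code from the product; the rule names, zones, addresses and services are constructed sample values that mirror the P1/P2 scenario in the text, and the shadow check is a straightforward containment test written for this example.

```python
"""Model of first-match security policy evaluation with shadow detection.

Added example, not product code. Rule data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    policy: str          # owning policy, e.g. "P1"
    name: str            # rule name inside that policy
    from_zone: str       # "any" matches every zone
    to_zone: str
    sources: tuple       # IPv4 CIDR strings, or ("any",)
    destinations: tuple
    services: tuple      # e.g. ("tcp/443",), or ("any",)
    action: str          # "permit" | "deny" | "reject"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str


def _nets_match(nets, addr):
    return "any" in nets or any(ip_address(addr) in ip_network(n) for n in nets)


def rule_matches(rule, flow):
    return (rule.from_zone in ("any", flow.from_zone)
            and rule.to_zone in ("any", flow.to_zone)
            and _nets_match(rule.sources, flow.src)
            and _nets_match(rule.destinations, flow.dst)
            and ("any" in rule.services or flow.service in rule.services))


def flatten(policies):
    """policies: {name: (sequence_number, [rules])}. Returns the rules in the
    order the text describes: by policy sequence number, then rule order."""
    ordered = sorted(policies.items(), key=lambda item: item[1][0])
    return [r for _, (_, rules) in ordered for r in rules]


def evaluate(rules, flow):
    """First matching rule wins. No match falls through to the default
    policy at the end of the list, which denies all traffic."""
    for r in rules:
        if rule_matches(r, flow):
            return r.action, f"{r.policy} {r.name}"
    return "deny", "default-policy"


def _covers(outer, inner):
    """True when every network in `inner` lies inside some network in `outer`."""
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)


def _zone_covers(outer, inner):
    return outer == "any" or outer == inner


def _svc_covers(outer, inner):
    return "any" in outer or ("any" not in inner and set(inner) <= set(outer))


def shadowed_rules(rules):
    """Report (rule, masked_by) pairs: a rule is masked when an earlier rule
    already matches every flow it describes, whatever the actions are."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_zone_covers(earlier.from_zone, later.from_zone)
                    and _zone_covers(earlier.to_zone, later.to_zone)
                    and _covers(earlier.sources, later.sources)
                    and _covers(earlier.destinations, later.destinations)
                    and _svc_covers(earlier.services, later.services)):
                found.append((f"{later.policy} {later.name}", f"{earlier.policy} {earlier.name}"))
                break
    return found


# Constructed sample data: two policies, sequence numbers 1 and 2.
POLICIES = {
    "P1": (1, [
        Rule("P1", "Rule-a", "trust", "untrust", ("10.0.0.0/8",), ("any",), ("tcp/443",), "permit"),
        Rule("P1", "Rule-b", "trust", "untrust", ("10.1.0.0/16",), ("any",), ("tcp/80", "tcp/443"), "deny"),
    ]),
    "P2": (2, [
        Rule("P2", "Rule-a", "trust", "untrust", ("10.2.0.0/16",), ("any",), ("tcp/443",), "deny"),
        Rule("P2", "Rule-b", "trust", "dmz", ("10.0.0.0/8",), ("192.168.10.0/24",), ("tcp/22",), "permit"),
    ]),
}
RULES = flatten(POLICIES)

if __name__ == "__main__":
    print([f"{r.policy} {r.name}" for r in RULES])
    print(evaluate(RULES, Flow("trust", "untrust", "10.2.3.4", "203.0.113.5", "tcp/443")))
    print(evaluate(RULES, Flow("dmz", "untrust", "192.168.10.7", "203.0.113.5", "tcp/443")))
    print("masked:", shadowed_rules(RULES))
```

P2 Rule-a intends to deny HTTPS from 10.2.0.0/16, but P1 Rule-a, which sits above it after deployment, already permits HTTPS from all of 10.0.0.0/8, so P2 Rule-a is reported as masked and a flow from 10.2.3.4 is permitted. Moving P2 Rule-a above P1 Rule-a (the Reorder function in the UI) removes the mask and the same flow is denied.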

Field Descriptions

Table 2: Fields on the Policy List Page

  Field          Description

  Seq.           The order number of the policy.

  Name           The name of the security policy.

  Rules          The number of rules associated with the policy. If no rule is
                 associated with the policy, an Add Rule link is displayed.
                 See Add a Security Policy Rule.

  Devices        The number of devices associated with the policy.

  Status         The deployment status of the security policy:
                   • Deploy Successful
                   • Deploy Pending
                   • Deploy Failed
                   • Deploy Scheduled
                   • Deploy In Progress
                   • Redeploy Required

  Modified By    The user who modified the policy.

  Last Modified  The date and time when the policy was modified.

  Description    The description of the security policy.