Security Policy Rules Overview

Use the Security Policy Rules page to view and manage policy rules associated with devices. You can filter and sort this information to get a better understanding of what you want to configure. To access this page, click SRX > Security Policy > SRX Policy and click the security policy rule.

Field Descriptions

Table 1: Fields on the Security Policy Rules Page
Field / Description

Seq

The order number of the policy. The security policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used.

Hit Count

The number of times a particular policy is used based on the traffic flow. The hit count is the number of hits since the last reset.

For example, the hit count is especially useful when you are using a large policy set and want to verify which rules are highly used and which ones are rarely used. If you see that some of the rules are not being used, you can verify that the rules are not being shadowed by another policy.

This helps you manage devices without having to generate traffic manually.
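The first-match lookup and the shadowing problem described above, as an added example that is not Juniper's code: rules are evaluated in Seq order, and a rule whose sources, destinations and applications are all covered by an earlier rule can never be hit. The rule set, the zone and application names, and the single-earlier-rule shadow check are constructed assumptions for illustration.

```python
# Added example (not from the page): first-match policy lookup over an ordered
# rule set, plus a check for rules that a single earlier rule fully shadows.
# Field names mirror the page: Seq, Name, Sources, Destinations, Applications, Action.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    seq: int
    name: str
    sources: frozenset       # zone/address identifiers, or {"any"}
    destinations: frozenset
    applications: frozenset
    action: str

def _matches(field: frozenset, value: str) -> bool:
    return "any" in field or value in field

def first_match(rules, src, dst, app):
    """Return the first rule (lowest Seq) whose criteria match, like the device lookup."""
    for r in sorted(rules, key=lambda r: r.seq):
        if _matches(r.sources, src) and _matches(r.destinations, dst) and _matches(r.applications, app):
            return r
    return None

def _covers(outer: frozenset, inner: frozenset) -> bool:
    # outer covers inner if outer is "any", or inner is a non-any subset of outer
    return "any" in outer or ("any" not in inner and inner <= outer)

def shadowed_rules(rules):
    """Names of rules that can never match because one earlier rule covers all their traffic.
    Simplification: shadowing by a union of several earlier rules is not detected."""
    ordered = sorted(rules, key=lambda r: r.seq)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_covers(earlier.sources, later.sources)
                    and _covers(earlier.destinations, later.destinations)
                    and _covers(earlier.applications, later.applications)):
                result.append(later.name)
                break
    return result

# Constructed sample policy set (assumed names, not from the page).
RULES = [
    Rule(1, "allow-web", frozenset({"trust"}), frozenset({"untrust"}), frozenset({"junos-http", "junos-https"}), "permit"),
    Rule(2, "allow-https-only", frozenset({"trust"}), frozenset({"untrust"}), frozenset({"junos-https"}), "permit"),
    Rule(3, "deny-all", frozenset({"any"}), frozenset({"any"}), frozenset({"any"}), "deny"),
]
```

A rule reported by `shadowed_rules` is one whose Hit Count will stay at zero no matter how much matching traffic flows, which is the condition the page suggests verifying.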

Name

The name of the security policy rule.

Sources

The source endpoint to which a security policy rule applies. A source endpoint consists of zones, addresses, and identities.

Destinations

The destination endpoint to which a security policy rule applies. A destination endpoint can be zones, addresses, and URL categories.

Applications/Services

The applications and services associated with the security policy.

Action

The action that applies to all traffic that matches the specified criteria.
  • Permit—Devices permit traffic using the type of security authentication applied to the policy.
  • Deny—Devices silently drop all packets for the session and do not send any active control messages such as TCP resets or ICMP unreachable.
  • Reject—Devices send a TCP reset if the protocol is TCP, and an ICMP reset if the protocol is UDP, ICMP, or any other IP protocol. This option is useful for trusted resources, so that applications receive an active message instead of waiting for a timeout.
  • Redirect—Devices redirect traffic to the configured redirect URL or display a custom message when HTTP requests are blocked.
  • Tunnel—Devices permit traffic using the type of VPN tunneling options applied to the policy.

Security Subscriptions

The security subscription profiles that are applied to a security policy rule.

  • IPS—The IPS profile to monitor and prevent intrusions.

  • Content Security—The content security profile for protection against multiple threat types, including spam and malware, and for controlling access to unapproved websites and content.

    Note:

    To select Juniper NextGen Content security profile, the Junos OS version must be 23.3R1 or later.

  • Decrypt profile—The decrypt profile to encrypt and decrypt the SSL connection between the client and the server, so that the device obtains granular application information, applies advanced security subscription protection, and detects threats.

  • Flow-based AV—The flow-based antivirus profile to scan packet payload content for threats in real time and block the content if a threat is detected.

  • Anti-malware profile—The anti-malware profile to define which files to send to the ATP Cloud for inspection and the action to be taken when malware is detected.

  • SecIntel profile group—The SecIntel profile group to add SecIntel profiles, such as C&C, DNS, and infected hosts.

Options

The scheduling, logging, and rule options applicable to the security policy rule.

Deploy Status

The deployment status.