Configure a Security Policy Rule

Configuring a security policy rule means defining the match conditions (zones, addresses, identities, applications, and services) for traffic between network zones and the action the firewall takes on matching traffic. Ensure that the policy rules align with your network's security strategy.

To configure a security policy rule:

  1. Click Security > Security Policies to display the Security Policies page.
  2. Click a security policy to open the policy page.
  3. Select a security policy rule and click the edit icon.
  4. Configure the security policy rule according to Table 1: Fields on the Security Policy Name Page.
    1. Click + in Sources to display the Sources page. Configure the source endpoint from the list of zones and addresses, and optionally the identity (user role or group) of the source.
    2. Click + in Destinations to display the Destinations page. Configure the destination endpoint from the list of zones, addresses, and URL categories.
    3. Click + in Applications/Services to display the Applications & Services page. Add the applications and services to match.
    4. Select the action from the Action drop-down list for the traffic between the source and destination.
    5. Select the security subscriptions to apply.
    6. Select the options (schedule, logging, and rule options) to apply.
    Table 1: Fields on the Security Policy Name Page
    Field | Action
    General Information

    Name

    Enter a name of up to 63 alphanumeric characters without spaces. The name can also contain dashes (-) and underscores (_).

    If you do not enter a name, the rule is saved with a default name assigned by Juniper Security Director Cloud.

    Description

    Enter a description for the policy rule of up to 900 characters. The description cannot contain special characters such as the ampersand (&) or angle brackets (<, >), or a new line.

    Sources

    Click + to select the source endpoint from the list of zones, addresses, and identities to which the security policy rule applies.

    • Zone—Select a source zone for SRX Series Firewalls to define the context for the policy. Zone policies are applied on traffic entering from a source zone to a destination zone.

    • Addresses—Enter the IPv4 or IPv6 addresses or address groups to include in the security policy rule. Select Any to match any address, or Specific to choose particular addresses.

    • Exclude addresses—Select the IPv4 addresses to exclude from the security policy rule. This setting is available only when you select Specific in Addresses.

    • Identity—Select the source identity to use as the match criteria for the policy. You can have different policy rules based on user roles and user groups.

    Destinations

    Click + to select the destination endpoint from the list of zones, addresses, and URL categories on which the security policy rule applies.

    • Zone—Select a destination zone for SRX Series Firewalls to define the context for the policy. Zone policies are applied on traffic entering from a source zone to a destination zone.

    • Addresses—Enter the IPv4 or IPv6 addresses or address groups to include in the security policy rule. Select Any to match any address, or Specific to choose particular addresses.

    • Exclude addresses—Select the IPv4 addresses to exclude from the security policy rule. This setting is available only when you select Specific in Addresses.

    • URL categories—Select Any to add any URL in the security policy rule, Specific to select the URLs, or None.

    Applications/Services

    Click + to select the applications and services.

    • Applications—Select Any to add any application, Specific to select the applications, or None. Use the search field to find a specific application.

    • Services—Select Any to match any service, Specific to select particular services, or Default to match the Junos-default services. Select the check box for each service and click the arrow (>) to move it to the Selected column. Use the search fields at the top of each column to find specific services.

    The secure Web proxy feature does not support unified policies. If you want to associate a secure Web proxy profile with the rule, you must disable Applications. You can select the required applications when you configure the secure Web proxy profile.

    Action

    Select the action for the traffic between the source and destination from the drop-down list.

    • Permit—Devices permit the traffic.
    • Deny—Devices silently drop all packets for the session and do not send any active control messages such as TCP reset or ICMP unreachable.
    • Reject—Devices drop the packets and send the following message based on the traffic type:
      • TCP traffic: Devices send the TCP reset message to the source host.
      • UDP traffic: Devices send the destination unreachable, port unreachable ICMP message.
      • For all other traffic: Devices drop the packets without notifying the source host.
    • Redirect—Define a response in the unified policy to notify the connected client when a policy blocks HTTP or HTTPS traffic with a reject action.

      • Message—Select the message from the drop-down list, or click Create redirect message and enter the message.

      • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

    • Tunnel—Devices permit traffic using the type of VPN tunneling options applied to the policy.

    Security Subscriptions

    Select the security subscriptions to apply to the security policy rule.

    • IPS—When you select the Permit action, you can specify an IPS profile by selecting a profile from the list to monitor and prevent intrusions.

    • Content Security—When you select the Permit action, you can specify a content security profile by selecting a profile from the list for protection against multiple threat types including spam and malware, and control access to unapproved websites and content.

    • Decrypt—When you select the Permit, Reject, or Redirect action, you can configure a decrypt profile. The firewall then acts as an SSL proxy, decrypting and re-encrypting SSL/TLS traffic between the client and the server, so that it can see the application payload, identify the application precisely, and apply the other security subscriptions to detect threats inside the encrypted session.

    • Flow-based AV—When you set the action to Permit, you can assign a flow-based antivirus profile to the security policy to scan packets in the payload content for threats in real-time and block the content if a threat is detected.

    • Anti-malware—When you set the action to Permit, you can assign the anti-malware profile to the security policy to define the files to send to the ATP cloud for inspection and the action to be taken when malware is detected.

    • SecIntel—When you set the action to Permit, you can assign the SecIntel profile group to the security policy to add SecIntel profiles, such as C&C, DNS, and infected hosts.

    • Secure Web Proxy—When you set the action to Permit, you can enable the toggle switch to assign a secure Web proxy profile, which lets the selected applications bypass the proxy server and connect directly to the web server. See Secure Web Proxy Overview for more information about the secure Web proxy profile.
    • ICAP Redirect—When you select the Permit or Reject action, you can assign the ICAP redirect profile to decrypt HTTP or HTTPS traffic and redirect HTTP messages to a third-party, on-premise DLP server.

    Click Customize to configure the security subscription profiles. If there is no default profile configured, you can configure it using the customize option or set the default profile using Global Options. See Configure Global Options for Security Policies.

    This setting is available only if you select the Permit or the Reject action.

    Options

    Schedule

    Select a pre-saved schedule. The schedule options are populated with the selected schedule data.

    Policy schedules enable you to define when a policy is active and are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For example, you can define a security policy that opens or closes access based on business hours.

    Session initiate logs

    Select this option to enable logging of events when sessions are created.

    Session close logs

    Select this option to enable logging of events when sessions are closed.

    When logging is enabled, the system logs at session close time by default.

    Rule options

    Create an object to specify the redirect options, the authentication, the TCP-options, and the action for destination-address translated or untranslated packets.

  5. Click the check mark to save the configuration.
After you save the security policy configuration, regularly review and update the policy rules to adapt to network changes.
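Juniper Security Director Cloud pushes the rule to the SRX Series Firewall as Junos `security policies` configuration. The following added example (not from the original page or Juniper's own documentation) shows the set-format configuration equivalent to three rules built with the fields above: a reject rule for a lab network, a permit rule for web traffic with IPS, Content Security (UTM), decryption, logging, and a schedule, and a final silent deny. The zone names (trust, untrust), address objects, profile names (web-ips, web-utm, decrypt-outbound) and the schedule are assumptions; the referenced IPS, UTM, and SSL proxy profiles must already exist on the device.

```junos
# Added example: Junos set-format equivalent of rules built in Security Director Cloud.
# Zone names, address objects, profile names and the schedule are assumed for illustration.

# Address objects (Sources / Destinations > Addresses) and the schedule (Options > Schedule).
set security zones security-zone trust address-book address corp-lan 10.10.0.0/16
set security zones security-zone trust address-book address lab-net 10.10.99.0/24
set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 18:00:00

# Rule 1 (Action: Reject). lab-net is a subset of corp-lan, so this rule must come before
# allow-web: Junos evaluates policies in order and stops at the first match.
# Reject returns a TCP RST or ICMP port-unreachable, so clients fail fast instead of timing out.
set security policies from-zone trust to-zone untrust policy block-lab description "Lab hosts may not reach the Internet"
set security policies from-zone trust to-zone untrust policy block-lab match source-address lab-net
set security policies from-zone trust to-zone untrust policy block-lab match destination-address any
set security policies from-zone trust to-zone untrust policy block-lab match application any
set security policies from-zone trust to-zone untrust policy block-lab then reject
set security policies from-zone trust to-zone untrust policy block-lab then log session-init

# Rule 2 (Action: Permit). Source identity is the predefined authenticated-user role;
# junos-https is a Service, junos:HTTP and junos:SSL are Applications (unified policy).
set security policies from-zone trust to-zone untrust policy allow-web description "Authenticated corporate users to web during business hours"
set security policies from-zone trust to-zone untrust policy allow-web match source-address corp-lan
set security policies from-zone trust to-zone untrust policy allow-web match source-identity authenticated-user
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:SSL
# Security Subscriptions: IPS, Content Security (UTM) and Decrypt (SSL proxy) are only valid with permit.
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp-policy web-ips
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy web-utm
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services ssl-proxy profile-name decrypt-outbound
# Options: Session close logs and the schedule.
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy allow-web scheduler-name business-hours

# Rule 3 (Action: Deny). Explicit catch-all for the zone pair: silently dropped, but logged,
# so the implicit default deny never has to be relied on for visibility.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init
```

After committing, check the effective order with `show security policies from-zone trust to-zone untrust`; if a narrower rule has landed after a broader one, move it with `insert security policies from-zone trust to-zone untrust policy block-lab before policy allow-web` in configuration mode. Note the caveat from the Applications/Services field: if the permit rule is to carry a secure Web proxy profile, drop the `dynamic-application` match terms, because the secure Web proxy feature does not support unified policies.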