Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add a Security Policy Rule

Use this page to add a security policy rule that controls transit traffic within a context. The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.

You can also enable advanced security protection by specifying the following security profiles:

  • Content security profile

  • Decrypt profile

  • Flow-based antivirus profile

  • Intrusion prevention system (IPS) profile

  • Anti-malware profile

  • Secintel profile group

  • Secure Web proxy profile

  1. Select SRX > Security Policy > SRX Policy.
    The Security Policies page is displayed.
  2. Click the security policy to add the rule.
    The security policy page is displayed.
  3. Click +.
    The option to create security policy rule is displayed inline on the the security policy page.
  4. Complete the configuration according to the guidelines provided below:
    Table 1: Fields on the Security Policy Name Page
    Field Description
    General Information

    Name

    Enter a name containing maximum 63 alphanumeric characters without spaces. The name can contain dashes (-) and underscores (_).

    If you do not enter a name, the rule is saved with a default name assigned by Juniper Security Director Cloud.

    Description

    Enter a description for the policy rule containing maximum 900 characters. The description cannot contain special characters such as ampersand (&), angular brackets (<, >) or a new line.

    Sources

    Click + to select the source endpoint from the list of zone, addresses, and users on which the security policy rule applies.

    Note:

    You can choose to save a rule as a zone-based rule or a global rule if the following settings are configured:

    • The Save rule option is enabled in the Organization settings. See About the Organization Page.

    • Only one source and destination zone is selected.

    Destinations

    Click + to select the destination endpoint from the list of zones, addresses, and URL categories on which the security policy rule applies.

    Note:

    You can choose to save a rule as a zone-based rule or a global rule if the following settings are configured:

    • The Save rule option is enabled in the Organization settings. See About the Organization Page.

    • Only one source and destination zone is selected.

    Applications/Services

    Click + to select the applications and services.

    The secure Web proxy feature does not support unified policies. If you want to associate a secure Web proxy profile with the rule, you must disable Applications. You can select the required applications when you configure the secure Web proxy profile.

    Action

    Select the action for the traffic between the source and destination from the drop-down list.

    • Permit—Devices permit the traffic.
    • Deny—Devices silently drop all packets for the session and do not send any active control messages such as TCP reset or ICMP unreachable.
    • Reject—Devices drop the packets and send the following message based on the traffic type:
      • TCP traffic: Devices send the TCP reset message to the source host.
      • UDP traffic: Devices send the destination unreachable, port unreachable ICMP message.
      • For all other traffic: Devices drop the packets without notifying the source host.

    • Redirect—Define a response in the unified policy to notify the connected client when a policy blocks HTTP or HTTPS traffic with a reject action.

      • Message—Select the message from the drop-down list, or click Create redirect message and enter the message.

      • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

    • Tunnel—Devices permit traffic using the type of VPN tunneling options applied to the policy.
    Security Subscriptions

    Select the security subscriptions to apply to the security policy rule.

    • IPS—When you select the Permit action, you can specify an IPS profile by selecting a profile from the list to monitor and prevent intrusions.

    • Content Security—When you select the Permit action, you can specify a content security profile by selecting a profile from the list for protection against multiple threat types including spam and malware, and control access to unapproved websites and content.

    • Decrypt—When you select the Permit, Reject, or Redirect action, you can configure a decrypt profile to perform SSL encryption and decryption between the client and the server and obtain granular application information which enables you to apply advanced security subscriptions protection and detect threats.

    • Flow-based AV—When you set the action to Permit, you can assign a flow-based antivirus profile to the security policy to scan packets in the payload content for threats in real-time and block the content if a threat is detected.

    • Anti-malware—When you set the action to Permit, you can assign the anti-malware profile to the security policy to define the files to send to the ATP cloud for inspection and the action to be taken when malware is detected.

    • SecIntel—When you set the action to Permit, you can assign the SecIntel profile group to the security policy to add SecIntel profiles, such as C&C, DNS, and infected hosts.

    • Secure Web Proxy—When you set the action to Permit, you can enable the toggle switch to assign the secure Web proxy profile to enable applications to bypass a proxy server and connect to a web server directly. See Secure Web Proxy Overview for more information about secure Web proxy profile.

    • ICAP Redirect—When you select the Permit or Reject action, you can assign the ICAP redirect profile to decrypt HTTP or HTTPS traffic and redirect HTTP messages to a third-party, on-premise DLP server.

    Click Customize to configure the security subscription profiles. If there is no default profile configured, you can configure it using the customize option or set the default profile using Global Options. See Configure Global Options for Security Policies.

    This setting is available only if you select the Permit or the Reject action.

    Options

    Schedule

    Select a pre-saved schedule. The schedule options are populated with the selected schedule data.

    Policy schedules enable you to define when a policy is active and are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For example, you can define a security policy that opens or closes access based on business hours.

    Session initiate logs

    Select this option to enable logging of events when sessions are created.

    Session close logs

    Select this option to enable logging of events when sessions are closed.

    When logging is enabled, the system logs at session close time by default.

    Rule options

    Create an object to specify the redirect options, the authentication, the TCP-options, and the action for destination-address translated or untranslated packets.

  5. Click to save the changes.
A new security policy rule with the provided configuration is saved and a confirmation message is displayed. Based on the source and destination endpoints, the rules are categorized as zone-based rules or global rules.