
Configuring a Policy to Permit Traffic

Configuring a policy to permit traffic is the first step in the sample configuration explaining how to configure a policy.

Before You Begin

  1. Establish basic connectivity. (See the Getting Started Guide for your device.)
  2. Create zones. See Creating Security Zones.
  3. Configure the address book for the policy. (See Configuring a Policy to Permit Traffic.)
  4. For background information, read Example: Configuring Security Policies—Detailed Configuration.

To configure a policy to permit traffic, use either J-Web or the CLI configuration editor. The following configuration commands allow traffic between the loopback addresses of the two Juniper Networks devices.

This topic covers J-Web Configuration and CLI Configuration.

J-Web Configuration

To configure a policy to permit traffic using the J-Web configuration editor:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Policies, select the check box and click Configure.
  4. Next to Policy, click Add new entry.
  5. In the From zone name box, type green.
  6. In the To zone name box, type red.
  7. Next to Policy, click Add new entry.
  8. In the Policy name box, type allowin.
  9. Select the Match check box and click Configure.
    1. From the Source address choice list, select Source address.
    2. Next to Source address, click Add new entry.
    3. From the Value keyword list, select Enter specific value.
    4. In the Address box, type netTopLoopInt and click OK.
    5. To match the policy to a destination address, from the Destination address choice list, select Destination address.
    6. Next to Destination address, click Add new entry.
    7. From the Value keyword list, select Enter specific value.
    8. In the Address box, type netBottomLoopInt and click OK.
    9. To match the policy to an application set name, from the Application Choice list, select Application.
    10. Next to Application, click Add new entry.
    11. Specify the application or application set name to match the policy and click OK.
    12. Expand the Advanced option and do either of the following:
      • Next to Apply groups, click Add new entry. Specify the group to inherit the configuration.
      • Next to Apply groups except, click Add new entry. Specify the group not to inherit the configuration.
  10. Specify the name of the Scheduler in the Scheduler Name text box.
  11. Select the Then check box and click Configure.
  12. From the Action list, select Permit.
  13. Next to Action, click Add new entry.
    1. Next to Application services, click Configure.
    2. Select any or all of the following:
      • Idp, if you want to permit IDP.
      • Uac policy, if you want to permit UAC Policy.
    3. Expand the Advanced option and do either of the following:
      • Next to Apply groups, click Add new entry. Specify the group to inherit the configuration.
      • Next to Apply groups except, click Add new entry. Specify the group not to inherit the configuration.
    4. Click OK to save the configuration and return to the Permit configuration page.
    5. Select the Destination address check box and click Configure.
    6. Select one of the options from the destination NAT drop-down list:
      • Drop Translated.
      • Drop Untranslated.
    7. Click OK to return to the Permit configuration page.
    8. Next to Firewall authentication, click Configure.
    9. Select either of the following from the Auth type drop-down list:
      • Pass through. Next to Pass through, click Configure and specify the access profile name and the client user name or group name to match. Also select the Web redirect check box. You can also specify the access groups and access groups except options.
      • Web authentication. Next to Web authentication, click Configure and specify the client user name or group name to match. You can also specify the access group and access group except options.

      After specifying the firewall authentication information, click OK to return to the Permit configuration page.

    10. Next to Tunnel, click Configure.
    11. Specify the name of the IPsec VPN to enable it. This option is mandatory.
    12. Specify the policy in the reverse direction to form a pair.
    13. Expand the Advanced option and do either of the following:
      • Next to Apply groups, click Add new entry. Specify the group to inherit the configuration.
      • Next to Apply groups except, click Add new entry. Specify the group not to inherit the configuration.

    Click OK to return to the Then configuration page.

  14. If you are finished configuring the device, commit the configuration.
  15. To check the configuration, see Verifying Policy Configuration.

CLI Configuration

user@host# set security policies from-zone RED to-zone GREEN policy allowIn match source-address netTopLoopInt
user@host# set security policies from-zone RED to-zone GREEN policy allowIn match destination-address netBottomLoopInt
user@host# set security policies from-zone RED to-zone GREEN policy allowIn match application any
user@host# set security policies from-zone RED to-zone GREEN policy allowIn then permit

If you are finished configuring the device, commit the configuration.

To check the configuration, see Verifying Policy Configuration.
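As an added example (not from this page and not a Juniper tool), the following Python script parses set-format lines like the CLI block above and performs a pre-commit check: every zone and address a policy references must already be defined (the Before You Begin steps), and a policy that permits with match application any is flagged as broader than the page's loopback-to-loopback intent. The zone and address-book lines, the address values and the lint rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not from the page: the zones and zone address books that the
# "Before You Begin" steps assume exist, plus the page's four policy lines.
SAMPLE_CONFIG = """
set security zones security-zone RED
set security zones security-zone GREEN
set security zones security-zone RED address-book address netTopLoopInt 192.0.2.1/32
set security zones security-zone GREEN address-book address netBottomLoopInt 192.0.2.2/32
set security policies from-zone RED to-zone GREEN policy allowIn match source-address netTopLoopInt
set security policies from-zone RED to-zone GREEN policy allowIn match destination-address netBottomLoopInt
set security policies from-zone RED to-zone GREEN policy allowIn match application any
set security policies from-zone RED to-zone GREEN policy allowIn then permit
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: address-book address (\S+) \S+)?$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")

def parse(config):
    # Collect zone names, per-zone address names and policy terms from 'set' lines.
    zones, addrs, policies = set(), defaultdict(set), {}
    for line in config.strip().splitlines():
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
            if m.group(2):
                addrs[m.group(1)].add(m.group(2))
        elif m := POLICY_RE.match(line):
            frm, to, name, section, rest = m.groups()
            pol = policies.setdefault((frm, to, name), {"match": defaultdict(set), "then": set()})
            if section == "match":
                key, value = rest.split(" ", 1)
                pol["match"][key].add(value)
            else:
                pol["then"].add(rest)
    return zones, addrs, policies

def lint(config):
    # Findings: dangling zone/address references and permits of every application.
    zones, addrs, policies = parse(config)
    findings = []
    for (frm, to, name), pol in policies.items():
        for zone in (frm, to):
            if zone not in zones:
                findings.append(f"{name}: zone {zone} is not defined")
        for key, zone in (("source-address", frm), ("destination-address", to)):
            for addr in pol["match"][key] - {"any"}:   # 'any' is a built-in keyword
                if addr not in addrs[zone]:
                    findings.append(f"{name}: {key} {addr} is not in the {zone} address book")
        if "permit" in pol["then"] and "any" in pol["match"]["application"]:
            findings.append(f"{name}: permits 'application any'; restrict to a named application or set")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the single finding for the page's policy; referencing an undefined zone or address adds a finding per dangling name.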
