policies
Syntax
policies {
    default-policy (deny-all | permit-all);
    from-zone from-zone-name {
        to-zone;
        policy name {
            description description;
            match (Security Policies Global) {
                source-address (Security Policies);
                destination-address (Security Policies);
                application (Security Policies);
                source-identity;
                source-end-user-profile <source-end-user-profile-name>;
                dynamic-application (Security Policies);
                url-category;
                from-zone (Security Policies Global);
                to-zone (Security Policies Global);
                source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ];
                destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ];
                destination-address-excluded;
                source-address-excluded;
            }
            scheduler-name scheduler-name;
            then {
                deny;
                permit {
                    application-services {
                        (redirect-wx | reverse-redirect-wx);
                        advanced-anti-malware-policy advanced-anti-malware-policy;
                        application-traffic-control {
                            rule-set rule-set;
                        }
                        gprs-gtp-profile gprs-gtp-profile;
                        gprs-sctp-profile gprs-sctp-profile;
                        icap-redirect icap-redirect;
                        idp;
                        idp-policy idp-policy;
                        security-intelligence-policy security-intelligence-policy;
                        ssl-proxy {
                            profile-name profile-name;
                        }
                        uac-policy {
                            captive-portal captive-portal;
                        }
                        utm-policy utm-policy;
                        web-proxy {
                            profile-name profile-name;
                        }
                    }
                    destination-address (Security IDP Policy) {
                        (drop-translated | drop-untranslated);
                    }
                    firewall-authentication {
                        pass-through {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            client-match [ client-match ... ];
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        user-firewall {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            domain domain;
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        web-authentication {
                            client-match [ client-match ... ];
                        }
                        push-to-identity-management;
                    }
                    services-offload;
                    tcp-options {
                        initial-tcp-mss initial-tcp-mss;
                        reverse-tcp-mss reverse-tcp-mss;
                        sequence-check-required;
                        syn-check-required;
                        window-scale;
                    }
                    tunnel {
                        ipsec-vpn ipsec-vpn;
                        pair-policy pair-policy;
                    }
                }
                reject {
                    profile profile;
                    ssl-proxy {
                        profile-name profile-name;
                    }
                }
                count { }
                log {
                    session-close;
                    session-init;
                }
            }
        }
    }
    global {
        policy name {
            description description;
            match (Security Policies Global) {
                source-address (Security Policies);
                destination-address (Security Policies);
                application (Security Policies);
                source-identity;
                source-end-user-profile <source-end-user-profile-name>;
                dynamic-application (Security Policies);
                url-category;
                from-zone (Security Policies Global);
                to-zone (Security Policies Global);
                source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ];
                destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ];
                destination-address-excluded;
                source-address-excluded;
            }
            scheduler-name scheduler-name;
            then {
                deny;
                permit {
                    application-services {
                        (redirect-wx | reverse-redirect-wx);
                        advanced-anti-malware-policy advanced-anti-malware-policy;
                        application-traffic-control {
                            rule-set rule-set;
                        }
                        gprs-gtp-profile gprs-gtp-profile;
                        gprs-sctp-profile gprs-sctp-profile;
                        icap-redirect icap-redirect;
                        idp;
                        idp-policy idp-policy;
                        security-intelligence-policy security-intelligence-policy;
                        ssl-proxy {
                            profile-name profile-name;
                        }
                        uac-policy {
                            captive-portal captive-portal;
                        }
                        utm-policy utm-policy;
                        web-proxy {
                            profile-name profile-name;
                        }
                    }
                    destination-address {
                        (drop-translated | drop-untranslated);
                    }
                    firewall-authentication {
                        pass-through {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            client-match [ client-match ... ];
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        user-firewall {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            domain domain;
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        web-authentication {
                            client-match [ client-match ... ];
                        }
                        push-to-identity-management;
                    }
                    services-offload;
                    tcp-options {
                        initial-tcp-mss initial-tcp-mss;
                        reverse-tcp-mss reverse-tcp-mss;
                        sequence-check-required;
                        syn-check-required;
                        window-scale;
                    }
                    tunnel {
                        ipsec-vpn ipsec-vpn;
                        pair-policy pair-policy;
                    }
                }
                reject {
                    profile profile;
                    ssl-proxy {
                        profile-name profile-name;
                    }
                }
                count { }
                log {
                    session-close;
                    session-init;
                }
            }
        }
    }
    policy-rematch <extensive>;
    policy-stats {
        system-wide (disable | enable);
    }
    pre-id-default-policy {
        then {
            log {
                session-close;
                session-init;
            }
            session-timeout {
                icmp seconds;
                icmp6 seconds;
                ospf seconds;
                others seconds;
                tcp seconds;
                udp seconds;
            }
        }
    }
    stateful-firewall-rule name {
        match-direction (input | input-output | output);
        policy name {
            description description;
            match (Security Policies Global) {
                source-address (Security Policies);
                destination-address (Security Policies);
                application (Security Policies);
                source-identity;
                source-end-user-profile <source-end-user-profile-name>;
                dynamic-application (Security Policies);
                url-category;
                from-zone (Security Policies Global);
                to-zone (Security Policies Global);
                source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ];
                destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ];
                destination-address-excluded;
                source-address-excluded;
            }
            scheduler-name scheduler-name;
            then {
                deny;
                permit {
                    application-services {
                        (redirect-wx | reverse-redirect-wx);
                        advanced-anti-malware-policy advanced-anti-malware-policy;
                        application-traffic-control {
                            rule-set rule-set;
                        }
                        gprs-gtp-profile gprs-gtp-profile;
                        gprs-sctp-profile gprs-sctp-profile;
                        icap-redirect icap-redirect;
                        idp;
                        idp-policy idp-policy;
                        security-intelligence-policy security-intelligence-policy;
                        ssl-proxy {
                            profile-name profile-name;
                        }
                        uac-policy {
                            captive-portal captive-portal;
                        }
                        utm-policy utm-policy;
                        web-proxy {
                            profile-name profile-name;
                        }
                    }
                    destination-address {
                        (drop-translated | drop-untranslated);
                    }
                    firewall-authentication {
                        pass-through {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            client-match [ client-match ... ];
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        user-firewall {
                            access-profile access-profile;
                            auth-only-browser;
                            auth-user-agent name;
                            domain domain;
                            ssl-termination-profile ssl-termination-profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        web-authentication {
                            client-match [ client-match ... ];
                        }
                        push-to-identity-management;
                    }
                    services-offload;
                    tcp-options {
                        initial-tcp-mss initial-tcp-mss;
                        reverse-tcp-mss reverse-tcp-mss;
                        sequence-check-required;
                        syn-check-required;
                        window-scale;
                    }
                    tunnel {
                        ipsec-vpn ipsec-vpn;
                        pair-policy pair-policy;
                    }
                }
                reject {
                    profile profile;
                    ssl-proxy {
                        profile-name profile-name;
                    }
                }
                count { }
                log {
                    session-close;
                    session-init;
                }
            }
        }
    }
    stateful-firewall-rule-set name {
        stateful-firewall-rule name;
    }
    traceoptions (Security Policies) {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
    }
    unified-policy {
        max-lookups max-lookups;
    }
}
Hierarchy Level
[edit security]
Description
Configure a network security policy with IPv6 addresses only if flow support for IPv6 traffic is enabled on the device.
Options
default-policy | Configures the default action taken when no user-defined policy matches.
policy-rematch | Re-evaluates existing sessions against the policies when a policy is changed.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Support for the services-offload option added in Junos OS Release 11.4.
Support for the source-identity option added in Junos OS Release 12.1.
Support for the description option added in Junos OS Release 12.1.
Support for the ssl-termination-profile and web-redirect-to-https options added in Junos OS Release 12.1X44-D10 and Junos OS Release 15.1X49-D40.
Support for the user-firewall option added in Junos OS Release 12.1X45-D10.
Support for the domain option and for the from-zone and to-zone global policy match options added in Junos OS Release 12.1X47-D10.
Support for the initial-tcp-mss and reverse-tcp-mss options added in Junos OS Release 12.3X48-D20.
Support for the extensive option of policy-rematch added in Junos OS Release 15.1X49-D20.
Starting in Junos OS Release 18.2R1, IDP policies are available within unified security policies. Access to IDP policies is simplified, and an IDP policy is provided as one of the policies under the unified policy. When an IDP policy is available within a unified security policy, there is no need to configure source or destination addresses, source and destination address exclusions, from and to zones, or applications in the IDP policy, because the match happens in the security policy itself.
Starting in Junos OS Release 18.3R1, when an SRX Series device is configured with unified policies, you can configure multiple IDP policies and set one of them as the default IDP policy. If multiple IDP policies are configured for a session and a policy conflict occurs, the device applies the default IDP policy to that session, thereby resolving the conflict.
If two or more IDP policies are configured in a unified security policy, you must configure a default IDP policy.
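The following configuration is an added illustration of the hierarchy shown in the syntax section and of the unified-policy IDP notes above; it is not taken from the Juniper documentation. It sets a deny-all default policy, one zone-pair policy that permits web traffic identified by dynamic application and hands the session to an IDP policy, an explicit logged deny as the last policy in the zone pair, policy-rematch, and a pre-id-default-policy. The zone names trust and untrust, the policy names allow-web, deny-log, web-idp and block-web-attacks, the attack-group placeholder, and the `default-policy` statement under `[edit security idp]` (used here as the default IDP policy that the release note requires) are assumptions.

```junos
security {
    policies {
        /* no user-defined match: drop, so every permitted flow needs an explicit policy */
        default-policy {
            deny-all;
        }
        from-zone trust to-zone untrust {
            /* unified policy: application any, identification done via dynamic-application */
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application [ junos:HTTP junos:SSL ];
                }
                then {
                    permit {
                        application-services {
                            idp-policy web-idp;
                        }
                    }
                    count;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* explicit logged deny, placed last so it only matches what allow-web did not */
            policy deny-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        /* re-evaluate existing sessions when the policy set changes */
        policy-rematch;
        /* sessions not yet identified by AppID: log when they close */
        pre-id-default-policy {
            then {
                log {
                    session-close;
                }
            }
        }
    }
    idp {
        /* assumption: default-policy under [edit security idp] names the IDP policy
           applied when several IDP policies could apply to one session */
        default-policy web-idp;
        idp-policy web-idp {
            rulebase-ips {
                rule block-web-attacks {
                    match {
                        attacks {
                            /* placeholder: substitute a predefined attack group name */
                            predefined-attack-groups "<ATTACK-GROUP-NAME>";
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                    }
                }
            }
        }
    }
}
```

Policies within a zone pair are evaluated in configuration order, so the logged catch-all deny must stay after allow-web; the deny-all default policy still covers zone pairs with no policies at all. Because the IDP policy is referenced from the security policy's application-services, the IDP rule carries no address, zone or application match of its own, which is the simplification the 18.2R1 note describes.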