Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating Firewall Policies

    Use the Create Firewall Policies page to configure group or device policies that determine all the network resources within your organization and that identify the required security level for those resources.

    Before You Begin

    • Read the Firewall Policies Overview topic.
    • Review the firewall policies main page for an understanding of your current data set. See Firewall Policies Main Page Fields for field descriptions.
    • Create source (from-zone) and destination (to-zone) zones.
    • Create addresses and address sets.
    • Create services (applications) and service sets (application sets).

    Configuring Firewall Policy Settings


    To create a firewall policy:

    1. Select Configure > Firewall Policy.
    2. Click the + icon.
    3. Complete the configuration according to the guidelines provided in Table 1.
    4. Click OK. A firewall policy is created. You can click on the policy to assign rules inline or select the policy and click the + icon to configure policy rules. See Creating Firewall Policy Rules.

    A new policy is created according to your configuration. You can use this policy to assign rules, profiles, and schedules, To enable a policy, you must assign it to a domain. See Assigning Policies and Profiles to Domains.

    Table 1: Firewall Policy Settings

    Setting

    Guideline

    General Information

    Name

    Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. Maximum length is 255 characters.

    Description

    Enter a description for the group policy rules; maximum length is 255 characters. Comments entered in this field are sent to the device.

    Policy Options

    Profile

    Select a profile for the policy:

    • Log Session Init—Record entries for session start events. A traffic log that records session start events does not include bytes sent and received or session duration, but you can use the log to verify when the session was initially created.
    • Log Session Close—Record entries for session close events. A traffic log that records session close information also lists a reason for the end of the session.
    • All Logging Enabled—Logs are created for both session initiation and session closing. Logs can be used for troubleshooting.
    • All Logging Disabled—Logs are not recorded for both session initiation and session closing.

    Type

    Select the type of policy you want to create:

    • Group Policy—Firewall policy that is shared with multiple devices. This type of policy is used when you want to update a specific firewall policy configuration to a large set of devices. You can create group prerules, group postrules, and device rules for a group policy.
    • Device Policy—Firewall policy that is created per device. This type of policy is used when you want to push a unique firewall policy configuration per device. You can create device rules for a device firewall policy. During a device assignment for a device policy, only devices from the current domain are listed.

    Device Selection

    Devices

    SRX Series devices and MX Series routers are listed. When a policy is published to a device, device-specific rules are published to the appropriate SRX Series devices or MX Series routers.

    Select the devices on which the group policy will be published. For a group policy, you can include both SRX Series devices and MX Series routers. Select devices from the Available column and click the right arrow to move these devices to the Selected column. For device only policy, select the device with which you want to associate the policy.

    Note: You can also search for devices by entering the device name, device IP address, or device tags in the Search fields in the Devices area. Once the searched devices appear, you can move them to the Selected pane.

    Policy Sequence

    Policy Placement

    (For Group Policy only). Select Before Device Specific Policies or After Device Specific Policies. This decides the policy order when the devices policy configuration information is updated on the devices.

    Policy Sequence No.

    (For Group Policy only). Select this option to specify the order number for the policy. Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used. For more information, see Policy Ordering Overview.

    Modified: 2017-02-09