Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Firewall Policy Rules Main Page Fields

 

Use this page to get an overall, high-level view of your firewall policy rules settings. Details help you keep track of the number and order of rules per policy. You can filter and sort this information to get a better understanding of what you want to view. Table 1 describes the fields on this page.

Table 1: Firewall Policy Rules Main Page Fields

Field

Description

Seq.

Order number for the policy. Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used.

Hit Count

Displays how often a particular policy is used based on traffic flow. The hit count is the number of hits since the last reset.

Example: The hit count is especially useful when you are using a large policy set and you want to verify which rules are highly utilized and which ones are rarely used. Specifically, if you see that some of the rules are not being used, you can verify that the rules are not being shadowed by another policy. This helps you manage the device without having to generate traffic manually.

Rule Name

Unique name for the rule.

Src. Zone

Source zone (to-zone) that defines the context for the policy. Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

For example, all policies within source zone trust and destination zone untrust are in the same context.

Src. Address

Address names or address set names to be used as match criteria for incoming traffic.

We recommend that you create address sets instead of using multiple address entries. For example, If your organization has common requirements for similar types of access across different rules, leveraging groups can be advantageous.

You can have any number of objects with a set (for example, host, network, DNS, wildcard, and so forth)

Src. ID

Users and roles to be used as match criteria for the policy.

You can have different policy rules based on the user role and user group.

If you specify the source identity in any policy within the zone pair, then user and role information is retrieved before policy lookup can proceed. (If all policies in the zone pair are set to any or have no entry in the Source Identity field, user and role information is not required and only the other five standard match criteria are used for policy lookup.)

End User Profile

Specifies the end user profile, which you have selected while creating the rule.

Dest. Zone

Destination zone (from-zone) that defines the context for the policy.

Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.

For example, all policies within source zone trust and destination zone untrust are in the same context.

Dest. Address

Address names or address set names to be used as match criteria for outgoing traffic.

We recommend that you create address sets instead of using multiple address entries.

For example, if your organization has common requirements for similar types of access across different rules, leveraging groups can be advantageous.

You can have any number of objects with a set (for example, host, network, DNS, wildcard, and so forth).

Service

The service (application) name in the match criteria has one or more service or service sets.

We recommend that you create a service set and refer to the name of the set in a policy instead of using multiple individual service names.

For example, for a group of employees, you can create a service set that contains all the approved services. Service objects allow you to specify objects to be used in the match criteria of security policies. You can set numerous attributes to help define what the match criteria of this object should be.

Rule Condition

Click the field to assign the condition.

The Environment Condition and Action page appears. Click the + icon to select the condition. Once you add a condition, you can change the action for the selected condition. You can apply the advanced security options only if the action is Permit. You must publish and update to the device after assigning a condition to the rule.

To select multiple conditions, click the + icon again. When multiple conditions are selected, the first active condition in the list is considered.

Action

Action applies to all traffic that matches the specified criteria.

  • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable.

  • Reject—Device sends a TCP Reset if the protocol is TCP and ICMP Reset if the protocols are UDP, ICMP, or any other IP protocol. This option is useful when facing trusted resources so that the applications do not waste time waiting for timeouts and instead get the active message.

  • Permit—Device permits traffic using the type of firewall authentication you applied to the policy.

  • Tunnel—Device permits traffic using the type of VPN tunneling options you applied to the policy.

Starting in Junos Space Security Director Release 16.1, the address and service objects can be created, managed, dragged and dropped to the required rules from the firewall policy rules page. Apart from addresses and services, you can also drag and drop zones. From the Shared Objects list, select Show Addresses or Show Services to see the required shared objects. To create a new address or service object, click the plus sign (+). You can also modify, delete, and manage these objects. You can search for any object by it’s name and IP address in the search field available in the top right corner.

You can drag more than one object and drop on the respective columns of any policy rule. Security Director ensures that objects are dropped in the supported columns and it does not permit to drop under any other columns. The drag and drop of objects is supported on the source address, destination address, source zone, destination zone, and service columns. A single address or multiple addresses can be dragged and dropped from source address field to destination address field of same rule or across rules. Similarly, single or multiple services and zones can also be dragged and dropped across rules. To view multiple objects in an address, zone, or service column, click the small horizontal triangle to expand the columns.

You can also drag and drop rules to a single rulegroup or across multiple rulegroups.

Release History Table
Release
Description
Starting in Junos Space Security Director Release 16.1, the address and service objects can be created, managed, dragged and dropped to the required rules from the firewall policy rules page. Apart from addresses and services, you can also drag and drop zones.