
Environment Variables and Conditions Overview

You can use environment variables and conditions to configure dynamic policy actions for your firewall policy rules. With traditional firewall rules, if you want to block all outbound traffic, then you must manually modify the action of the rules from permit to deny. Similarly, if you want to allow all traffic, you modify the action from deny to permit. When handling critical events, going through hundreds of firewall policy rules and modifying them is both time consuming and inefficient. Further, when the event is over, you might need to revert those rule settings to the previously configured values.

To avoid reconfiguring firewall rules by hand and to gain finer control over the configuration, you, as the network administrator, can define environment variables and apply conditions that reference them. When a condition you define holds, the preconfigured action is applied to the affected firewall policy rules dynamically, and when the variable changes back, the rules return to their other configured action without any further edits.

Along with the action, you can define advanced security properties, disable rules based on the action, and change the logging options.

Table 172 and Table 173 show examples of the usage of custom-defined environment variables and rule actions based on variable values.

Table 172: Example of Custom-Defined Environment Variables

Environment Variable   Type     Possible Value      Default Value   Current Value
--------------------   ------   -----------------   -------------   -------------
Threat Level           String   Low, Medium, High   Low             High

Table 173: Example of Rule Actions Based on Variable Values

Rule #   Source     Destination      Service   Firewall                                 IPS
------   --------   --------------   -------   --------------------------------------   --------------------------------------------------
m        Employee   Internet video   http      If (ThreatLevel=High) Deny Else Permit   None
n        WebZone    DBZone           DB        Permit                                   If (ThreatLevel=High) Adv_profile Else Std_Profile

Table 174 shows an example of how conditions are used. The condition in the Environment Condition column is evaluated first to select the set of actions the system will take for that rule. For example, if the value of the ThreatLevel environment variable is Medium at any point in time, the system automatically enables the intrusion prevention system (IPS) service, with the standard profile, for the traffic matched by rule 1000.

Table 174: Example of Environment Condition

Rule Number   Source Traffic Match Criteria   Destination Traffic Match Criteria   Environment Condition   Firewall Action   Other Actions
-----------   -----------------------------   ----------------------------------   ---------------------   ---------------   -------------------
1000          Any                             MyCriticalServers                    ThreatLevel=Low         PERMIT            LOG
                                                                                   ThreatLevel=Medium      PERMIT            LOG IPS_STD_PROFILE
                                                                                   ThreatLevel=High        DENY              LOG
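The following is an added worked example, not Juniper's own code or the product's evaluation engine. It models the behavior described for Table 173 and Table 174: a variable is declared with its possible values and a default, each rule carries either a static action or an "If (Var=Value) X Else Y" expression, and raising or reverting the variable changes the effective action of every dependent rule at once. The classes, the regular expression for the condition syntax, and the variable name ThreatLevel (written without the space used in Table 172, to match the conditions in Tables 173 and 174) are assumptions made for illustration; the rule rows are transcribed from the tables as constructed sample data.

```python
# Added example, not Juniper's code: a small evaluator showing how the values of
# environment variables drive dynamic rule actions. Rule rows, profile names and the
# "If (Var=Value) X Else Y" syntax follow Table 173 and Table 174; the classes and
# functions themselves are assumptions made for illustration.
import re
from dataclasses import dataclass

# Conditional action syntax as written in Table 173,
# e.g. "If (ThreatLevel=High) Deny Else Permit".
_COND_RE = re.compile(
    r"^If\s*\(\s*(\w+)\s*=\s*(\w+)\s*\)\s*(\w+)\s+Else\s+(\w+)$", re.IGNORECASE
)


@dataclass
class EnvVariable:
    """A custom-defined variable as in Table 172 (name written without a space)."""
    name: str
    possible: tuple
    default: str
    current: str = None

    def value(self) -> str:
        return self.current if self.current is not None else self.default

    def set(self, value: str) -> None:
        # Reject values outside the declared range so a typo cannot silently
        # leave every conditional rule on its Else branch.
        if value not in self.possible:
            raise ValueError(f"{value!r} is not one of {self.possible}")
        self.current = value

    def revert(self) -> None:
        self.current = None  # back to the default value


def resolve(expr: str, env: dict) -> str:
    """Evaluate a Table 173 action expression against the current variable values."""
    expr = expr.strip()
    m = _COND_RE.match(expr)
    if not m:
        return expr  # static action such as "Permit" or "None"
    var, wanted, then_action, else_action = m.groups()
    if var not in env:
        raise KeyError(f"rule references undefined variable {var!r}")
    return then_action if env[var].lower() == wanted.lower() else else_action


@dataclass
class Rule:
    rule_id: str
    source: str
    destination: str
    service: str
    firewall: str  # firewall action expression
    ips: str       # IPS profile expression


def effective_actions(rules, variables):
    """Return {rule_id: (firewall_action, ips_profile)} for the current variable values."""
    env = {v.name: v.value() for v in variables}
    return {r.rule_id: (resolve(r.firewall, env), resolve(r.ips, env)) for r in rules}


def match_condition(condition_rows, env):
    """Table 174 style: return (firewall_action, other_actions) for the first row
    whose Environment Condition holds, or None when no row matches."""
    for cond, fw, other in condition_rows:
        var, _, wanted = cond.partition("=")
        if env.get(var.strip()) == wanted.strip():
            return fw, other
    return None


# Table 173, transcribed as constructed sample data.
RULES = [
    Rule("m", "Employee", "Internet video", "http",
         "If (ThreatLevel=High) Deny Else Permit", "None"),
    Rule("n", "WebZone", "DBZone", "DB",
         "Permit", "If (ThreatLevel=High) Adv_profile Else Std_Profile"),
]

# Table 174, rule 1000, as constructed sample data.
RULE_1000_CONDITIONS = [
    ("ThreatLevel=Low", "PERMIT", ["LOG"]),
    ("ThreatLevel=Medium", "PERMIT", ["LOG", "IPS_STD_PROFILE"]),
    ("ThreatLevel=High", "DENY", ["LOG"]),
]


def walkthrough():
    """Step the threat level up, record every rule's effective action, then revert."""
    threat = EnvVariable("ThreatLevel", ("Low", "Medium", "High"), "Low")
    trace = {}
    for level in ("Low", "Medium", "High"):
        threat.set(level)
        env = {threat.name: threat.value()}
        trace[level] = (effective_actions(RULES, [threat]),
                        match_condition(RULE_1000_CONDITIONS, env))
    threat.revert()  # event over: one change restores the original actions
    trace["reverted"] = effective_actions(RULES, [threat])
    return trace


if __name__ == "__main__":
    for level, result in walkthrough().items():
        print(level, result)
```

Running the walkthrough shows the point of the feature: no rule is edited when the threat level changes. At High, rule m flips to Deny and rule n switches to Adv_profile while rule 1000 becomes DENY; reverting the variable to its default restores the Low-level actions for all rules in one step.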

Related Documentation

Benefits of Environment Variables and Conditions
