Creating Unified Firewall Policy Rules
Use the Create Rule page to configure firewall rules that control transit traffic within a context (source zone to destination zone). The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.
Security Director allows a device to have a device-specific policy and to be part of multiple group policies. Rules for a device are updated in this order:
Rules within Policies Applied Before 'Device Specific Policies'
Rules within Device-Specific Policies
Rules within Policies Applied After 'Device Specific Policies'
Rules within Policies Applied Before 'Device Specific Policies' take priority and cannot be overridden. However, you can override rules within Policies Applied After 'Device Specific Policies' by adding an overriding rule in the Device-Specific Policies. In an enterprise scenario, “common-must-enforce” rules can be assigned to a device from the Policies Applied Before ‘Device Specific Policies’, and “common-nice-to-have” rules can be assigned to a device from the Policies Applied After ‘Device Specific Policies’.
An exception can be added on a per device basis in “Device-Specific Policies” . For a complete list of rules applied to a device, select Configure > Firewall Policy > Devices. Select a device to view rules associated with that device.
To configure a firewall unified policy rule:
- Select Configure>Firewall Policy>Unified Policies.
- Select the policy for which you want to define rules and
click the + icon.
The Create Rule page appears.
To edit the rules inline, click the policy to make the fields editable.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK.
The rules you configured are associated with the selected policy.
Table 1: Firewall Unified Policy Rules Setting
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the; maximum length is 63 characters.
Enter a description for the policy rules; maximum length is 1024 characters. Comments entered in this field are sent to the device.
Identify the traffic that the rule applies to
For SRX Series devices, specify a source zone (from-zone) to define the context for the policy. Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Starting in Junos Space Security Director Release 16.2, for MX Series routers, the source zone field acts as an ingress interface from where the packet enters. The match direction is input, if the packet is entering the interface. The match direction is output, if the packet is leaving the interface. Configure the ingress key by selecting the aggregated multiservices (AMS) value.
Starting in Junos Space Security Director Release 16.2, polymorphic zones can be used as source zone and destination zone, when you assign SRX Series devices and MX Series routers to the same group policy.
Enter one or more address names or address set names. Click Select to add source addresses.
On the Source Address page:
(Source) User ID
Specify the source identity (users and roles) to be used as match criteria for the policy. You can have different policy rules based on user roles and user groups.
Click Select to specify source identities to permit or deny. On the User ID page, you can select a user identity from the available list or you can add a new identity by clicking Add New User ID.
To delete a user identity from the Security Director database, click Delete User ID and select a value from the drop-down list, which is not configured in any policy. If you try to delete a user identity which is configured in a policy, a message with its reference ID and user ID are displayed.
Note: The user IDs which are only created in Security Director are displayed in the drop-down list.
(Source) End User Profile
Select an end user profile from the list. The firewall policy rule is applied to it.
When traffic from device A arrives at an SRX Series device, the SRX Series obtains the IP address of device A from the first traffic packet and uses it to search the device identity authentication table for a matching device identity entry. Then it matches that device identity profile with a security policy whose End User Profile field specifies the device identity profile name. If a match is found, the security policy is applied to traffic issuing from device A.
For SRX Series devices, specify a destination zone (to-zone) to define the context for the policy. Zone policies are applied on traffic entering one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Starting in Junos Space Security Director Release 16.2, for MX Series routers, this field acts as an egress interface from where the packet enters. The match direction is input, if the packet is entering the interface. The match direction is output, if the packet is leaving the interface. Configure the egress key by selecting the aggregated multiservices (AMS) value.
Polymorphic zones can be used as source zone and destination zone, when you assign SRX Series devices and MX Series routers to the same group policy.
Select one or more address names or address sets. Click Select to add destination addresses.
On the Destination Address page:
(Destination) URL Category
Select one or more predefined or custom URL category as a match criterion. URL category is supported on devices running Junos OS Release 18.4R3 and later.
Click Select to select a URL category. Select one or more predefined or custom URL categories from the Available list and move them to the Selected list. Click OK.
Configure the dynamic application with one of the following values:
(Service Protocols) Services
Select one or more service (application) names. Select the Include Any Service to disable the any option in the services list builder. Select Include Specific to permit or deny services from the services list builder available column. Click Add New Service to create a service. See Creating Services and Service Groups. Select Default to have the service value as junos-default.
When user configures a value for dynamic application other than None, the default value of service is junos-default.
Action applies to all traffic that matches the specified criteria.
Select the redirect profile from the list. This field is displayed only when the action is Deny and Redirect.
Firewall policies provide a core layer of security that ensures that network traffic is restricted to only that which a policy dictates through its match criteria. When the traditional policy is not enough, select application identification components to create an advanced security profile for the policy:
Note: For using advanced security options, the rule action must be permit.
Juniper ATP Cloud Adaptive Threat Profiling allows SRX Series devices to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events.
Starting in Junos Space Security Director Release 21.2, you can configure a firewall policy with source and destination addresses as threat types, which injects the source IP address and destination IP address into the selected threat feed when traffic matches the rule. Threat feed can be leveraged by other devices as a dynamic-address-group (DAG).
Add Source IP to Feed—Select a security feed from the list. The source IP address is added to the threat feed when the traffic matches the rule.
Add Destination IP to Feed—Select a security feed from the list. The destination IP address is added to the threat feed when the traffic matches the rule.
Note: To use these fields, first enroll the devices in ATP Cloud and then configure Policy Enforcer to display feeds in the drop-down list.
Select a default profile or a custom profile, or you can inherit a policy profile from another policy. Policy profile specifies the basic settings of a security policy. See Creating Firewall Policy Profiles.
Policy schedules allow you to define when a policy is active, and thus are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours. Multiple schedulers can be applied to different policies, but only one scheduler can be active per policy. Select a pre-saved schedule and the schedule options are populated with the selected schedule’s data. Click Add New to create another schedule.
Automated Rule Analysis and Placement
Select this option if you want to analyze rules to avoid any anomalies.
Note: All rules with dynamic application “None” is evaluated first.
To view the analysis report, click View Analysis Report.
Displays the sequence number and the order in which the rule is placed.
To view rule placement in a Policy, click View Placement Inside Policy.