Creating Firewall Policy Profiles

Use this page to create an object that specifies the basic settings of a security policy. You can configure the following basic settings using a policy profile:

Log options
Firewall authentication schemes
Traffic redirection options

When a policy profile is created, Junos Space creates an object in the Junos Space database to represent the policy profile. You can use this object to create security policies.

The security policies enforce rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. Also, you can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times.

Before You Begin

Read the Understanding Firewall Policy Profiles topic.
Create zones.
Create an application (or application set) that indicates that the policy applies to traffic of that type.
Create the policy.
Create schedulers if you plan to use them for your policies.
Review the policy profiles main page for an understanding of your current data set. See Firewall Policy Profiles Main Page Fields for field descriptions.

To configure a policy profile:

Select Configure > Firewall Policy > Profiles.
Click the + icon.
Complete the configuration according to the guidelines provided in the Table 1.
Click OK.

A new policy profile with the predefined policy configurations is created. You can use this object in security policies.

Table 1: Firewall Policy Profile Settings

Settings	Guidelines
Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Description	Enter a description for the policy profile; maximum length is 1024 characters.
Template	Select a Security Director device template to use the predefined device-deployable configuration by replacing the variables with actual values and evaluating the control logic statements.
Logging
Session Initiate	Select this option to enable logging of events when sessions are created.
Session Close	Select this option to enable logging of events when sessions are closed. When logging is enabled, the system logs at session close time by default.
Count	Select this option to enable counting. Once enabled, the number of packets, bytes, and sessions that enter the device for a given policy are counted. You can configure counts in an individual policy.
Alarm Threshold
Bytes to be Logged	Enter the alarm threshold, in bytes per second, of all network traffic the policy allows to pass through the device in both directions from client to server and server to client. The range is from 0 through 4,294,967,295.
Count Value	Enter the alarm threshold, in kilobytes per minute, of all network traffic the policy allows to pass through the device in both directions from client to server and server to client. The range is from 0 through 4,294,967,295.
Authentication
Authentication Type	Select an option to restrict or permit users individually or in groups: None—Allows user without any authentication to restrict or permit clients. Pass Through—Allows user to use an FTP, Telnet, or HTTP client to access the IP address of the protected resource in another zone. Subsequent traffic from the user or host is allowed or denied based on the result of this authentication. Web—Policy allows access to users who have previously been authenticated by Web authentication. User Firewall—Uses the username and role information to determine whether to permit or deny a user's session or traffic. Infranet—Pushes the user and role information for all authenticated users from the Access Control Service.
Authentication Type - Pass Through
Client Name	Enter the names of the users or user groups in a profile for whom this policy allows access. If you do not specify any users or user groups, then any user who is successfully authenticated is allowed access.
Client Direction	Enable an option to redirect HTTP request: Redirect to web—Redirects an HTTP request to the device and redirect the client system to a webpage for authentication. This allows users an easier authentication process because they need to know only the name or IP address of the resource they are trying to access. Redirect to HTTPS—Redirects unauthenticated HTTP requests to the internal HTTPS webserver of the device.
Access Profile Name	Enter a name for the access profile to be used for authentication.
Auth Only Browser	Enable this option to configure the firewall authentication to ignore non browser HTTP/HTTPS traffic. This ensures that the unauthenticated users issuing access requests through HTTP/HTTPS browsers are presented with a captive portal interface to allow them to authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic.
Auth User Agent	Specify a user agent value to be matched against values specified in the browser’s User-Agent header field that identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces. The length of the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser’s User-Agent field for a match. You can either use this parameter for the Pass Through or User Firewall authentication types or in conjunction with the Auth Only Browser parameter.
Authentication Type - Web
Client Name	Enter the names of the users or user groups who have already been Web authenticated and for whom this policy allows access. Web authentication must be enabled on one of the addresses on the interface to which the HTTP request is redirected.
Authentication Type - User Firewall
Domain Name	Enter a domain name for firewall authentication in the event that the Windows Management Instrumentation client (WMIC) is not available to get IP-to-user mapping for the integrated user firewall feature. The maximum length is 63 characters.
Access Profile Name	Enter a name for the access profile to be used for authentication.
Auth Only Browser	Enable this option to configure the firewall authentication to ignore non browser HTTP/HTTPS traffic. This ensures that the unauthenticated users issuing access requests through HTTP/HTTPS browsers are presented with a captive portal interface to allow them to authenticate. By default, firewall authentication responds to all HTTP/HTTPS traffic.
Auth User Agent	Specify a user agent value to be matched against values specified in the browser’s User-Agent header field that identifies the traffic as HTTP/HTTPS browser traffic. You can specify only one user agent value for a security policy configuration. The value must not contain spaces. The length of the string must be 17 characters or less. For example, you can specify Opera to be verified against the browser’s User-Agent field for a match. You can either use this parameter for the Pass Through or User Firewall authentication types or in conjunction with the Auth Only Browser parameter.
Authentication Type - User Infranet
Redirect URL	Enter a URL for the webpage to which the client is directed. For example: https://www.juniper.net/.
Redirect Options	Select an option to redirect encrypted or unencrypted traffic: None—To not redirect any traffic All Traffic—To redirect the encrypted traffic Unauthenticated Traffic—To redirect the unencrypted traffic
Advance Settings
Datacenter SRX Acceleration	Enable this option to process fast-path packets in the network processor instead of in the Services Processing Unit (SPU). When performing the policy check, the SPU verifies if the traffic is qualified for services offloading.
Destination Address Translation	Select an option to specify whether the traffic permitted by the policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated: Drop Untranslated—You do not want to translate the destination address. Traffic permitted by the policy is limited to packets where the destination IP address has not been translated. Drop Translated—You want to translate the destination address. Traffic permitted by the policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule.
Redirect Options	Select an option to define the acceleration policy for WX redirection of packets to the WXC Integrated Service Module (ISM 200) for WAN acceleration: None—You want traffic to be redirected Redirect WX—You want to enable Wx redirection for packets that arrive from the LAN Reverse Redirect WX—You want to enable WX redirection for the reverse flow of packets that arrive from the WAN. During the redirection process, the direction of the WX packet and its type determine further processing of the packet.
TCP-Session Options
TCP-SYN	Enable this option for the device to reject TCP segments with non-SYN flags set unless they belong to an established session.
TCP Sequence	Enable this option to monitor the TCP byte sequence counter and to validate the trusted acknowledgment number against the untrusted sequence number.
Window Scale	Enable this option to increase the network transmission speed.
Initial TCP MSS	Select the TCP maximum segment size (MSS) for packets arriving at the ingress interface (initial direction). If the value in the packet is higher than the one you select, the configured value overrides the TCP MSS value in the incoming packet. The range is 64 through 65535.
Reverse TCP MSS	Select the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session. If the value in the packet is higher than the one you select, the configured value replaces the TCP MSS value. The range is 64 through 65535.

Creating Firewall Policy Profiles

Before You Begin

Related Documentation