

Security Configuration Statement Hierarchy

For the integrated ClearPass authentication and enforcement feature, use the statements in the security hierarchy for the following purposes:

  • To set the authentication source priority for Aruba ClearPass, if required, to ensure that the system checks the ClearPass authentication table for user authentication information before other authentication tables.
  • To set the threat-attack filter and the rate limit, which together control which logs are sent from the SRX Series device to the CPPM and the rate at which they are sent.

The security hierarchy also allows you to configure aspects of many other features, including certificates, dynamic virtual private networks, firewall authentication, flow, forwarding options, group VPNs, Internet Key Exchange (IKE), Internet Protocol Security (IPsec), Intrusion Detection Prevention (IDP), logging, Network Address Translation (NAT), policies, public key infrastructure (PKI), resource manager, rules, SCREENS, secure shell known hosts, trace options, Unified Threat Management (UTM), user identification, and zones.

security {address-book (book-name | global) {address address-name {ip-prefix {description text;}description text;dns-name domain-name {ipv4-only;ipv6-only;}range-address lower-limit to upper-limit;wildcard-address ipv4-address/wildcard-mask;}address-set address-set-name {address address-name;address-set address-set-name;description text;}attach { zone zone-name;}description text;}alarms {audible {continuous;}potential-violation {authentication failures;cryptographic-self-test; decryption-failures {threshold value;}encryption-failures {threshold value;}idp;ike-phase1-failures {threshold value;}ike-phase2-failures {threshold value;}key-generation-self-test;non-cryptographic-self-test;policy {application {duration interval;size count;threshold value;}destination-ip {duration interval;size count;threshold value;}policy match {duration interval;size count;threshold value;}source-ip {duration interval;size count;threshold value;}}replay-attacks { threshold value;}security-log-percent-full percentage;}}alg {alg-manager {traceoptions {flag {all <extensive>;}}}alg-support-lib {traceoptions {flag {all <extensive>;}}}dns {disable;doctoring (none | sanity-check);maximum-message-length number;traceoptions {flag {all <extensive>;}}}ftp {allow-mismatch-ip-address;disable;ftps-extension;line-break-extension;traceoptions {flag {all <extensive>;}}}h323 {application-at a {message-flood {gatekeeper {threshold rate; }}unknown-message {permit-nat-applied;permit-routed;}}disable;dscp-rewrite {code-point string;}endpoint-registration-timeout value-in-seconds;media-source-port-any;traceoptions {flag flag <detail | extensive | terse>;}}ike-esp-nat { enable;esp-gate-timeout value-in-seconds;esp-session-timeout value-in-seconds; state-timeout value-in-seconds;traceoptions {flag {all <extensive>;}}}mgcp {application-screen {connection-flood {threshold rate; }message-flood {threshold rate; }unknown-message {permit-nat-applied;permit-routed;}}disable;dscp-rewrite {code-point 
string;}inactive-media-timeout value-in-seconds;maximum-call-duration value-in-minutes;traceoptions {flag flag <extensive>;}transaction-timeout value-in-seconds;}msrpc {disable;traceoptions {flag {all <extensive>;}}}pptp {disable;traceoptions {flag {all <extensive>;}}}real {disable;traceoptions {flag {all <extensive>;}}}rsh {disable;traceoptions {flag {all <extensive>;}}}rtsp {disable;traceoptions {flag {all <extensive>;}}}sccp {application-screen {call-flood {threshold rate; }unknown-message {permit-nat-applied;permit-routed;}}disable;dscp-rewrite {code-point string;}inactive-media-timeout value-in-seconds;traceoptions {flag flag <extensive>;}}sip {application-screen {protect {deny {all {timeout value-in-seconds;}destination-ip address;timeout value-in-seconds;}}unknown-message {permit-nat-applied;permit-routed;}}c-timeout value-in-minutes;disable;dscp-rewrite {code-point string;}inactive-media-timeout value-in-seconds;maximum-call-duration value-in-minutes;retain-hold-resource;t1-interval value-in-milliseconds;t4-interval value-in-seconds;traceoptions {flag flag <detail | extensive | terse>;}}sql {disable;traceoptions {flag {all <extensive>;}}}sunrpc {disable;traceoptions {flag {all <extensive>;}}}talk {disable;traceoptions {flag {all <extensive>;}}}tftp {disable;traceoptions {flag {all <extensive>;}}}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}level (brief | detail | extensive | verbose);no-remote-trace;}}analysis no-report;application-firewall {rule-sets rule-set-name {rule rule-name {default-rule (deny | permit);match {dynamic-application [system-application];dynamic-application-groups [system-application-group];}then (deny | permit);}}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}application-tracking {disable;first-update | (first-update-interval 
first-update-interval);session-update-interval session-update-interval;}certificates {cache-size bytes;cache-timeout-negative seconds;certification-authority profile-name {ca-name name;crl filename;encoding (binary | pem);enrollment-url url;file filename;ldap-url url;}enrollment-retry number;local name {certificate;load-key-file url;}maximum-certificates number;path-length length;}datapath-debug {action-profile profile-name {event (jexec | lbt | lt-enter | lt-leave | mac-egress | mac-ingress | np-egress | np-ingress | pot) {count;packet-dump;packet-summary;trace; }module {flow {flag {all;}}}preserve-trace-order;record-pic-history;}capture-file {filename;files files-number;format pacp-format;(no-world-readable | world-readable);size maximum-file-size;}maximum-capture-size value;packet-filter packet-filter-name {action-profile (profile-name | default);destination-port (port-range | protocol-name);destination-prefix destination-prefix;interface logical-interface-name;protocol (protocol-number | protocol-name;source-port (port-range | protocol- name);source-prefix source-prefix;}trace-options {file {filename;files files-number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}no-remote-trace;}}dynamic-vpn {access-profile profile-name; clients configuration-name {ipsec-vpn vpn-name;remote-exceptions ip-address/mask;remote-protected-resources ip-address/mask;user username;}force-upgrade;}firewall-authentication {traceoptions {flag flag;}}flow {aging {early-ageout seconds;high-watermark percent;low-watermark percent;}allow-dns-reply;bridge {block-non-ip-all;bpdu-vlan-flooding;bypass-non-ip-unicast;no-packet-flooding {no-trace-route;}}force-ip-reassembly;pending-sess-queue-length (high | moderate | normal);route-change-timeout seconds;syn-flood-protection-mode (syn-cookie | syn-proxy);tcp-mss {all-tcp mss value;gre-in {mss value;}gre-out {mss value;}ipsec-vpn {mss value;}}tcp-session 
{no-sequence-check;no-syn-check;no-syn-check-in-tunnel;rst-invalidate-session;rst-sequence-check;strict-syn-check;tcp-initial-timeout seconds;time-wait-state {(session-ageout | session-timeout seconds);}}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;packet-filter filter-name {destination-port port-identifier;destination-prefix address;interface interface-name;protocol protocol-identifier;source-port port-identifier;source-prefix address;}rate-limit rate-limit;}}forwarding-options {family {inet6 {mode (drop | flow-based | packet-based); }iso {mode packet-based;}mpls {mode packet-based;}}}forwarding-process {application-services {maximize-alg-sessions;maximize-cp-sessions; maximize-idp-sessions {inline-tap;weight (equal | firewall | idp);}session-distribution-mode {hash-based;}}}gprs {gtp {enable;profile profile-name {apn pattern-string {mcc-mnc mcc-mnc-number {action {drop; pass;selection (ms|net|vrf);}}}drop {aa-create-pdp (0 | 1 | 2 | all);aa-delete-pdp (0 | 1 | 2 | all);bearer-resource (0 | 1 | 2 | all);change-notification (0 | 1 | 2 | all);config-transfer (0 | 1 | 2 | all);context (0 | 1 | 2 | all);create-bearer (0 | 1 | 2 | all);create-data-forwarding (0 | 1 | 2 | all);create pdp (0 | 1 | 2 | all);create-session (0 | 1 | 2 | all);create-tnl-forwarding (0 | 1 | 2 | all);cs-paging (0 | 1 | 2 | all);data-record (0 | 1 | 2 | all);delete-bearer (0 | 1 | 2 | all);delete-command (0 | 1 | 2 | all);delete-data-forwarding (0 | 1 | 2 | all);delete-pdn (0 | 1 | 2 | all);delete-pdp (0 | 1 | 2 | all);delete-session (0 | 1 | 2 | all);detach (0 | 1 | 2 | all);downlink-notification (0 | 1 | 2 | all);echo (0 | 1 | 2 | all);error-indication (0 | 1 | 2 | all);failure-report (0 | 1 | 2 | all);fwd-access (0 | 1 | 2 | all);fwd-relocation (0 | 1 | 2 | all);fwd-srns-context (0 | 1 | 2 | all);g-pdu (0 | 1 | 2 | all);identification (0 | 1 | 2 | all);mbms-sess-start (0 | 1 | 2 | 
all);mbms-sess-stop (0 | 1 | 2 | all);mbms-sess-update (0 | 1 | 2 | all);modify-bearer (0 | 1 | 2 | all);modify-command (0 | 1 | 2 | all);node-alive (0 | 1 | 2 | all);note-ms-present (0 | 1 | 2 | all);pdu-notification (0 | 1 | 2 | all);ran-info (0 | 1 | 2 | all);redirection (0 | 1 | 2 | all);release-access (0 | 1 | 2 | all);relocation-cancel (0 | 1 | 2 | all);resume (0 | 1 | 2 | all);send-route (0 | 1 | 2 | all);sgsn-context (0 | 1 | 2 | all);stop-paging (0 | 1 | 2 | all);supported-extension (0 | 1 | 2 | all);suspend (0 | 1 | 2 | all);trace-session (0 | 1 | 2 | all);update-bearer (0 | 1 | 2 | all);update-pdn (0 | 1 | 2 | all);update-pdp (0 | 1 | 2 | all);ver-not-supported (0 | 1 | 2 | all);}gtp-in-gtp-denied;log {forwarded (basic | detail);prohibited (basic | detail);rate-limited {(basic | detail);frequency-number number;}state-invalid (basic | detail);}max-message-length number;min-message-length number;rate-limit limit;remove-ie {version v1 {number ie-number;release (R6 | R7 | R8 | R9);}}restart-path (all | create | echo);timeout (value);}traceoptions {file {filename;files number;matchregular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}} sctp { log {configuration;decoding-error;dropped-packet;exceeding-rate-limit;}profile profile-name {association-timeout time-in-minutes; drop { m3ua-service { isup; sccp; tup; }payload-protocol { all; asap; bicc; ddp-segment; ddp-stream; dua; enrp; h248; h323; iua; m2pa; m2ua; m3ua; qipc; reserved; simco; sua; tali; v5ua; }}handshake-timeout time-in-seconds; limit { rate { address ip-address { sccp rate-limit; ssp rate-limit; sst rate-limit; } sccp rate-limit; ssp rate-limit; sst rate-limit; }}}traceoptions {file {filename;files number;matchregular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}}group-vpn {co-location;member {ike {gateway gateway-name {address [ip-address-or-hostname];ike-policy policy-name;local-address 
ip-address;local-identity {(distinguished-name | hostname hostname | inet ipv4-ip-address | user-at-hostname e-mail-address);}}policy policy-name {certificate {local-certificate certificate-id;peer-certificate-type [pkcs7 | x509-signature);trusted-ca (ca-index | use-all);}description description;mode (aggressive | main); pre-shared-key (ascii-text key | hexadecimal key);proposal-set (basic | compatible | standard);proposals [proposal-name];}proposal proposal-name {authentication-algorithm (md5 | sha-256 | sha1);authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);description description;dh-group (group1 | group14 | group2 | group5);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);lifetime-seconds seconds;}}ipsec {vpn vpn-name {group id;group-vpn-external-interface interface;heartbeat-threshold number;ike-gateway gateway-name;}}}server {group name{activation-time-delay seconds;anti-replay-time-window seconds;description description;group-id number;ike-gateway gateway-name;ipsec-sa name {match-policy policy-name {destination ip-address/netmask;destination-port number;protocol number;source ip-address/netmask;source-port number;}proposal proposal-name;}no-anti-replay;server-address ip-address;server-member-communication {certificate certificate-id;communication-type (multicast | unicast);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);heartbeat seconds;lifetime-seconds seconds;multicast-group address;multicast-outgoing-interface interface;number-of-retransmission number;retransmission-period seconds;sig-hash-algorithm (md5 | sha1);}}ike {gateway gateway-name {address (ip-address | hostname);dynamic {(distinguished-name <container container-string> <wildcard wildcard-string> | hostname domain-name | inet ip-address | user-at-hostname e-mail-address);}ike-policy policy-name;local-identity {(distinguished-name | hostname hostname | inet ip-address | user-at-hostname 
e-mail-address);}}policy policy-name {certificate {local-certificate certificate-id;peer-certificate-type [pkcs7 | x509-signature);trusted-ca (ca-index | use-all);}description description;mode (aggressive | main); pre-shared-key (ascii-text key | hexadecimal key);proposal-set (basic | compatible | standard);proposals [proposal-name];}proposal proposal-name {authentication-algorithm (md5 | sha-256 | sha1);authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);description description;dh-group (group1 | group14 | group2 | group5);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);}}ipsec {proposal proposal-name {authentication-algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha1-96);description description;encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);lifetime-seconds seconds;}}traceoptions {file {filename;files number;matchregular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}}idp {active-policy policy-name; custom-attack attack-name{attack-type {anomaly {direction (any | client-to-server | server-to-client);service service-name;shellcode (all | intel | no-shellcode | sparc);test test-condition ;}chain {expression boolean-expression;member member-name {attack-type {(anomaly | signature);}}order;protocol-binding {application application-name;icmp;ip {protocol-number transport-layer-protocol-number ; }rpc {program-number rpc-program-number ;}tcp {minimum-port port-number maximum-port port-number ;}udp {minimum-port port-number maximum-port port-number;}}reset;scope (session | transaction);}signature {context context-name;direction (any | client-to-server | server-to-client);negate;pattern signature-pattern;protocol {icmp {code {match (equal | greater-than | less-than | not-equal);value code-value;}data-length {match (equal | greater-than | less-than | not-equal);value data-length;}identification {match (equal | greater-than | 
less-than | not-equal);value identification-value;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number;}type {match (equal | greater-than | less-than | not-equal);value type-value;}}ip {destination {match (equal | greater-than | less-than | not-equal);value hostname;}identification {match (equal | greater-than | less-than | not-equal);value identification-value;}ip-flags {(df | no-df);(mf | no-mf);(rb | no-rb);}protocol {match (equal | greater-than | less-than | not-equal);value transport-layer-protocol-id ;}source {match (equal | greater-than | less-than | not-equal);value hostname;}tos {match (equal | greater-than | less-than | not-equal);value type-of-service-in-decimal;}total-length {match (equal | greater-than | less-than | not-equal);value total-length-of-ip-datagram;}ttl {match (equal | greater-than | less-than | not-equal);value time-to-live;}}tcp {ack-number {match (equal | greater-than | less-than | not-equal);value acknowledgement-number ;}data-length {match (equal | greater-than | less-than | not-equal);value tcp-data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value destination-port;}header-length {match (equal | greater-than | less-than | not-equal);value header-length;}mss {match (equal | greater-than | less-than | not-equal);value maximum-segment-size ;}option {match (equal | greater-than | less-than | not-equal);value tcp-option;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number;}source-port {match (equal | greater-than | less-than | not-equal);value source-port;}tcp-flags {(ack | no-ack);(fin | no-fin);(psh | no-psh);(r1 | no-r1);(r2 | no-r2);(rst | no-rst);(syn | no-syn);(urg | no-urg);}urgent-pointer {match (equal | greater-than | less-than | not-equal);value urgent-pointer;}window-scale {match (equal | greater-than | less-than | not-equal);value window-scale-factor;}window-size {match (equal | greater-than | less-than | 
not-equal);value window-size;}}udp {data-length {match (equal | greater-than | less-than | not-equal);value data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value destination-port;}source-port {match (equal | greater-than | less-than | not-equal);value source-port;}}}protocol-binding {application application-name;icmp;ip {protocol-number transport-layer-protocol-number ;}rpc {program-number rpc-program-number ;}tcp {minimum-port port-number maximum-port port-number ;}udp {minimum-port port-number maximum-port port-number;}}regexp regular-expression;shellcode (all | intel | no-shellcode | sparc);}}recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);severity (critical | info | major | minor | warning);time-binding {count count-value;scope (destination | peer | source);}}custom-attack-group custom-attack-group-name {group-members [attack-group-name | attack-name];}dynamic-attack-group dynamic-attack-group-name { filters { category { values [list-of-values]; } direction { expression [and | or]; values [any | client-to-server | exclude-any | exclude-client-to-server | exclude-server-to-client | server-to-client]; } false-positives { values [frequently | occasionally | rarely | unknown]; } performance { values [fast | normal | slow | unknown]; } products { values [list-of-values]; } recommended; service { values [list-of-values]; } severity { values [critical | info | major | minor | warning]; } type { values [anomaly | signature]; }}}idp-policy policy-name {rulebase-ddos {rule rule-name {description text;match {application (application-name | any | default);application-ddos {(application-name | adp);destination-address [ any names ];destination-except [ names ];from-zone (zone-name | any);source-address [ names ];source-except [ names ];to-zone zone-name;}then {action {(close-server | drop-connection | drop-packet | no-action);}ip-action {(ip-block | ip-close | ip-connection-rate-limit 
connections-per-second | ip-notify);log;log-create;refresh-timeout;timeout seconds;}notification {log-attacks {alert;}}}}}rulebase-exempt {rule rule-name {description text ;match {application [application-name];attacks {custom-attacks [attack-name];predefined-attack-groups [attack-name];predefined-attacks [attack-name];}destination-address [address-name];destination-except [address-name];from-zone zone-name ;source-address [address-name];source-except [address-name];to-zone zone-name ;}}}rulebase-ips {rule rule-name {description text ;match {attacks {custom-attacks [attack-name];predefined-attack-groups [attack-name];predefined-attacks [attack-name];}destination-address [address-name];destination-except [address-name];from-zone zone-name ;source-address [address-name];source-except [address-name];to-zone zone-name ;}terminal;then {action {(close-client | close-client-and-server | close-server |drop-connection | drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);}ip-action {(ip-block | ip-close | ip-notify);log;log-create;refresh-timeout;target (destination-address | service | source-address | source-zone | zone-service);timeout seconds;}notification {log-attacks {alert;(}}severity (critical | info | major | minor | warning);}}}}security-package {automatic {enable;interval hours ;start-time start-time ;}url url-name ;}sensor-configuration {application-identification {max-packet-memory value ;max-tcp-session-packet-memory value ;max-udp-session-packet-memory value ;}detector {protocol-name protocol-name {tunable-name tunable-name {tunable-value protocol-value ;}}}flow {(allow-icmp-without-flow | no-allow-icmp-without-flow);(log-errors | no-log-errors);max-timers-poll-ticks value ;reject-timeout value ;(reset-on-policy | no-reset-on-policy);}global {(enable-all-qmodules | no-enable-all-qmodules);(enable-packet-pool | no-enable-packet-pool);(policy-lookup-cache | no-policy-lookup-cache);}high-availability 
{no-policy-cold-synchronization;}ips {detect-shellcode;ignore-regular-expression;log-supercede-min minimum-value ;pre-filter-shellcode;process-ignore-s2c;process-override;process-port port-number ;}log {cache-size size ;suppression {disable;include-destination-address;max-logs-operate value ;max-time-report value ;start-log value ;}}re-assembler {ignore-memory-overflow;ignore-reassembly-memory-overflow;ignore-reassembly-overflow;max-flow-mem value ;max-packet-mem value ;}}traceoptions {file filename {<files number >;<match regular-expression >;<size maximum-file-size >;<world-readable | no-world-readable>;}flag all;level (all | error | info | notice | verbose | warning);no-remote-trace;}}ike {gateway gateway-name {address [ip-address-or-hostname];dead-peer-detection {always-send;interval seconds;threshold number;}dynamic { connections-limit number; (distinguished-name <container container-string> <wildcard wildcard-string> | hostname domain-name | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);ike-user-type (group-ike-id | shared-ike-id); }external-interface external-interface-name;general-ikeid;ike-policy policy-name;local-identity {(distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);}nat-keepalive seconds;no-nat-traversal;remote-identity {(distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);}version (v1-only | v2-only);xauth {access-profile profile-name;}}policy policy-name {certificate {local-certificate certificate-id;peer-certificate-type (pkcs7 | x509-signature);trusted-ca (ca-index | use-all);}description description;mode (aggressive | main);pre-shared-key (ascii-text key | hexadecimal key);proposal-set (basic | compatible | standard);proposals [proposal-name];}proposal proposal-name {authentication-algorithm (md5 | sha-256 | sha1);authentication-method 
(dsa-signatures | pre-shared-keys | rsa-signatures);description description;dh-group (group1 | group14 | group2 | group5);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);lifetime-seconds seconds;}respond-bad-spi <max-responses>;traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;rate-limit messages-per-second;}}ipsec { policy policy-name { description description; perfect-forward-secrecy keys (group1 | group14 | group2 | group5); proposal-set (basic | compatible | standard); proposals [proposal-name];}proposal proposal-name {authentication-algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha1-96); description description; encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);lifetime-kilobytes kilobytes; lifetime-seconds seconds;protocol (ah | esp);} traceoptions { flag flag;} vpn vpn-name { bind-interface interface-name; df-bit (clear | copy | set); establish-tunnels (immediately | on-traffic); ike { gateway gateway-name; idle-time seconds; install-interval seconds; ipsec-policy ipsec-policy-name; no-anti-replay; proxy-identity { local ip-prefix; remote ip-prefix; service (any | service-name); }} manual { authentication { algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha1-96); key (ascii-text key | hexadecimal key);} encryption { algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc); key (ascii-text key | hexadecimal key); } external-interface external-interface-name; gateway ip-address; protocol (ah | esp); spi spi-value; } vpn-monitor { destination-ip ip-address; optimized; source-interface interface-name; }} vpn-monitor-options { interval seconds; threshold number; }}key-protection;log {cache {exclude exclude-name {destination-address destination-address;destination-port destination-port;event-id event-id;failure;interface-name interface-name;policy-name policy-name;process 
process-name;protocol protocol;source-address source-address;source-port source-port;success;user-name user-name;}limit value;}disable;event-rate rate;file {files max-file-number;name file-name;path binary-log-file-path;size maximum-file-size;}format (binary | sd-syslog | syslog);mode (event | stream);source-address source-address;stream stream-name {category (all | content-security);filter threat-attack;format (binary | sd-syslog | syslog | welf);host {ip-address;port port-number;}rate-limit log-server-limit;severity (alert | critical | debug | emergency | error | info | notice | warning);}traceoptions {file {file-name;files max-file-number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}utc-time-stamp;}nat {destination {pool pool-name {address ip-address {(port port-number | to ip-address);}description text;routing-instance routing-instance-name;}rule-set rule-set-name {description text;from {interface [interface-name];routing-instance [routing-instance-name];zone [zone-name];}rule rule-name {description text;match {(destination-address <ip-address> | destination-address-name <address-name>);destination-port port-number;protocol [protocol-name-or-number];source-address [ip-address];source-address-name [address-name];}then {destination-nat (off | pool pool-name);}}}}proxy-arp {interface interface-name {address ip-address {to ip-address;}}}proxy-ndp {interface interface-name {address ip-address {to ip-address;}}}source {address-persistent;interface {port-overloading { off;}}pool pool-name {address ip-address {to ip-address;}description text;host-address-base ip-address;overflow-pool (interface | pool-name);port {(no-translation | port-overloading-factor number | range port-low <to port-high>);}routing-instance routing-instance-name;}pool-default-port-range lower-port-range to upper-port-range;pool-utilization-alarm {clear-threshold value;raise-threshold value;}port-randomization {disable;}rule-set 
rule-set-name {description text;from {interface [interface-name];routing-instance [routing-instance-name];zone [zone-name];}rule rule-name {description text;match {(destination-address <ip-address> | destination-address-name <address-name>);destination-port port-number;protocol [protocol-name-or-number];source-address [ip-address];source-address-name [address-name];}then {source-nat {interface {persistent-nat {address-mapping;inactivity-timeout seconds;max-session-number value;permit (any-remote-host | target-host | target-host-port);}}off;pool { persistent-nat { address-mapping;inactivity-timeout seconds;max-session-number number;permit (any-remote-host | target-host | target-host-port); } pool-name;}}}}to {interface [interface-name];routing-instance [routing-instance-name];zone [zone-name];}}}static {rule-set rule-set-name {description text;from {interface [interface-name];routing-instance [routing-instance-name];zone [zone-name];}rule rule-name {description text;match {(destination-address ip-address | destination-address-name address-name);}then {static-nat {inet {routing-instance (default | routing-instance-name);}prefix {address-prefix;routing-instance (default | routing-instance-name);}prefix-name {address-prefix-name;routing-instance (default | routing-instance-name);}}}}}}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}pki {auto-re-enrollment {certificate-id certificate-id-name {ca-profile-name ca-profile-name ;challenge-password password ;re-enroll-trigger-time-percentage percentage ;re-generate-keypair;}}ca-profile ca-profile-name {administrator {e-mail-address e-mail-address;}ca-identity ca-identity;enrollment {retry number;retry-interval seconds;url url-name;}revocation-check {crl {disable {on-download-failure;}refresh-interval hours;url url-name ;}disable;}routing-instance routing-instance-name;}traceoptions {file filename {files number;match 
regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}policies {default-policy (deny-all | permit-all);from-zone zone-name to-zone zone-name {policy policy-name {description description;match {application {[application];any;}destination-address {[address];any;any-ipv4;any-ipv6;}source-address {[address];any;any-ipv4;any-ipv6;}source-identity {[role-name];any;authenticated-user;unauthenticated-user;unknown-user;}}scheduler-name scheduler-name;then {count { alarm {per-minute-threshold number; per-second-threshold number;}}deny;log {session-close;session-init;}permit {application-services {application-firewall {rule-set rule-set-name;}application-traffic-control {rule-set rule-set-name;}gprs-gtp-profile profile-name;gprs-sctp-profile profile-name;idp;redirect-wx | reverse-redirect-wx;ssl-proxy {profile-name profile-name;}uac-policy {captive-portal captive-portal;}utm-policy policy-name;}destination-address {drop-translated;drop-untranslated;}firewall-authentication {pass-through {access-profile profile-name;client-match user-or-group-name;web-redirect;}web-authentication {client-match user-or-group-name;}}services-offload;tcp-options {sequence-check-required;syn-check-required;}tunnel {ipsec-group-vpn group-vpn;ipsec-vpn vpn-name;pair-policy pair-policy;}}reject;}}}global {policy policy-name {description description;match {application {[application];any;}destination-address {[address];any;any-ipv4;any-ipv6;}source-address {[address];any;any-ipv4;any-ipv6;}source-identity {[role-name];any;authenticated-user;unauthenticated-user;unknown-user;}}scheduler-name scheduler-name;then { count { alarm {per-minute-threshold number; per-second-threshold number;}}deny;log {session-close;session-init;}permit {application-services {application-firewall {rule-set rule-set-name;}application-traffic-control {rule-set rule-set-name;}gprs-gtp-profile profile-name;gprs-sctp-profile profile-name;idp;redirect-wx | 
reverse-redirect-wx;ssl-proxy {profile-name profile-name;}uac-policy {captive-portal captive-portal;}utm-policy policy-name;}destination-address {drop-translated;drop-untranslated;}firewall-authentication {pass-through {access-profile profile-name;client-match user-or-group-name;web-redirect;}web-authentication {client-match user-or-group-name;}}services-offload;tcp-options {sequence-check-required;syn-check-required;}}reject;}}}policy-rematch;traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}resource-manager {traceoptions {flag flag;}}screen {ids-option screen-name { alarm-without-drop;description text;icmp {flood {threshold number;}fragment;ip-sweep {threshold number;}large;ping-death;}ip {bad-option;block-frag;loose-source-route-option;record-route-option;security-option;source-route-option;spoofing;stream-option;strict-source-route-option;tear-drop;timestamp-option;unknown-protocol;}limit-session {destination-ip-based number;source-ip-based number;}tcp {fin-no-ack;land;port-scan {threshold number;}syn-ack-ack-proxy {threshold number;}syn-fin;syn-flood {alarm-threshold number;attack-threshold number;destination-threshold number;source-threshold number;timeout seconds;white-list name {destination-address destination-address;source-address source-address;}}syn-frag;tcp-no-flag;tcp-sweep {threshold threshold number;}winnuke;}udp {flood {threshold number;}udp-sweep {threshold threshold number;}}}}traceoptions {file filename {files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;}}softwires {softwire-name name { softwire-concentrator ipv6-address; softwire-type IPv4-in-IPv6;}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag (all | configuration | flow);no-remote-trace;}}ssh-known-hosts {fetch-from-server 
server-name;host hostname {dsa-key dsa-key;ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;rsa-key rsa-key;rsa1-key rsa1-key;}load-key-file key-file;}traceoptions {file {filename;files number;match regular-expression;(no-world-readable | world-readable);size maximum-file-size;}flag flag;no-remote-trace;rate-limit messages-per-second;}user-identification {authentication-source {active-directory-authentication-table ( priority priority);aruba-clearpass (priority priority);local-authentication-table ( priority priority);unified-access-control ( priority priority);}}}utm {application-proxy {traceoptions {flag flag;}}custom-objects {custom-url-category object-name {value [value];}filename-extension object-name {value [value];}mime-pattern object-name {value [value];}protocol-command object-name {value [value];}url-pattern object-name {value [value];}}feature-profile {anti-spam {address-blacklist list-name;address-whitelist list-name;sbl {profile profile-name {custom-tag-string [string];(no-sbl-default-server | sbl-default-server);spam-action (block | tag-header | tag-subject);}}traceoptions {flag flag;}}anti-virus {juniper-express-engine {pattern-update {email-notify {admin-email email-address;custom-message message;custom-message-subject message-subject;}interval value;no-autoupdate;proxy {password password-string;port port-number;server address-or-url;username name;}url url;}profile profile-name { fallback-options {content-size (block | log-and-permit);default (block | log-and-permit);engine-not-ready (block | log-and-permit);out-of-resources (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}notification-options {fallback-block {administrator-email email-address;allow-email;custom-message message;custom-message-subject message-subject;display-host;(no-notify-mail-sender | notify-mail-sender); type (message | 
protocol-only);}fallback-non-block {custom-message message;custom-message-subject message-subject;(no-notify-mail-recipient | notify-mail-recipient);}virus-detection {custom-message message;custom-message-subject message-subject;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}}scan-options {content-size-limit value;(intelligent-prescreening | no-intelligent-prescreening);timeout value;}trickling {timeout value;}}}kaspersky-lab-engine {pattern-update {email-notify {admin-email email-address;custom-message message;custom-message-subject message-subject;}interval value;no-autoupdate;proxy {password password-string;port port-number;server address-or-url;username name;}url url;}profile profile-name { fallback-options {content-size (block | log-and-permit);corrupt-file (block | log-and-permit);decompress-layer (block | log-and-permit);default (block | log-and-permit);engine-not-ready (block | log-and-permit);out-of-resources (block | log-and-permit);password-file (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}notification-options {fallback-block {administrator-email email-address;allow-email;custom-message message;custom-message-subject message-subject;display-host;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}fallback-non-block {custom-message message;custom-message-subject message-subject;(no-notify-mail-recipient | notify-mail-recipient);}virus-detection {custom-message message;custom-message-subject message-subject;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}}scan-options {content-size-limit value;decompress-layer-limit value;(intelligent-prescreening | no-intelligent-prescreening);scan-extension filename;scan-mode (all | by-extension);timeout value;}trickling {timeout value;}}}mime-whitelist {exception listname;list listname {exception listname;}}sophos-engine {pattern-update {email-notify {admin-email 
email-address;custom-message message;custom-message-subject message-subject;}interval value;no-autoupdate;proxy {password password-string;port port-number;server address-or-url;username name;}url url;}profile <name> {fallback-options {content-size (block | log-and-permit | permit);default (block | log-and-permit | permit);engine-not-ready (block | log-and-permit | permit);out-of-resources (block | log-and-permit | permit);timeout (block | log-and-permit | permit);too-many-requests (block | log-and-permit | permit);}notification-options {fallback-block {administrator-email email-address;allow-email;custom-message message;custom-message-subject message-subject;display-host;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}fallback-non-block {custom-message message;custom-message-subject message-subject;(no-notify-mail-recipient | notify-mail-recipient);}virus-detection {custom-message message;custom-message-subject message-subject;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}}scan-options {content-size-limit value;(no-uri-check | uri-check);timeout value;}trickling {timeout value;}}sxl-retry value;sxl-timeout seconds;}traceoptions {flag flag;} type (juniper-express-engine | kaspersky-lab-engine | sophos-engine);url-whitelist listname;}content-filtering {profile profile-name { block-command protocol-command-list;block-content-type (activex | exe | http-cookie | java-applet | zip);block-extension extension-list;block-mime {exception list-name;list list-name;}notification-options {custom-message message;(no-notify-mail-sender | notify-mail-sender); type (message | protocol-only);}permit-command protocol-command-list;}traceoptions {flag flag;}}web-filtering {juniper-enhanced {cache {size value;timeout value;}profile profile-name {block-message {type {custom-redirect-url;}url url;}category customurl-list name {action (block | log-and-permit | permit);}custom-block-message value;default (block | log-and-permit | 
permit);fallback-settings {default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}no-safe-search;site-reputation-action {fairly-safe (block | log-and-permit | permit);harmful (block | log-and-permit | permit);moderately-safe (block | log-and-permit | permit);suspicious (block | log-and-permit | permit);very-safe (block | log-and-permit | permit);}timeout value;}server {host host-name;port number;}}juniper-local {profile profile-name {custom-block-message value;default (block | log-and-permit | permit);fallback-settings {default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}timeout value;}}surf-control-integrated {cache {size value;timeout value;}profile profile-name {category customurl-list name {action (block | log-and-permit | permit);}custom-block-message value;default (block | log-and-permit | permit);fallback-settings {default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}timeout value;}server {host host-name;port number;}}traceoptions {flag flag;}type (juniper-enhanced | juniper-local | surf-control-integrated | websense-redirect);url-blacklist listname;url-whitelist listname;websense-redirect { profile profile-name {account value;custom-block-message value;fallback-settings {default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);}server {host host-name;port number;}sockets value; timeout value;}}}}ipc {traceoptions {flag flag;}}traceoptions {flag flag;}utm-policy policy-name {anti-spam {smtp-profile profile-name;}anti-virus {ftp {download-profile profile-name;upload-profile profile-name;}http-profile profile-name;imap-profile profile-name;pop3-profile 
profile-name;smtp-profile profile-name;}content-filtering {ftp {download-profile profile-name;upload-profile profile-name;}http-profile profile-name;imap-profile profile-name;pop3-profile profile-name;smtp-profile profile-name;}traffic-options {sessions-per-client {limit value;over-limit (block | log-and-permit);}}web-filtering {http-profile profile-name;}}}zones {functional-zone {management {description text;host-inbound-traffic {protocols protocol-name { except;}system-services service-name { except;}}interfaces interface-name {host-inbound-traffic {protocols protocol-name { except;}system-services service-name { except;}}}screen screen-name;}}security-zone zone-name {address-book {address address-name {ip-prefix {description text;}description text;dns-name domain-name {ipv4-only;ipv6-only;}range-address lower-limit to upper-limit;wildcard-address ipv4-address/wildcard-mask;}address-set address-set-name {address address-name;address-set address-set-name;description text;}}application-tracking;description text;host-inbound-traffic {protocols protocol-name { except;}system-services service-name { except;}}interfaces interface-name {host-inbound-traffic {protocols protocol-name { except;}system-services service-name { except;}}}screen screen-name;tcp-rst;}}}

Modified: 2016-05-01