
Security

 

Security Policy

Configuring Firewall Security Policy Rules

  1. Select Configure>Security Services>Security Policy>Rules.

    The Rules configuration page appears, displaying all the rules grouped by zone pair or zone context. Each row shows the from and to zones (the zone pair) and the number of rules in that zone pair. Table 161 explains the contents of this page.

  2. Click one:
    • Global Options—Configures global options for the firewall security policy. Enter information as specified in Table 162.

    • Add icon (+)—Adds a new firewall or global security policy configuration. Enter information as specified in Table 163.

    • Edit icon (/)—Edits the selected firewall policy configuration. Enter information as specified in Table 163.

    • Delete icon (X)—Deletes the selected firewall security policy configuration.

    • Save—Saves the rule that you edited or cloned. This is enabled if you edit or clone a rule.

    • Discard—Discards the rule that you selected from the grid.

    • More—Enables you to add a rule before or after the selected rule, and to copy, cut, paste, or clone a rule, among other options. For more information, see Table 164.

    • Search icon—Enables you to search a firewall policy or rule from the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to compare the current configuration with the previous configuration.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you login to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 161: Rules Configuration Page

Field

Function

Seq.

Displays the sequence number of rules in a zone pair.

Hit Count

Displays the number of hits the rule has encountered.

Rule Name

Displays the rule name.

Source Zone

Displays the source zone that is specified in the zone pair for the rule.

Source Address

Displays the name of the source address or address set for the rule.

Identity or User ID

Displays the user identity of the rule.

Destination Zone

Displays the destination zone that is specified in the zone pair for the rule.

Destination Address

Displays the name of the destination address or address set for the rule.

Dynamic Application

Displays the dynamic application names for match criteria in application firewall rule set.

An application firewall configuration permits, rejects, or denies traffic based on the application of the traffic.

Service

Displays the type of service for the destination of the rule.

Action

Displays the actions that need to take place on the traffic as it passes through the firewall.

Rule Options

Displays the rule option while permitting the traffic.

Advanced Security

Displays the security options that apply to this rule.

Description

Displays the description of the rule.

Table 162: Global Options Firewall Policy Configuration Details

Field

Function

Action

Policy Options

Default policy action

Specifies that specific protocol actions are overridden. This action is also nonterminating. The options available are:

  • permit-all

  • deny-all

Select a value from the list.

Policy rematch

Specifies that a policy that has just been modified is added to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Select the check box.

Flow - Main

Early ageout

Specifies the amount of time before the device aggressively ages out a session from its session table.

Enter a value from 1 through 65,535 seconds. The default value is 20 seconds.

High watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process begins.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Low watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process ends.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

Select the check box.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Select the check box.

Allow DNS reply

Specifies that an incoming DNS reply packet without a matched request is allowed.

Select the check box.

Force IP reassembly

Specifies that all fragmented IP packets are reassembled before forwarding.

Enable Routing Mode

Enables routing mode on uPIM and ePIM ports that correspond to the interfaces that will carry the VPLS traffic.

Route change to nonexistent route timeout

Specifies the session timeout value on a route change to a nonexistent route.

Enter a value from 6 through 1800 seconds.

Flow - TCP MSS

Enable MSS override for all packets

Enables maximum segment size override for all TCP packets for network traffic.

Select the check box.

Enter a maximum segment size value from 64 through 65,535.

Enable MSS override for all GRE packets coming out of an IPSec tunnel

Enables maximum segment size override for all generic routing encapsulation packets exiting an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering IPSec tunnel

Enables maximum segment size override for all packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Flow - TCP Session

Disable sequence-number checking

Disables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select the check box.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Select the check box.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box.

Disable SYN-flag check (tunnel packets)

Disables the first packet check for the SYN flag when forming a TCP flow session.

Select the check box.

RST invalidate session

Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select the check box.

RST sequence check

Specifies that the TCP sequence number of a TCP segment with the RST bit set is checked. The sequence number must match the previous sequence number for a packet in that session or be the next higher number.

Select the check box.

TCP Initial Timeout

Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Select the check box.
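The early ageout, high watermark, and low watermark options described in the Flow - Main rows of Table 162 interact as one aging cycle, which is easier to see in a small simulation. The following Python model is an added example and is not Juniper's code or the device's implementation: the session table capacity, the idle times, and the 30-minute normal timeout are constructed values, and the behaviour is a reading of the field descriptions above.

```python
# Added example (not Juniper's code): a toy session table showing how the
# early-ageout, high-watermark and low-watermark options interact.
# Capacity, idle times and the "normal" timeout are constructed values.
from dataclasses import dataclass, field


@dataclass
class FlowOptions:
    early_ageout: int = 20      # seconds; page default
    high_watermark: int = 100   # percent of table capacity; page default
    low_watermark: int = 100    # percent of table capacity; page default


@dataclass
class Session:
    sid: int
    idle: int                   # seconds since the last packet (constructed)


@dataclass
class SessionTable:
    capacity: int
    opts: FlowOptions
    normal_timeout: int = 1800  # assumed normal timeout (30 min, the page's TCP value)
    sessions: dict = field(default_factory=dict)
    aggressive: bool = False    # True while aggressive aging is in progress

    def add(self, s: Session) -> None:
        if len(self.sessions) >= self.capacity:
            raise RuntimeError("session table full")
        self.sessions[s.sid] = s

    def utilization(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def age(self) -> list:
        """One aging pass. Returns the ids of the sessions removed.

        Aggressive aging starts once utilization reaches the high watermark;
        while it is active, sessions idle for at least early_ageout seconds
        are dropped instead of waiting for the normal timeout. It ends once
        utilization has fallen to the low watermark."""
        if self.utilization() >= self.opts.high_watermark:
            self.aggressive = True
        limit = self.opts.early_ageout if self.aggressive else self.normal_timeout
        removed = [sid for sid, s in self.sessions.items() if s.idle >= limit]
        for sid in removed:
            del self.sessions[sid]
        if self.aggressive and self.utilization() <= self.opts.low_watermark:
            self.aggressive = False
        return removed


def demo():
    """Constructed scenario: a 10-slot table at 90% with high=80, low=50."""
    table = SessionTable(10, FlowOptions(early_ageout=20, high_watermark=80, low_watermark=50))
    for i in range(1, 10):
        table.add(Session(i, idle=5 * i))   # idle 5, 10, ..., 45 seconds
    first = table.age()                      # aggressive pass: drops idle >= 20 s
    second = table.age()                     # utilization is back below the watermarks
    return first, second, table.aggressive, len(table.sessions)


if __name__ == "__main__":
    print(demo())
```

With the page defaults (both watermarks at 100 percent) the aggressive phase only runs while the table is completely full, which is why a lower high watermark is what makes early ageout visible in practice.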

Table 163: Add Firewall Policy Rule Configuration Details

Field

Function

Action

General

Rule Name

Specifies the name of the security policy.

Enter a name for the new rule or policy.

Rule Description

Specifies a description for the security policy.

Enter a description for the security policy.

Global Policy

Specifies that the policy defined is a global policy and zones are not required.

Source

Zone

Specifies the source zone.

Select the source zone with which you want the rule to be associated from the dropdown menu.

Address(es)

Specifies the source address of the rule.

Select the Address(es) for the policy by clicking Select. The Source Address page appears.

Select the Address for this policy. The options available are:

  • Any Address—Selecting this will include any address as the source address.

  • Include Specific—Select an address book entry from the available list, or create a new entry by selecting Add New Source Address and creating the address in the Create Address page.

  • Exclude Specific—Select an address book entry from the available list, or create a new entry by selecting Add New Source Address and creating the address in the Create Address page.

Identity

Select the user identity that you want to permit or deny in the rule.

Select the user identity to permit or deny.

Click Select to choose a user identity from the available list, or create a new user identity by selecting Add New Identity and creating the user name or identity in the Create Identity page.

Note: Starting in Junos OS Release 19.1R1, the list of local authentication users is available in the source identity list for logical system and tenant users.

Destination

Zone

Specifies the destination zone.

Select the destination zone with which you want the rule to be associated from the dropdown menu.

Address(es)

Specifies the destination address of the rule.

Select the Address(es) for the policy by clicking Select. The Destination Address page appears.

Select the Address for this policy. The options available are:

  • Any Address—Selecting this will include any address as the destination address.

  • Include Specific—Select an address book entry from the available list, or create a new entry by selecting Add New Source Address and creating the address in the Create Address page.

  • Exclude Specific—Select an address book entry from the available list, or create a new entry by selecting Add New Source Address and creating the address in the Create Address page.

Dynamic Application

Select the dynamic application names for match criteria in application firewall rule set.

Select the application from the Available list and move it to Selected list.

Service(s)

Select the services that you want to permit or deny in the rule.

Select the services to permit or deny. You can choose a service from the available list.

Advanced Security

Rule Action

Specifies the action taken when traffic matches the criteria. Available options are:

  • Permit

  • Deny

  • Reject

Select an option.

Permit—Allows the packet to pass through the firewall. It enables the following Permit options:

  1. App Firewall—Select the application firewall from the dropdown list.
  2. IPS—Select Off or On from the dropdown list. If you select On, the IPS Policy field will be disabled. If you select Off, you may select the IPS Policy from the dropdown list.
  3. UTM—Select the UTM policy to associate with this rule from the dropdown list, which shows all the UTM policies available.

    If you want to create a new UTM policy, click Add New, which lets you create one in the Create UTM Policies Wizard. For more information about this wizard, see the Configure>Security>UTM page in J-Web.

  4. SSL Proxy—Select the SSL proxy policy to associate with this rule from the dropdown list, which shows all the SSL proxy profiles that are created using the Configure>Security>SSL Proxy page in J-Web. After you associate, the SSL proxy policy will be applied to the traffic.
  5. IPSec VPN—Select the IPsec VPN tunnel from the dropdown list.
  6. Pair Policy Name—Select the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy.
  7. Threat Prevention Policy—Select the configured threat prevention policy from the dropdown list. To create a threat prevention policy go to Configure>Security>SkyATP or Threat Prevention>Policies.
  8. ICAP Redirect Profile—Select the configured ICAP Redirect profile name from the dropdown list.

Deny—Blocks and drops the packet without sending a notification back to the source.

Reject—Blocks and drops the packet and sends a notice to the source host.

  • For TCP traffic—Sends TCP RST.

  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).

  • For TCP and UDP traffic—Specifies action denied.

Rule Options

Logging/Count

  

Log at Session Close Time

Specifies that an event is logged when the session closes.

Select the check box.

Log at Session Init Time

Specifies that an event is logged when the session is created.

Select the check box.

Enable Count

Specifies statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds. When this count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select the check box.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Authentication

  

Push Auth Entry to JIMS

Pushes authentication entries from firewall authentication that are in the auth-success state to Juniper Identity Management Server (JIMS). This enables the SRX device to query JIMS for IP/user mapping and device information.

Select the check box.

Type

Specify the type of firewall authentication for this rule.

Select the type of firewall authentication from the dropdown list. The options available are: None, Pass-through, User-firewall, and Web-authentication.

Advanced Settings

Destination Address Translation

Specifies the action to be taken on a destination address translation.

Select the action to be taken on a destination address translation. The options available are: None, Drop Translated, Drop Untranslated.

Redirect Options

Specifies the action to be taken if redirect is needed.

Select the action to redirect. The options available are: None, Redirect Wx, and Reverse Redirect Wx.

Enable TCP-SYN

Disables or enables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box to enable TCP-SYN checking.

Log TCP Sequence

Disables or enables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select the check box if you want to log TCP sequencing.
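The Rule Action rows of Table 163 (Permit, Deny, and Reject with its per-protocol notification), the Global Policy option (a rule that needs no zones), and the Policy rematch option from Table 162 can be modelled together in a few dozen lines. The Python below is an added example and is not Juniper's code or the J-Web implementation: rule names, zones, addresses, and services are constructed samples, and both the zone-pair-before-global lookup order and the dropping of sessions whose rule no longer permits are assumptions of this model rather than statements from the page.

```python
# Added example (not Juniper's code): a minimal model of ordered security
# policy lookup (zone-pair rules before global rules), the permit/deny/reject
# semantics, and policy rematch. All rule and packet data is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    src_zone: Optional[str]   # None on both zones => global policy (no zones)
    dst_zone: Optional[str]
    src_addr: str             # address-book name / IP, or "any"
    dst_addr: str
    service: str              # "tcp/443", "udp/53", ... or "any"
    action: str               # "permit" | "deny" | "reject"


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str


@dataclass
class Session:
    key: tuple       # (src_zone, dst_zone, src_addr, dst_addr, service)
    rule: str        # name of the rule the session was created under


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_zone is None and rule.dst_zone is None:
        zone_ok = True      # global policy: zones are not required
    else:
        zone_ok = rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone
    return (zone_ok
            and rule.src_addr in ("any", pkt.src_addr)
            and rule.dst_addr in ("any", pkt.dst_addr)
            and rule.service in ("any", pkt.service))


def lookup(rules, pkt):
    """First match wins. Zone-pair rules are consulted before global rules
    (assumed ordering for this model)."""
    ordered = ([r for r in rules if r.src_zone is not None]
               + [r for r in rules if r.src_zone is None])
    return next((r for r in ordered if matches(r, pkt)), None)


def decide(rules, pkt, default_action="deny-all"):
    """Return (rule_name, verdict, notification_sent_to_source)."""
    r = lookup(rules, pkt)
    if r is None:   # nothing matched: the global default policy action applies
        return (None, "permit" if default_action == "permit-all" else "deny", None)
    if r.action == "reject":
        proto = pkt.service.split("/")[0]
        note = {"tcp": "TCP RST", "udp": "ICMP type 3 code 3"}.get(proto)
        return (r.name, "reject", note)
    return (r.name, r.action, None)   # deny drops silently; permit passes


def rematch(rules, sessions):
    """Policy rematch: re-run the lookup for every existing session and drop
    those whose lookup no longer resolves to the rule they were created under
    (or whose rule no longer permits; the latter is an assumption here)."""
    kept, dropped = [], []
    for s in sessions:
        r = lookup(rules, Packet(*s.key))
        ok = r is not None and r.name == s.rule and r.action == "permit"
        (kept if ok else dropped).append(s.key)
    return kept, dropped


def sample_rules():
    """Constructed rule base: two zone-pair rules and one global catch-all."""
    return [
        Rule("allow-web", "trust", "untrust", "any", "any", "tcp/443", "permit"),
        Rule("reject-dns", "trust", "untrust", "any", "any", "udp/53", "reject"),
        Rule("deny-rest", None, None, "any", "any", "any", "deny"),
    ]


if __name__ == "__main__":
    pkt = Packet("trust", "untrust", "10.0.0.5", "203.0.113.10", "tcp/443")
    print(decide(sample_rules(), pkt))
```

The rematch function is the part worth keeping in mind operationally: with Policy rematch enabled, inserting a more specific rule ahead of an existing permit changes the lookup result for live sessions built under that permit, so those sessions are dropped rather than allowed to run to their timeout.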

Table 164: More options on Rules

Field

Function

Add Rule Before

Adds a new rule before the selected rule.

Add Rule After

Adds a new rule after the selected rule.

Copy

Copies a selected rule and enables you to paste it before or after the selected rule.

Cut

Removes the selected rule from its row and enables you to paste it before or after the selected rule.

Paste

Pastes the copied or cut rule before or after the rule selected for copy.

Clone

Clones or copies the selected firewall policy configuration and enables you to update the details of the rule.

Move Rule

Organizes records. Select a rule and choose Move up, Move down, Move to top, or Move to bottom to reposition the rule.

Disable

Disables the selected rule.

Enable

Enables the selected rule if it was disabled.

Clear Selection

Clears the selection of all currently selected rules.

Configuring Firewall Policy Schedules

  1. Select Configure>Security>Firewall Policy>Schedules.

    The Scheduler Information configuration page appears. Table 165 explains the contents of this page.

  2. Click one:
    • Add icon (+)—Adds a new or duplicate scheduler configuration. Enter information as specified in Table 166.

    • Edit icon (/)—Edits the selected scheduler configuration.

    • Delete(X)—Deletes the selected scheduler configuration.

    • More—Enables you to clone a schedule from the selected schedule, display a detailed view of the selected schedule, and clear all selections in the grid.

    • Search icon—Enables you to search a schedule in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to compare the current configuration with the previous configuration.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you login to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 165: Scheduler Configuration Page

Field

Function

Details icon (blue)

Displays the schedule details when you click the icon.

Name

Displays the name of the scheduler.

Description

Displays a description of the scheduler.

Start Date

Displays the start date for the first day.

End Date

Displays the stop date for the first day.

Second Start Date

Displays the start date for the second day.

Second End Date

Displays the stop date for the second day.

Schedules

On expanding, displays the days of the schedule, exclusion days if any, and the start and end time of the schedule.

Table 166: Add Scheduler Configuration Details

Field

Function

Action

Name

Specifies the scheduler name.

Enter the name of the scheduler.

Description

Specifies a description for the scheduler.

Enter a description for the scheduler.

Start Date

Specifies the start date of the first day.

Select the start date for the first day from the calendar.

Stop Date

Specifies the stop date of the first day.

Select the stop date for the first day from the calendar.

Second Start Date

Specifies the start date of the second day.

Select the start date for the second day from the calendar.

Second End Date

Specifies the stop date of the second day.

Select the stop date for the second day from the calendar.

Time Ranges

Specify a day/time range to edit

Specify the same time for all days

Specifies the same time for all days.

Click Specify the same time for all days. The Apply Options for All Days page appears.

Select the Time Options from All Day, Exclude Day, or Time Ranges.

If you select Time Ranges, enter the Start Time and End Time. You can also add a Second Start Time and Second End Time by clicking Add Another Range.

Daily option

Specifies that you can set the scheduler to run at regular and recurring intervals.

Select a day from the list. The Specify Time for <selected day> page appears.

Select the Time Options from All Day, Exclude Day, or Time Ranges.

If you select Time Ranges, enter the Start Time and End Time. You can also add a Second Start Time and Second End Time by clicking Add Another Range.

Time Start1

Specifies the start time for the first day.

Enter the start time in HH:MM:SS format.

Time Stop1

Specifies the stop time for the first day.

Enter the stop time in HH:MM:SS format.

Time Start2

Specifies the start time for the second day.

Enter the start time in HH:MM:SS format.

Time Stop2

Specifies the stop time for the second day.

Enter the stop time in HH:MM:SS format.
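The scheduler fields in Table 166 (a first and optional second date window, a per-day choice of All Day, Exclude Day, or up to two time ranges, and HH:MM:SS times) define when a policy bound to the scheduler is in effect. The following Python is an added example and not Juniper's code: the data model, the weekday names, and the sample "business-hours" scheduler are constructed, and the boundary behaviour (inclusive dates and times) is an assumption of this model.

```python
# Added example (not Juniper's code): evaluating whether a scheduler built
# from the Table 166 fields is active at a given moment. Data model and the
# sample schedule are constructed.
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Optional

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


@dataclass
class DayOption:
    mode: str                                   # "all_day" | "exclude" | "ranges"
    ranges: list = field(default_factory=list)  # [(start, end)], at most two


@dataclass
class Scheduler:
    name: str
    start_date: date                            # first date window
    stop_date: date
    second_start: Optional[date] = None         # optional second date window
    second_stop: Optional[date] = None
    all_days: DayOption = field(default_factory=lambda: DayOption("all_day"))
    per_day: dict = field(default_factory=dict) # weekday name -> DayOption override


def parse_hms(text: str) -> time:
    """Parse the HH:MM:SS format the page asks for."""
    return datetime.strptime(text, "%H:%M:%S").time()


def in_date_window(s: Scheduler, d: date) -> bool:
    if s.start_date <= d <= s.stop_date:
        return True
    if s.second_start is not None and s.second_stop is not None:
        return s.second_start <= d <= s.second_stop
    return False


def is_active(s: Scheduler, when: datetime) -> bool:
    """True when a policy bound to this scheduler would be in effect."""
    if not in_date_window(s, when.date()):
        return False
    opt = s.per_day.get(DAYS[when.weekday()], s.all_days)
    if opt.mode == "exclude":
        return False
    if opt.mode == "all_day":
        return True
    t = when.time()
    return any(start <= t <= end for start, end in opt.ranges)


def active_at(s: Scheduler, iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp, e.g. '2024-03-06T10:00:00'."""
    return is_active(s, datetime.fromisoformat(iso_timestamp))


def business_hours() -> Scheduler:
    """Constructed sample: weekdays 09:00-17:00 during 2024, plus June 2025."""
    office = DayOption("ranges", [(parse_hms("09:00:00"), parse_hms("17:00:00"))])
    return Scheduler("business-hours", date(2024, 1, 1), date(2024, 12, 31),
                     second_start=date(2025, 6, 1), second_stop=date(2025, 6, 30),
                     all_days=office,
                     per_day={"saturday": DayOption("exclude"),
                              "sunday": DayOption("exclude")})


if __name__ == "__main__":
    print(active_at(business_hours(), "2024-03-06T10:00:00"))
```

A scheduler that silently stops matching (a stop date in the past, or a weekday that was excluded by mistake) leaves the bound policy inactive, so checking a few representative timestamps against the schedule before committing is a cheap way to catch that.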

NAT

Source NAT Configuration Page Options

  1. Select Configure>NAT>Source NAT in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>NAT>Source in the J-Web user interface.

    The Source NAT configuration page appears. Table 167 explains the contents of this page.

  2. Click one:
    • Global Settings—Defines general specifications for source NAT. Enter information as specified in Table 168.

    • Add or +—Adds a new or duplicate Source NAT configuration. Enter information as specified in Table 169.

    • Edit or /—Edits the selected source NAT configuration.

    • Delete or X—Deletes the selected source NAT configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 167: Source NAT Configuration Page

Field

Function

Source NAT Rule Set

From

Displays the source NAT sort options from which the packets flow.

The options available are:

  • Routing Instance

  • Zone

  • Interface

To

Displays the source NAT sort options to which the packets flow.

The options available are:

  • Routing Instance

  • Zone

  • Interface

Filter

Displays the filter option.

Name

Displays the name of the source NAT rule set.

From

Displays the name of the routing instance/zone/interface from which the packets flow.

To

Displays the name of the routing instance/zone/interface to which the packets flow.

Rule

Displays the name of the rule in the selected source NAT rule set.

Description

Displays a description of the source NAT rule set.

Rules in Selected Rule-Set

Rule Name

Displays the name of the rule in the selected source NAT rule set.

Match Source

Displays the match source address.

Match Destination

Displays the match destination address.

Match IP Protocol

Displays the match IP protocol.

Match Destination Port

Displays the match destination port.

Action

Displays the action of the rule.

Persistent

Displays the persistent NAT address in the source NAT pool.

Description

Displays a description of the rule.

Source NAT Pool

Name

Displays the name of the source NAT pool.

Address

Displays the IP address of the source NAT pool.

Port

Displays the port address of the source NAT pool.

Description

Displays a description of the source NAT pool.

Table 168: Source NAT Global Setting Configuration Page

Field

Function

Global Settings

Address Persistent

Specifies that a given source address keeps the same translation.

Select the check box to enable address persistence.

Interface Port-Overloading

Specifies interface port overloading for persistent NAT.

Select the check box to enable interface port overloading.

Port randomization

Specifies source NAT port randomization.

Select the check box to enable port randomization.

Pool Utilization Alarm

Clear Threshold

Specifies the pool utilization threshold at which the alarm is cleared.

The default option is 40-100.

Raise Threshold

Specifies the pool utilization threshold at which the alarm is raised.

The default option is 50-100.

Table 169: Add Source NAT Configuration Details

Field

Function

Action

Add Rule Set

Rule Set Name

Specifies the name of the rule set.

Enter the rule set name.

Rule Set Description

Specifies a description for the rule set.

Enter a description for the rule set.

From/To

Specifies the filter option. The options available are:

  • Routing Instance

  • Zone

  • Interface

Select an option.

Select the source routing instances/zones/interfaces in the Available column and then use the right arrow to move them to the Selected column.

Select the destination routing instances/zones/interfaces in the Available column and then use the right arrow to move them to the Selected column.

Add Rule

Rule Name

Specifies the name of the rule.

Enter the rule name.

Rule Description

Specifies a description for the rule.

Enter a description for the rule.

Match

Source Address

Specifies the source IP address. The options available are:

  • Available—Specifies the available source addresses.

  • Selected—Specifies the selected source addresses.

Search and select the source addresses in the Available column and then use the right arrow to move them to the Selected column.

You can also enter a source address in the New text box in the Selected column and click Add to add the source address to the lower pane of the Selected column.

Destination Address

Specifies the destination IP address. The options available are:

  • Available—Specifies the available destination addresses.

  • Selected—Specifies the selected destination addresses.

Select the destination addresses in the Available column and then use the right arrow to move them to the Selected column.

You can also enter a destination address in the New text box in the Selected column and click Add to add the destination address to the lower pane of the Selected column.

IP Protocol

Specifies the IP protocol.

Enter the protocol name in the New text box and click Add to add the protocol to the lower pane of the IP Protocol column.

Destination Port

Specifies the destination port options. The options available are:

  • Any

  • Port

  • Port Range

Select an option.

Action

Specifies the action to be taken. The options available are:

  • No Source NAT

  • Do Source NAT with Egress Interface Address

  • Do Source NAT with Pool

Select an option.

Persistent

Specifies the persistent NAT address in the source NAT pool.

Select the check box to enable the following fields:

  • Permit—Select an option.

  • Inactivity Timeout—Enter a value.

  • Max Session Number—Enter a value.

Add Source NAT Pool

Pool Name

Specifies the name of the source NAT pool.

Enter the source NAT pool name.

Pool Description

Specifies a description for the source NAT pool.

Enter a description for the source NAT pool.

Routing Instance

Specifies the routing instances available.

Select an option.

Pool Address Family

Specifies the source NAT pool address family.

Select an option.

Pool Addresses

Specifies the source NAT pool addresses.

Enter the address range in the Address/Range text boxes. Click Add to add the address range to the Addresses column.

Port Translation

Specifies the port translation options. The options available are:

  • No Translation

  • Translation with Default Port Range (1024–65535)

  • Translation with Specified Port Range

  • Translation with Port Overloading Factor

Select an option.
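The source NAT pool options in Table 169 (port translation over the default 1024–65535 range or a specified range, a port overloading factor) and the global settings in Table 168 (address persistence, and the pool utilization raise and clear thresholds) fit together in one allocator. The following Python is an added example and not Juniper's code: the pool addresses, ports, and thresholds are constructed sample values, the round-robin choice of pool address for a new internal host is an assumption, and the No Translation mode is not modelled.

```python
# Added example (not Juniper's code): a toy source NAT pool allocator that
# models port translation over a port range, a port overloading factor,
# address persistence, and the pool utilization raise/clear alarm thresholds.
# Addresses, ports and thresholds below are constructed sample values.
from dataclasses import dataclass


@dataclass
class PoolConfig:
    addresses: list                    # pool addresses (constructed)
    port_range: tuple = (1024, 65535)  # page default port range
    overload_factor: int = 1           # >1 lets each port be used that many times
    address_persistent: bool = True    # same internal host -> same pool address
    raise_threshold: int = 50          # percent; page default
    clear_threshold: int = 40          # percent; page default


class SourceNatPool:
    def __init__(self, cfg: PoolConfig):
        self.cfg = cfg
        self.persist = {}                               # internal src IP -> pool address
        self.port_use = {a: {} for a in cfg.addresses}  # pool address -> {port: uses}
        self.bindings = {}                              # (src_ip, src_port) -> (nat_ip, nat_port)
        self.alarm = False
        self._rr = 0                                    # round-robin index for new hosts (assumption)

    def capacity(self) -> int:
        lo, hi = self.cfg.port_range
        return (hi - lo + 1) * self.cfg.overload_factor * len(self.cfg.addresses)

    def utilization(self) -> float:
        return 100.0 * len(self.bindings) / self.capacity()

    def _pick_address(self, src_ip: str) -> str:
        if self.cfg.address_persistent and src_ip in self.persist:
            return self.persist[src_ip]
        addr = self.cfg.addresses[self._rr % len(self.cfg.addresses)]
        self._rr += 1
        if self.cfg.address_persistent:
            self.persist[src_ip] = addr
        return addr

    def translate(self, src_ip: str, src_port: int) -> tuple:
        """Allocate (or reuse) a translated address/port for a flow."""
        key = (src_ip, src_port)
        if key in self.bindings:
            return self.bindings[key]
        nat_ip = self._pick_address(src_ip)
        used = self.port_use[nat_ip]
        lo, hi = self.cfg.port_range
        # first port whose use count is below the overloading factor
        port = next((p for p in range(lo, hi + 1)
                     if used.get(p, 0) < self.cfg.overload_factor), None)
        if port is None:
            raise RuntimeError(f"pool exhausted for {nat_ip}")
        used[port] = used.get(port, 0) + 1
        self.bindings[key] = (nat_ip, port)
        self._update_alarm()
        return self.bindings[key]

    def release(self, src_ip: str, src_port: int) -> None:
        """Session ended: free the port and re-evaluate the alarm."""
        nat_ip, port = self.bindings.pop((src_ip, src_port))
        self.port_use[nat_ip][port] -= 1
        self._update_alarm()

    def _update_alarm(self) -> None:
        """Raise at or above raise_threshold, clear at or below clear_threshold;
        the gap between the two stops the alarm from flapping."""
        u = self.utilization()
        if not self.alarm and u >= self.cfg.raise_threshold:
            self.alarm = True
        elif self.alarm and u <= self.cfg.clear_threshold:
            self.alarm = False


if __name__ == "__main__":
    pool = SourceNatPool(PoolConfig(["203.0.113.1"], port_range=(1024, 1027)))
    print(pool.translate("10.0.0.1", 40000), pool.utilization(), pool.alarm)
```

Two things the model makes concrete: a raise threshold that equals the clear threshold would toggle the alarm on every allocation and release near the boundary, and with address persistence a busy internal host can exhaust its pinned pool address while other pool addresses still have free ports.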

Destination NAT Configuration Page Options

  1. Select Configure>NAT>Destination NAT in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>NAT>Destination in the J-Web user interface.

    The Destination NAT configuration page appears. Table 170 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate destination NAT configuration. Enter information as specified in Table 171.

    • Edit or /—Edits the selected destination NAT configuration.

    • Delete or X—Deletes the selected destination NAT configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 170: Destination NAT Configuration Page

Field

Function

Destination NAT Rule Set

From

Displays the destination NAT sort options from which the packets flow.

The options available are:

  • Routing Instance

  • Zone

  • Interface

To

Displays the destination NAT sort options to which the packets flow.

The options available are:

  • Routing Instance

  • Zone

  • Interface

Filter

Displays the filter option.

Name

Displays the name of the destination NAT rule set.

From

Displays the name of the routing instance/zone/interface from which the packets flow.

Rule

Displays the name of the rule in the selected destination NAT rule set.

Description

Displays a description of the destination NAT rule set.

Rules in Selected Rule-Set

Rule Name

Displays the name of the rule in the selected destination NAT rule set.

Match Source

Displays the match source address.

Match Destination

Displays the match destination address.

Match IP Protocol

Displays the match IP protocol.

Match Destination Port

Displays the match destination port.

Action

Displays the action of the rule in the selected rule set.

Description

Displays a description of the rule in the selected destination NAT rule set.

Destination NAT Pool

Name

Displays the name of the destination NAT pool.

Address

Displays the IP address of the destination NAT pool.

Port

Displays the port address of the destination NAT pool.

Description

Displays a description of the destination NAT pool.

Table 171: Add Destination NAT Rule Set Configuration Details

Field

Function

Action

Destination Rule Set
Add Rule Set

Rule Set Name

Specifies the name of the rule set.

Enter the rule set name.

Rule Set Description

Specifies a description for the rule set.

Enter a description for the rule set.

From

Specifies the filter options. The options available are:

  • Routing Instance

  • Zone

  • Interface

Select an option.

Select the routing instances/zones/interfaces in the Available column and then use the right arrow to move them to the Selected column.

Add Rule

Rule Name

Specifies the name of the rule.

Enter the rule name.

Rule Description

Specifies a description for the rule.

Enter a description for the rule.

Match

Source Address

Specifies the source IP address. The options available are:

  • Available—Specifies the available source addresses.

  • Selected—Specifies the selected source addresses.

Search and select the source addresses in the Available column and then use the right arrow to move them to the Selected column.

You can also enter a source address in the New text box in the Selected column and click Add to add the source address to the lower pane of the Selected column.

Destination Address

Specifies the destination IP address.

Enter the destination IP address.

Port

Specifies the destination port number.

Enter the destination port number.

IP Protocol

Specifies the IP protocol for the destination NAT rule.

Enter the protocol name in the text box and click Add to add the protocol to the IP Protocol column.

Actions

Specifies the actions for the destination NAT pool. The options available are:

  • No Destination NAT.

  • Do Destination NAT With Pool.

Select an option.

Do Destination NAT With Pool

Add New Pool

Specifies the add option for the Do Destination NAT With Pool option.

Click Add New Pool.

Add Destination Pool

Pool Name

Specifies the name of the destination pool.

Enter the destination pool name.

Pool Description

Specifies a description for the destination pool.

Enter a description for the destination pool.

Routing Instance

Specifies the routing instance available.

Select an option.

Pool Addresses and Port

Address/Port

Specifies the destination pool address.

Enter the destination pool address.

Port

Specifies the destination pool port number.

Enter the destination pool port number.

Address Range

Specifies the destination pool address range.

Enter the destination pool address range.

Destination NAT Pool
Add Destination Pool

Pool Name

Specifies the name of the destination pool.

Enter the destination pool name.

Pool Description

Specifies a description for the destination pool.

Enter a description for the destination pool.

Routing Instance

Specifies the routing instance available.

Select an option.

Pool Addresses and Port

Address/Port

Specifies the destination pool address.

Enter the destination pool address.

Port

Specifies the destination pool port number.

Enter the destination pool port number.

Address Range

Specifies the destination pool address range.

Enter the destination pool address range.

Static NAT Configuration Page Options

  1. Select Configure>NAT>Static NAT in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>NAT>Static in the J-Web user interface.

    The Static NAT configuration page appears. Table 172 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate static NAT configuration. Enter information as specified in Table 173.

    • Edit or /—Edits the selected static NAT configuration.

    • Delete or X—Deletes the selected static NAT configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 172: Static NAT Configuration Page

Field

Function

Static NAT Rule Set

From

Displays the destination NAT sort options from which the packets flow.

The options available are:

  • Routing Instance

  • Zone

  • Interface

Filter

Displays the filter option.

Name

Displays the name of the static NAT rule set.

From

Displays the name of the routing instance/zone/interface from which the packets flow.

Rule

Displays the name of the rule in the selected static NAT rule set.

Description

Displays a description of the static NAT rule set.

Rules in Selected Rule-Set

Rule Name

Displays the name of the routing instance/zone/interface to which the packet flows.

Match Destination

Displays the match destination address.

Action

Displays the action of the rule in the selected rule set.

Description

Displays a description of the rule in the selected static NAT rule set.

Table 173: Add Static NAT Configuration Details

Field

Function

Action

Add Rule Set

Rule Set Name

Specifies the name of the rule set.

Enter the rule set name.

Rule Set Description

Specifies a description for the rule set.

Enter a description for the rule set.

From

Specifies the filter options. The options available are:

  • Routing Instance

  • Zone

  • Interface

Select an option.

Select the routing instances/zones/interfaces in the Available column and then use the right arrow to move them to the Selected column.

Add Rule

Rule Name

Specifies the name of the rule.

Enter the rule name.

Rule Description

Specifies a description for the rule.

Enter a description for the rule.

Match Destination Address

IPv4

Specifies the IPv4 address.

Enter the IPv4 address.

IPv6

Specifies the IPv6 address.

Enter the IPv6 address.

Then

Static Prefix

Specifies the static prefix.

Enter the static prefix address.

Routing Instance

Specifies the routing instance.

Select a routing instance.

Proxy Configuration Page Options

  1. Select Configure>NAT>Proxy in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>NAT>Proxy ARP/ND in the J-Web user interface.

    The Proxy ARP configuration page appears. Table 174 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate proxy configuration. Enter information as specified in Table 176.

    • Edit or /—Edits the selected proxy ARP or Proxy ND configuration.

    • Delete or X—Deletes the selected proxy ARP or proxy ND configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 174: Proxy Configuration Page

Field

Function

Proxy

Interface

Displays the interface type.

Address

Displays the IPv4 or IPv6 address.

Table 175: Add Proxy ARP Configuration Details

Field

Function

Action

Add Proxy ARP

Interface

Specifies the interface type. The options available are:

  • ge-0/0/0.0

  • ge-0/0/2.0

  • lo0.0

  • vlan0.0

Select an option.

Address

Specifies the proxy ARP IP address.

Click Delete to delete the proxy ARP address.

Address/Range

Specifies the source IP address range.

Click Add to add the range address.

To

Specifies the end IP address of the range.

Click Add to add the address range.

Table 176: Add Proxy ND Configuration Details

Field

Function

Action

Add Proxy ND

Interface

Specifies the interface type. The options available are:

  • ge-0/0/0.0

  • ge-0/0/1.0

  • ge-0/0/3.0

  • lo0.0

Select an option.

Address

Specifies the proxy ND IP address.

Click Delete to delete the proxy ND address.

Address/Range

Specifies the source IPv6 address range.

Click Add to add the range address.

To

Specifies the end IPv6 address of the range.

Click Add to add the address range.

Objects

Zones and Screens Configuration Page Options

  1. Select Configure>Security>Zones/Screens in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Objects>Zones/Screens in the J-Web user interface.

    The Zones/Screens configuration page appears. Table 177 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate zone configuration. Enter information as specified in Table 178.

    • Edit or /—Edits the selected zone configuration.

    • Delete or X—Deletes the selected zone configuration.

  3. Click one:
    • Add or +—Adds a new or duplicate screen configuration. Enter information as specified in Table 179.

    • Edit or /—Edits the selected screen configuration.

    • Delete or X—Deletes the selected screen configuration.

  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 177: Zones/Screens Configuration Page

Field

Function

Zones list

Zone name

Displays the name of the zone.

Type

Displays the type of zone.

Services

Displays the type of service.

Protocols

Displays the protocol type of incoming traffic.

Interfaces

Displays the interfaces that are part of this zone.

Screen

Displays name of the option objects applied to the zone.

Description

Displays a description of the zone.

Screen list

Screen name

Displays the name of the screen object.

Type

Displays the type of screen.

Description

Displays a description of the screen.

Table 178: Add Zone Configuration Details

Field

Function

Action

Main

Zone name

Specifies the name of the zone.

Enter a name for the zone.

Zone description

Specifies a description for the zone.

Enter a description for the zone.

Zone type

Specifies the type of the zone.

Select either security or functional. Only one functional zone can be configured.

Send RST for non matching session

Specifies that when the reset feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the Synchronize (SYN) flag set.

Select the Send RST for non matching session check box to enable this feature.

Binding screen

Specifies that you can assign screens to a zone.

Note: If you have already configured screens, the list shows the screen names and allows you to select or delete a screen.

Select a binding screen from the list.

Interfaces in this zone

Specifies the available interfaces that you can select for the security zone.

Select or deselect the interfaces that you want to include in the security zone using either the left or the right arrow.

Note: The selected interfaces are displayed in the Selected grid.

Host inbound traffic - Zone

Protocols

Specifies the protocols that permit inbound traffic of the selected type to be transmitted to hosts within the zone.

Select the protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all protocols.

Note: To deselect protocols, select the protocols in the Selected column and then use the left arrow to move them to the Available column.

Services

Specifies the interface services that permit inbound traffic of the selected type to be transmitted to hosts within the zone.

Select the services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all services.

Note: To deselect services, select the services in the Selected column and then use the left arrow to move them to the Available column.

Host inbound traffic - Interface

Interface services

Specifies the interface services that permit inbound traffic from the selected interface to be transmitted to hosts within the zone.

Select the interface services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface services.

To deselect services, select the services in the Selected column and then use the left arrow to move them to the Available column.

Note: If you select multiple interfaces, the existing interface services and protocols are cleared and are applied to the selected interfaces.

Interface protocols

Specifies the interface protocols that permit inbound traffic from the selected interface to be transmitted to hosts within the zone.

Select the interface protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface protocols.

To deselect protocols, select the protocols in the Selected column and then use the left arrow to move them to the Available column.

Table 179: Add Screen Configuration Details

Field

Function

Action

Main

Screen name

Specifies the name of the screen object.

Enter a name for the screen object.

Screen description

Specifies a description for the screen object.

Enter a description for the screen object.

Generate alarms without dropping packet

Specifies that alarms are generated without dropping packets.

Select the Generate alarms without dropping packet check box to enable this feature.

IP spoofing

Specifies that you can enable IP address spoofing protection. IP spoofing is when a false source address is inserted in the packet header to make the packet appear to come from a trusted source.

Select the IP spoofing check box to enable this feature.

IP sweep

Specifies the number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts.

Select the IP sweep check box to enable this feature.

Threshold

Specifies the threshold value of the IP sweep.

Enter the time interval for an IP sweep.

Note: If a remote host sends ICMP traffic to 10 addresses within this interval, an IP address sweep attack is flagged and further ICMP packets from the remote host are rejected. The range is from 1000 through 1000000 microseconds. The default value is 5000 microseconds.

Port scan

Specifies the number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.

Select the Port scan check box to enable this feature.

Threshold

Specifies the threshold value of the TCP port scan.

Enter the time interval for a port scan.

Note: If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. The range is from 1000 through 1000000 microseconds. The default value is 5000 microseconds.

WinNuke attack protection

Specifies the number of TCP WinNuke attacks.

Note: WinNuke is a DoS attack targeting any computer on the Internet running the Windows operating system.

Select the WinNuke attack protection check box to enable this feature.
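The IP sweep and port scan thresholds above are time windows in microseconds: a source that reaches 10 distinct destination addresses (ICMP) or 10 distinct destination ports (TCP) inside one window is flagged, and its further packets of that type are rejected. The following is an added example, not Juniper's code, that models that sliding-window check over constructed flow records so the effect of the window size can be observed; packet layout, timestamps and addresses are all assumptions.

```python
"""Simplified model of the IP sweep / TCP port scan screen thresholds.

This is an added illustration, not Juniper's implementation.  The
threshold is a window in microseconds; within it, 10 distinct targets
from one source flag that source (matching the note in the table).
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SWEEP_TRIGGER = 10  # distinct targets inside the window that flag a source


@dataclass
class Packet:
    ts_us: int      # arrival time in microseconds (constructed)
    src: str
    dst: str
    proto: str      # "icmp" (address sweep) or "tcp" (port scan)
    dport: int = 0  # only meaningful for tcp


class SweepScanScreen:
    def __init__(self, ip_sweep_threshold_us=5000, port_scan_threshold_us=5000):
        # window lengths as entered in the Threshold fields (defaults 5000 us)
        self.window_us = {"icmp": ip_sweep_threshold_us, "tcp": port_scan_threshold_us}
        # per protocol, per source: deque of (timestamp, target) inside the window
        self.recent = {"icmp": defaultdict(deque), "tcp": defaultdict(deque)}
        self.flagged = {"icmp": set(), "tcp": set()}

    @staticmethod
    def _target(pkt):
        # a sweep counts destination addresses, a scan counts destination ports
        return pkt.dst if pkt.proto == "icmp" else (pkt.dst, pkt.dport)

    def inspect(self, pkt):
        """Return 'permit', 'flag' (threshold just reached) or 'reject'."""
        if pkt.src in self.flagged[pkt.proto]:
            return "reject"  # further packets from a flagged host are rejected
        q = self.recent[pkt.proto][pkt.src]
        q.append((pkt.ts_us, self._target(pkt)))
        # slide the window: forget events older than the configured interval
        while q and pkt.ts_us - q[0][0] > self.window_us[pkt.proto]:
            q.popleft()
        if len({t for _, t in q}) >= SWEEP_TRIGGER:
            self.flagged[pkt.proto].add(pkt.src)
            return "flag"
        return "permit"


def sample_traffic():
    """Constructed packets: a fast ICMP sweep, a slow poller, a fast port scan."""
    pkts = []
    for i in range(12):  # 12 addresses, 100 us apart
        pkts.append(Packet(100 * i, "203.0.113.5", f"10.0.0.{i + 1}", "icmp"))
    for i in range(12):  # one address every 2000 us, e.g. a monitoring host
        pkts.append(Packet(20000 + 2000 * i, "198.51.100.7", f"10.0.0.{i + 1}", "icmp"))
    for i in range(12):  # ports 1..12 on one host, 50 us apart
        pkts.append(Packet(60000 + 50 * i, "203.0.113.9", "10.0.0.1", "tcp", i + 1))
    return pkts


def summarize(packets, screen):
    """Run the screen over packets in arrival order; count verdicts per source."""
    counts = defaultdict(lambda: {"permit": 0, "flag": 0, "reject": 0})
    for pkt in packets:
        counts[pkt.src][screen.inspect(pkt)] += 1
    return dict(counts)


if __name__ == "__main__":
    for window in (5000, 500):
        screen = SweepScanScreen(window, window)
        print(window, "us window:", summarize(sample_traffic(), screen))
```

With the default 5000 us window both fast sources are flagged at their tenth target; shrinking the window to 500 us lets the 100 us sweep through while the 50 us scan is still caught.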

Denial of Service

Land attack protection

Specifies the number of land attacks.

Note: Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Select the Land attack protection check box to enable this feature.

Teardrop attack protection

Specifies the number of teardrop attacks.

Note: Teardrop attacks exploit the reassembly of fragmented IP packets.

Select the Teardrop attack protection check box to enable this feature.

ICMP fragment protection

Specifies the number of ICMP fragments.

Note: ICMP packets contain very short messages. There is no legitimate reason for ICMP packets to be fragmented.

Select the ICMP fragment protection check box to enable this feature.

Ping of death attack protection

Specifies the ICMP ping of death counter.

Note: A ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).

Select the Ping of death attack protection check box to enable this feature.

Large size ICMP packet protection

Specifies the number of large ICMP packets.

Select the Large size ICMP packet protection check box to enable this feature.

Block fragment traffic

Specifies the number of IP block fragments.

Select the Block fragment traffic check box to enable this feature.

SYN-ACK-ACK proxy protection

Specifies the number of TCP flags enabled with SYN-ACK-ACK.

Note: This is designed to prevent flooding with SYN-ACK-ACK sessions. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address.

Select the SYN-ACK-ACK proxy protection check box to enable this feature.

Threshold

Specifies the threshold value for SYN-ACK-ACK proxy protection.

Enter the threshold value for SYN-ACK-ACK proxy protection.

Note: The range is from 1 through 250000 sessions. The default value is 512 sessions.

Anomalies

Bad option

Specifies the number of bad options counter.

Select the Bad option check box to enable this feature.

Security

Specifies the IP Security option, a method for hosts to send security parameters in the IP header.

Select the Security check box to enable this feature.

Unknown protocol

Specifies that the IP address with security option can be enabled.

Select the Unknown protocol check box to enable this feature.

Strict source route

Specifies the complete route list for a packet to take on its journey from source to destination.

Select the Strict source route check box to enable this feature.

Source route

Specifies the number of IP addresses of the devices set at the source that an IP transmission is allowed to take on its way to its destination.

Select the Source route check box to enable this feature.

Timestamp

Specifies the time recorded (in UTC) when each network device receives the packet during its trip from the point of origin to its destination.

Select the Timestamp check box to enable this feature.

Stream

Specifies a method for the 16-bit SATNET stream identifier to be carried through networks that do not support streaming.

Select the Stream check box to enable this feature.

Loose source route

Specifies a partial route list for a packet to take on its journey from source to destination.

Select the Loose source route check box to enable this feature.

Record route

Specifies that IP addresses of network devices along the path that the IP packet travels can be recorded.

Select the Record route check box to enable this feature.

SYN Fragment Protection

Specifies the number of TCP SYN fragments.

Select the SYN Fragment Protection check box to enable this feature.

SYN and FIN Flags Set Protection

Specifies the number of TCP SYN and FIN flags.

Note: When you enable this option, Junos OS checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.

Select the SYN and FIN Flags Set Protection check box to enable this feature.

FIN Flag Without ACK Flag Set Protection

Specifies the number of TCP FIN flags set without an ACK flag set.

Select FIN Flag Without ACK Flag Set Protection check box to enable this feature.

TCP Packet Without Flag Set Protection

Specifies the number of TCP headers without flags set.

Note: A normal TCP segment header has at least one flag control set.

Select TCP Packet Without Flag Set Protection check box to enable this feature.

Flood Defense

Limit sessions from the same source

Specifies that sessions are limited from the same source IP.

Enter the maximum number of sessions allowed from the same source IP.

Note: The range is from 1 through 50000 sessions.

Limit sessions from the same destination

Specifies that sessions are limited from the same destination IP.

Enter the maximum number of sessions allowed to the same destination IP. The range is from 1 through 50000 sessions.

Note: The default value is 128 sessions. For SRX Series Services Gateways, the range is from 1 through 8000000 sessions per second.

ICMP flood protection

Specifies the Internet Control Message Protocol (ICMP) flood counter.

Note: An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.

Select the ICMP flood protection check box to enable this feature.

Threshold

Specifies the threshold value for ICMP flood protection.

Enter the threshold value for ICMP flood protection.

Note: The range is from 1 through 100000 ICMP packets per second (pps). For SRX Series Services Gateways, the range is from 1 through 4000000 ICMP pps.

UDP flood protection

Specifies the User Datagram Protocol (UDP) flood counter.

Note: UDP flooding occurs when an attacker sends IP packets containing UDP datagrams to slow system resources, such that valid connections can no longer be handled.

Select the UDP flood protection check box to enable this feature.

Threshold

Specifies the threshold value for UDP flood protection.

Enter the threshold value for UDP flood protection.

Note: The range is from 1 through 100000 sessions. The default value is 1000 sessions.

UDP white list

Starting Junos Release 18.1R1, the option to add UDP IP addresses and white list them is available.

Specifies the UDP port IP addresses that can be allowed access.

Note:

  • The UDP white list option is enabled only if you select UDP flood protection.

  • The white list that you created in the UDP white list window will be available in the TCP white list window also for selection.

Choose Select. The UDP White List window appears. Click + to add the IP addresses that you wish to white list. The Add Whitelist window appears. Enter a Name to identify the group of IP addresses. Enter an IPv4 or IPv6 address and click +. The IPv4/IPv6 Address(es) list shows the address that you entered. You can add as many IP addresses to this group as you need. When you are done, click OK. The UDP White List window is presented again.

The Name you associated with the group of IP addresses that you entered in the Add Whitelist window is listed in the Selected table. You can create many such names (groups of IP addresses) and keep them in the Available column to select later for white listing. To move groups between the Available and Selected lists, click < or > as needed.

SYN flood protection

Specifies SYN flood protection. SYN flooding occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests.

Select the SYN flood protection check box to enable all the threshold and ager timeout options.

TCP white list

Starting Junos Release 18.1R1, the option to add TCP IP addresses and white list them is available.

Specifies the TCP port IP addresses that can be allowed access.

Note:

  • The TCP white list option is enabled only if you select SYN flood protection.

  • The white list that you created in the TCP white list window will be available in the UDP white list window also for selection.

Choose Select. The TCP White List window appears. Click + to add the IP addresses that you wish to white list. The Add Whitelist window appears. Enter a Name to identify the group of IP addresses. Enter an IPv4 or IPv6 address and click +. The IPv4/IPv6 Address(es) list shows the address that you entered. You can add as many IP addresses to this group as you need. When you are done, click OK. The TCP White List window is presented again.

The Name you associated with the group of IP addresses that you entered in the Add Whitelist window is listed in the Selected table. You can create many such names (groups of IP addresses) and keep them in the Available column to select later for white listing. To move groups between the Available and Selected lists, click < or > as needed.

Attack threshold

Specifies the number of SYN packets per second required to trigger the SYN proxy mechanism.

Enter a value from 1 through 100000 proxied requests per second. The default value is 200.

Note: For SRX Series Services Gateways, the range is from 1 through 1000000 proxied requests per second. The default attack threshold value is 625 pps.

Alarm threshold

Specifies the number of half-complete proxy connections per second at which the device makes entries in the event alarm log.

Enter a value from 1 through 100000 segments received per second for SYN flood alarm. The default value is 512.

Note: For SRX Series Services Gateways, the range is from 1 through 1000000 segments per second. The default alarm threshold value is 250 pps.

Source threshold

Specifies the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number), before the device begins dropping connection requests from that source.

Enter a value for SYN flood from the same source from 4 through 100000 segments received per second. The default value is 4000.

Note: For SRX Series Services Gateways, the range is from 4 through 1000000 segments per second. The default source threshold value is 25 pps.

Destination threshold

Specifies the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number.

Enter a value for SYN flood to the same destination from 4 through 100000. The default value is 4000.

Note: For SRX Series Services Gateways, the range is from 4 through 1000000 segments per second. The default destination threshold value is 0 pps.

Ager timeout

Specifies the maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you see any connections dropped during normal traffic conditions.

Enter a value for SYN attack protection from 1 through 50 seconds. The default value is 20 seconds.

Note: 20 seconds is a reasonable length of time to hold incomplete connection requests.
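The attack, alarm, source and destination thresholds and the ager timeout described above act on SYN counts per second and on the half-open connections the SYN proxy holds. The following is an added example, not Juniper's code, that models how those five settings interact on one constructed second of traffic (a three-source flood plus one genuine client); the check order, the per-second bucketing and all addresses are assumptions made for the illustration.

```python
"""Simplified model of the SYN flood screen thresholds.

Added illustration, not Juniper's implementation.  SYN segments are
counted per one-second bucket; once the attack threshold is exceeded the
device proxies the handshake and holds the request half-open until the
client's ACK arrives or the ager timeout expires.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class SynFloodPolicy:
    attack_threshold: int = 200        # SYN/s that switch on SYN proxying
    alarm_threshold: int = 512         # half-open proxied connections/s that log an alarm
    source_threshold: int = 4000       # SYN/s from one source before its requests are dropped
    destination_threshold: int = 4000  # SYN/s to one destination before requests are dropped
    ager_timeout_s: float = 20.0       # how long a half-open connection is held


@dataclass
class Segment:
    ts: float
    src: str
    sport: int
    dst: str
    flag: str  # "SYN", or the client "ACK" that completes a proxied handshake


class SynFloodScreen:
    def __init__(self, policy=None):
        self.p = policy or SynFloodPolicy()
        self.total = Counter()               # SYNs per one-second bucket
        self.per_src = defaultdict(Counter)  # bucket -> source -> SYNs
        self.per_dst = defaultdict(Counter)  # bucket -> destination -> SYNs
        self.proxied = Counter()             # proxied (half-open) SYNs per bucket
        self.half_open = {}                  # (src, sport, dst) -> SYN timestamp
        self.alarms = []                     # buckets whose proxied count hit the alarm threshold

    def inspect(self, seg):
        key = (seg.src, seg.sport, seg.dst)
        if seg.flag == "ACK":
            # the client answered the proxied SYN-ACK, so the request was genuine
            return "complete" if self.half_open.pop(key, None) is not None else "forward"
        b = int(seg.ts)
        self.total[b] += 1
        self.per_src[b][seg.src] += 1
        self.per_dst[b][seg.dst] += 1
        p = self.p
        if self.per_src[b][seg.src] > p.source_threshold:
            return "drop-source"
        if self.per_dst[b][seg.dst] > p.destination_threshold:
            return "drop-destination"
        if self.total[b] > p.attack_threshold:
            self.half_open[key] = seg.ts  # SYN proxy: hold until the ACK arrives
            self.proxied[b] += 1
            if self.proxied[b] == p.alarm_threshold:
                self.alarms.append(b)
            return "proxy"
        return "forward"

    def age(self, now):
        """Drop half-open entries older than the ager timeout; return how many."""
        stale = [k for k, t in self.half_open.items() if now - t > self.p.ager_timeout_s]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def sample_second():
    """Constructed traffic inside one second: three flooding sources and one real client."""
    segs = []
    plan = [("203.0.113.1", 300, 0.0), ("203.0.113.2", 100, 0.3), ("203.0.113.3", 50, 0.4)]
    for src, n, start in plan:
        for i in range(n):
            segs.append(Segment(start + i * 0.0001, src, 1024 + i, "10.0.0.10", "SYN"))
    segs.append(Segment(0.5, "198.51.100.20", 40000, "10.0.0.10", "SYN"))
    segs.append(Segment(1.2, "198.51.100.20", 40000, "10.0.0.10", "ACK"))
    return sorted(segs, key=lambda s: s.ts)


def simulate(policy=None):
    """Return verdict counts, half-open entries aged out 25 s later, and alarm buckets."""
    screen = SynFloodScreen(policy)
    summary = dict(Counter(screen.inspect(s) for s in sample_second()))
    summary["aged_out"] = screen.age(now=25.0)
    summary["alarm_buckets"] = list(screen.alarms)
    return summary


if __name__ == "__main__":
    print("defaults:", simulate())
    print("tightened:", simulate(SynFloodPolicy(alarm_threshold=100, source_threshold=200)))
```

With the generic defaults the flood is only proxied and later aged out; lowering the source threshold to 200 drops the loudest source's excess requests outright, and an alarm threshold of 100 makes the same second show up in the alarm log.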

Apply to Zones

Apply to Zones

Specifies that you can apply values to zones from the Available column to the Selected column.

Select zones in the Available column and then use the right arrow to move them to the Selected column.

Note: To remove zones from the Selected column, select the zones in the Selected column and then use the left arrow to move them to the Available column.

Configuring Applications

  1. Select Configure>Security>Objects>Applications.

    The Applications configuration page appears. Table 180 explains the contents of this page.

  2. Click one:
    • Add—Adds a new or duplicate application configuration. Enter information as specified in Table 181.

    • Edit—Edits the selected application configuration.

    • Delete—Deletes the selected application configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 180: Applications Configuration Page

Field

Function

Custom-Applications

Application Name

Displays the custom application name.

Application Description

Displays a description of the custom application.

Application-Protocol

Displays the custom application protocol.

IP-Protocol

Displays the custom network protocol.

Source-Port

Displays the custom source port identifier.

Destination-Port

Displays the custom destination port identifier.

Pre-defined Applications

Application Name

Displays the predefined application name.

Application-Protocol

Displays the predefined application protocol.

IP-Protocol

Displays the predefined network protocol.

Source-Port

Displays the predefined source port identifier.

Destination-Port

Displays the predefined destination port identifier.

Application Sets

Application-Set Name

Displays the application set name.

Members

Displays members in the set.

Description

Displays a description of the application set.

Table 181: Add Applications Configuration Details

Field

Function

Action

Custom-Applications

Global

Application Name

Specifies a custom application name.

Enter a custom application name.

Application Description

Specifies a description for the custom application.

Enter a description for the custom application.

Application-protocol

Specifies the custom application protocol.

Select a value from the list.

Match IP protocol

Specifies the custom network protocol.

Select a value from the list.

Destination Port

Specifies the custom destination port identifier.

Select a value from the list.

Source Port

Specifies the custom source port identifier.

Select a value from the list.

Inactivity-timeout

Specifies the length of time (in seconds) that the application is inactive before it times out.

Enter a value from 4 through 86400.

RPC-program-number

Specifies the remote procedure call value.

Enter a value from 0 through 65535.

Match ICMP message code

Specifies the Internet Control Message Protocol message code.

Select a value from the list.

Match ICMP message type

Specifies the Internet Control Message Protocol message type.

Select a value from the list.

UUID

Specifies a universal unique identifier (UUID).

Enter a UUID.

ApplicationSet

Specifies the set to which this application belongs.

Select an option from the list.

Terms

New Term

Specifies the new term created. The options available are:

  • Add—Adds a new term.

  • Edit—Edits the selected term.

  • Delete—Deletes a record.

Select an option.

Term Name

Specifies a name for the application term.

Enter a term name.

ALG

Specifies the Application Layer Gateway for the application protocol.

Select an option from the list.

Match IP protocol

Specifies the network protocol.

Select an option from the list.

Destination Port

Specifies the destination port identifier.

Enter the destination port identifier.

Source Port

Specifies the source port identifier.

Enter the source port identifier.

Inactivity-timeout

Specifies the length of time (in seconds) that the application is inactive before it times out.

Enter a value from 4 through 86400.

RPC-program-number

Specifies the remote procedure call value.

Enter a value from 0 through 65535.

Match ICMP message code

Specifies the Internet Control Message Protocol message code.

Select a value from the list.

Match ICMP message type

Specifies the Internet Control Message Protocol message type.

Select a value from the list.

UUID

Specifies the set to which this application belongs.

Select an option from the list.

Application Sets

Application-set Name

Specifies the application set name.

Enter an application set name. Using the right and left arrows, move applications between the Applications out of this set and Applications in this set lists.

Description

Specifies a description for the application set.

Enter a description for the application set.

Zone Address Book Configuration Page Options

  1. Select Configure>Security>Policy Elements>Zone Address in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Objects>Zone Addresses in the J-Web user interface.

    The Addresses/Address-sets Configuration page appears. Table 182 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate address/address-set configuration. Enter information as specified in Table 183.

    • Edit or /—Edits the selected address/address-set configuration.

    • Delete or X—Deletes the selected address/address-set configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 182: Addresses/Address Sets Configuration Page

Field

Function

Addresses

Zone

Displays the zone to which the address is applied.

Zone Name

Displays the zone name of the address.

Address Name

Displays the address name.

IP(v4/v6)/Prefix

Displays the IP address of the address.

Domain Name

Displays the domain name of the address.

Address Sets

Zone

Displays the zone to which the address set is applied.

Zone Name

Displays the zone name of the address set.

Address Set Name

Displays the address set name.

Address List

Displays the preexisting addresses that are included or excluded from the address set.

Table 183: Add Addresses/Address-sets Configuration Details

Field

Function

Action

Add Address

Zone

Specifies the zone to which the address is applied.

Select an option from the list.

Address Name

Specifies the address name.

Enter the address name.

IP(v4/v6)/Prefix

Specifies the IP address of the address.

Select the option and enter the IP address.

Domain Name

Specifies the domain name of the address.

Select the option and enter the domain name.

Address Sets

Displays the address sets.

Displays the address set name.

Add Address Set

Specifies the address set name.

Enter the address set name and click Add.

Note: Click Undo to delete the immediate previous action.

Add Address Set

Zone

Specifies the zone to which the address set is applied.

Select an option from the list.

Address Set Name

Specifies the address set name.

Enter the address set name.

Address List

Specifies which of the preexisting addresses should be included or excluded from the address set.

Select the addresses and use the arrows to move them to the Out of This Set and In This Set lists.

Address Book Configuration Page Options

  1. Select Configure>Security>Address Book in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Objects>Global Addresses in the J-Web user interface.

    The Address Books Configuration page appears. Table 184 explains the contents of this page.

  2. Click one:
    • Add or +—Adds an address book configuration. Enter information as specified in Table 185.

    • Edit or /—Edits the selected address book configuration.

    • Delete or X—Deletes the selected address book configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 184: Address Books Configuration Page

Field

Function

Address Books

Address Book Name

Displays the address book name.

Attached Zone

Displays the name of the zone that is attached to the address book.

Global

Displays information about the predefined address book.

The global address book is available by default to all security zones. You do not need to attach a security zone to the global address book.

Address/Address-Set Name

Displays the addresses and address sets associated with the selected address book.

Address Value

Displays the IP address.

Address-Set Members

Displays the addresses in an address set.

Table 185: Add Address Books/Address Sets Configuration Details

Field

Function

Action

Add Address Book

Address Book Name

Specifies the address book name.

Enter a name for the address book.

Attach Zones

Specifies which of the predefined zones should be attached to the address book.

Select the zones from the Available list and use the Right Arrow to move them to the Attached list.

You can attach more than one zone to one address book. However, make sure that each zone has only one address book attached to it. If more than one address book is attached to a zone, you get the following error when you commit the configuration:

“Security zone must be unique in address books.”

Add Address

Address Name

Specifies the address name.

Enter a name for the address.

Address Type

Specifies the type of address.

Select the address type from the list. The options available are:

  • IP address

  • IP address/network

  • Domain name

  • Ranged address

Value

Specifies the address.

Enter an address that matches the selected address type.

Add Address Set

Address Set Name

Specifies the address set name.

Enter the address set name.

Address List

Specifies which of the preexisting addresses should be included or excluded from the address set.

Select the addresses and use the arrows to move them to the Out of This Set and In This Set lists.

Address Set List

Specifies which of the preexisting address sets should be included or excluded from the list.

Select the address sets and use the arrows to move them to the Out of This Set and In This Set lists.
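The two constraints Table 185 states, that an address value must match its selected address type and that each zone may be attached to only one address book, can be checked before a commit rather than discovered from the commit error. The following Python is an added example written for this page; it is not J-Web or Junos code. The `AddressBook` class, the `low-high` syntax assumed for a ranged address, and the sample address books are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# The four address types Table 185 offers.
ADDRESS_TYPES = ("IP address", "IP address/network", "Domain name", "Ranged address")

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_address_value(addr_type, value):
    """True when `value` is well formed for the given Table 185 address type."""
    try:
        if addr_type == "IP address":
            ipaddress.ip_address(value)
            return True
        if addr_type == "IP address/network":
            # strict=True rejects host bits set inside the prefix, e.g. 10.0.0.5/24
            ipaddress.ip_network(value, strict=True)
            return True
        if addr_type == "Ranged address":
            # range syntax assumed for this example: "low-high"
            low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return low.version == high.version and low <= high
        if addr_type == "Domain name":
            labels = value.rstrip(".").split(".")
            return 0 < len(value) <= 253 and all(_LABEL.match(lbl) for lbl in labels)
    except ValueError:
        return False
    return False


@dataclass
class AddressBook:
    name: str
    zones: list = field(default_factory=list)         # attached zones; the global book attaches none
    addresses: dict = field(default_factory=dict)     # address name -> (type, value)
    address_sets: dict = field(default_factory=dict)  # set name -> member address/set names


def check_address_books(books):
    """Return the problems a commit would raise for these books; [] means none found.
    The zone message is the one Table 185 quotes."""
    problems = []
    zone_owner = {}
    for book in books:
        for zone in book.zones:
            owner = zone_owner.setdefault(zone, book.name)
            if owner != book.name:
                problems.append("Security zone must be unique in address books. "
                                f"(zone {zone!r} attached to {owner!r} and {book.name!r})")
        for aname, (atype, value) in book.addresses.items():
            if atype not in ADDRESS_TYPES:
                problems.append(f"{book.name}/{aname}: unknown address type {atype!r}")
            elif not validate_address_value(atype, value):
                problems.append(f"{book.name}/{aname}: {value!r} is not a valid {atype}")
        for sname, members in book.address_sets.items():
            for member in members:
                # Table 185 lets a set hold addresses and other sets from the same book
                if member == sname:
                    problems.append(f"{book.name}/{sname}: a set cannot contain itself")
                elif member not in book.addresses and member not in book.address_sets:
                    problems.append(f"{book.name}/{sname}: member {member!r} is not defined in this book")
    return problems


# Constructed sample configuration: one bad prefix, one zone attached twice, one dangling member.
SAMPLE_BOOKS = [
    AddressBook("global", [], {"dns-server": ("IP address", "192.0.2.53"),
                               "corp-net": ("IP address/network", "10.10.0.0/16"),
                               "vendor": ("Domain name", "updates.example.com"),
                               "dhcp-range": ("Ranged address", "10.10.5.10-10.10.5.200")},
                {"internal": ["corp-net", "dhcp-range"]}),
    AddressBook("book-trust", ["trust"], {"bad-net": ("IP address/network", "10.0.0.5/24")}),
    AddressBook("book-dmz", ["trust", "dmz"], {}, {"servers": ["web1"]}),
]

if __name__ == "__main__":
    for problem in check_address_books(SAMPLE_BOOKS):
        print(problem)
```

Run as a script it prints three problems: the prefix with host bits set, the zone `trust` attached to two books, and the set member that no address defines. The strict prefix check is the one most often missed in the GUI; an address such as `10.0.0.5/24` silently matches the whole /24 if the device accepts it.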

Proxy Profiles Configuration Page Options

The Proxy Profiles page is used to configure proxy profiles that protect your web servers against client-to-server attacks from malicious clients.

  1. Select Configure>Security Service>Security PolicyObjects>Proxy Profiles in the J-Web user interface.

    The Proxy Profiles configuration page appears. Table 186 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate proxy profile configuration. Enter information as specified in Table 187.

    • Edit or /—Edits the selected proxy profile configuration. Enter information as specified in Table 187.

    • Delete or X—Deletes the selected proxy profile configuration.

    • Search Icon—Enables you to search a proxy profile or rule from the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to see the configuration changes that you have performed in the Show Pending Changes window.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      • Commit preferences— You can choose to just validate or validate and commit the changes.

      • Confirm commit timeout (in min)— You can select the commit timeout interval.

Table 186: Proxy Profile Configuration Page

Field

Function

Profile Name

Displays the name of the proxy profile.

Server IP/ Host Name

Displays the server IP address or host name, according to the connection type used by the proxy profile.

Port Number

Displays the port number.

Table 187: Add-Edit Proxy Profile Configuration Details

Field

Function

Action

Profile Name

Specifies the name of the proxy profile.

Enter a name for the proxy profile.

Connection Type

Specifies the type of connection used by the proxy profile.

Select the connection type from the list:

  • Server IP

  • Host Name

Port Number

Specifies the port number used by the proxy profile.

Select a port number for the proxy profile from 0 to 65535.

Security Objects

Address Pools Configuration Page Options

  1. Select Configure>Security Objects>Address Pools in the J-Web user interface.

    The Address Pools configuration page appears. Table 188 explains the contents of this page.

  2. Click one:
    • +—Adds a new or duplicate address pool configuration. Enter information as specified in Table 188.

    • Edit or /—Edits the selected address pool configuration.

    • Delete—Deletes the selected address pool configuration.

    • Search icon—Enables you to search an address pool in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

Table 188: Add Address Pool Configuration Details

General

Pool Name

Specifies the name of the address pool.

Enter the address pool name.

Network Address

Specifies the network address used by the address pool.

Enter an IPv4 address for the address pool.

XAUTH Attributes

Primary DNS Server

Specifies the primary-dns IP address.

Enter the primary-dns IP address.

Secondary DNS Server

Specifies the secondary-dns IP address.

Enter the secondary-dns IP address.

Primary WINS Server

Specifies the primary-wins IP address.

Enter the primary-wins IP address.

Secondary WINS Server

Specifies the secondary-wins IP address.

Enter the secondary-wins IP address.

Address Ranges

Name

Specifies the name of the address range.

Enter a name for the IP address range.

Lower Limit

Specifies the lower limit of the address range.

Enter the lower limit of the address range.

High Limit

Specifies the upper limit of the address range.

Enter the upper limit of the address range.

Add

Adds a new address range to the address pool.

Click + to add a new address range for the address pool.

Delete

Deletes the address range from the address pool.

Click Delete to delete the address range for the address pool.
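Table 188 lays out a pool as a network address, optional XAUTH attributes and named ranges with lower and high limits, but nothing on the page checks that the ranges actually sit inside the network or that two ranges do not hand out the same address. The following Python is an added example written for this page, not Junos code; the dictionary layout, the key names and the sample pool are constructed for illustration.

```python
import ipaddress


def validate_address_pool(pool):
    """Check one address pool laid out the way Table 188 describes it.
    Returns a list of problem strings; an empty list means the pool is consistent."""
    problems = []
    try:
        network = ipaddress.IPv4Network(pool["network"], strict=True)
    except ValueError as exc:
        # the network address itself is unusable, nothing else can be checked against it
        return [f"network address {pool['network']!r} is invalid: {exc}"]

    # XAUTH attributes (Table 188): each one is an IPv4 address handed to the client.
    for key in ("primary_dns", "secondary_dns", "primary_wins", "secondary_wins"):
        value = pool.get(key)
        if value is not None:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"{key} {value!r} is not a valid IPv4 address")

    seen = []
    for rng in pool.get("ranges", []):
        try:
            low = ipaddress.IPv4Address(rng["low"])
            high = ipaddress.IPv4Address(rng["high"])
        except ValueError as exc:
            problems.append(f"range {rng['name']!r}: {exc}")
            continue
        if low > high:
            problems.append(f"range {rng['name']!r}: lower limit {low} is above high limit {high}")
            continue
        if low not in network or high not in network:
            problems.append(f"range {rng['name']!r}: {low}-{high} is not inside {network}")
        # two overlapping ranges would assign one address to two clients
        for other_name, other_low, other_high in seen:
            if low <= other_high and other_low <= high:
                problems.append(f"range {rng['name']!r} overlaps range {other_name!r}")
        seen.append((rng["name"], low, high))
    return problems


# Constructed sample pool with one clean range and three faulty ones.
SAMPLE_POOL = {
    "name": "vpn-clients",
    "network": "10.20.0.0/24",
    "primary_dns": "10.20.0.2",
    "secondary_dns": "10.20.0.3",
    "primary_wins": None,
    "secondary_wins": None,
    "ranges": [
        {"name": "r1", "low": "10.20.0.10", "high": "10.20.0.100"},
        {"name": "r2", "low": "10.20.0.50", "high": "10.20.0.120"},   # overlaps r1
        {"name": "r3", "low": "10.20.0.200", "high": "10.20.1.5"},    # leaves the /24
        {"name": "r4", "low": "10.20.0.150", "high": "10.20.0.140"},  # inverted limits
    ],
}

if __name__ == "__main__":
    for problem in validate_address_pool(SAMPLE_POOL):
        print(problem)
```

The overlap test uses the standard closed-interval condition (`low <= other_high and other_low <= high`), so adjacent ranges that merely touch at a boundary address are also reported, which is what you want for an assignment pool.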

Application Tracking Configuration Page Options

  1. Select Configure>Security Objects>App Tracking in the J-Web user interface.

    The Application Tracking configuration page appears. Table 189 explains the contents of this page.

  2. Click Save to save the configuration.
  3. Click Cancel to clear all the entries of the configuration.

Table 189: Application Tracking Configuration Page

Field

Function

Action

Application Tracking

Application tracking

Enables or disables application tracking.

Select this option to enable application tracking.

Logging Type

You can set the following:

  • Log as session(s) created—Generates a log message when a session is created. By default, this option is disabled.

  • Delay logging first session(s)—Enables you to specify the length of time that must pass before the first log message is created. The default is 1 minute.

Select an option.

First Update Interval (min)

Specifies the interval, in minutes, after which the first update message is sent.

Use the up/down arrow to set the interval time.

Session Update Interval (min)

Enables you to set the interval at which update messages are sent. Default is 5 minutes.

Use the up/down arrow to set the interval time.

Application Tracking By Zone

Lists the available zones.

  • To enable application tracking, select the zone and click the right arrow to move it to the tracking enabled list.

  • To disable application tracking, select the zone and then click the left arrow to move the zone back into the available list.

AppSecure

Application Signature Configuration Page Options

Use the following procedure to download predefined application signatures and to view installed application signatures and their status.

  1. Select Configure>Security>AppSecure Settings in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>AppSecure>App Signatures in the J-Web user interface.

    The display lists all enabled and disabled application signatures on the device.

  2. (Junos OS Release 18.3R1 and later releases) Select Configure>Security Services>App Secure>App Signatures.
  3. Click one:
    • Global Settings—Defines run specifications for application identification or for an automatic downloading schedule.

      • Select the App-Signature Global Settings tab to define run conditions, and to enable or disable application signatures and the application system cache.

      • Select the Download Scheduler tab to set up a schedule for automatic downloads of the latest predefined application signature package.

    • Download—Manually downloads the latest predefined application signature package.

    • Check Status—Monitors the progress of an active manual or scheduled download.

    • Uninstall—Removes application signatures that are currently installed on your device.

      On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, specify the type of signature to uninstall. Choose one of the uninstall options:

      • Customized—Uninstalls all customized application signatures on your device. This option does not uninstall predefined application signatures.

      • Predefined—Uninstalls all predefined application signatures on your device. This option does not uninstall any customized applications.

      • All—Uninstalls all customized and predefined application signatures on your device.

  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Application Firewall Configuration Page Options

  1. Select Configure>Security>Policy>Define AppFW Policy in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>AppSecure>App Firewall in the J-Web user interface.

    The Application Firewall configuration page displays existing application rule sets for the device. Select a rule set to display its rules in the bottom pane. The content of this display is described in Table 190.

  2. Click one:
    • Add or +—Adds a new rule set configuration. Enter the information specified in Table 191. To add a rule configuration, click Add from the lower pane or from the Add Rule Set page, and enter the information specified in Table 192.

    • Edit or /—Edits the selected rule set or the selected rule. See Table 191 for rule set details or Table 192 for rule details.

    • Delete or X—Deletes the selected rule set or the selected rule configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 190: Application Firewall Configuration Page

Field

Function

Rule Set

Name

Specifies the name of an existing application rule set configured for the device.

Select a rule set to display its associated rules in the lower pane.

Rule

Specifies the name of each rule associated with the rule set. If this field contains more than two rule names, hover over the field to display the names of all the rules in a tool tip.

Rules in Selected Rule-Set

Rule Name

Displays the name of each rule contained in the selected rule set. This pane is blank until a rule set is selected in the upper pane.

Match Dynamic Applications

Specifies one or more application signatures to be used as match criteria for the rule.

Action

Specifies the action to be taken if traffic matches one of the specified applications.

  • permit—Permits traffic that matches this rule.

  • deny—Denies traffic that matches this rule.

Table 191: Add or Edit Rule Set Configuration Details

Field

Function

Action

Rule Set Name

Specifies the rule set name.

Enter a rule set name.

When editing a rule set, the name cannot be changed.

Rules

When rules are defined for the new rule set, the Rules pane displays each rule name, its associated dynamic applications, and its action.

Click Add to create a rule for this rule set. See Table 192 for rule configuration details.

Table 192: Add or Edit Rule Configuration Details

Field

Function

Action

Rule Name

Specifies the name of the rule.

Enter a rule name.

When editing a selected rule, the name cannot be changed.

Rule Action

Specifies the action to be taken when traffic matches one of the dynamic application signatures associated with this rule.

  • permit—Permits traffic that matches this rule.

  • deny—Denies traffic that matches this rule.

Select permit or deny.

Note: All rules belonging to a rule set must have the same Action setting.

When editing a rule, changing the Action setting will change the setting in all rules in this rule set.

Match Dynamic Application

Applications

Displays the applications available on your device.

To add applications to the match criteria:

  • Select one or more applications in the Applications list. (Use the Ctrl key to select more than one item.)

  • Click the right arrow to move the selections to the Matched list.

Matched

Displays the applications selected as match criteria for the rule.

To delete applications from the match criteria:

  • Select one or more applications in the Matched list. (Use the Ctrl key to select more than one item.)

  • Click the left arrow to return the selections to the Applications list.

Search

Redisplays the Applications list with the specified application at the top.

Enter an application name.
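Tables 190 to 192 describe a rule set as a named group of rules, each matching one or more dynamic applications with a permit or deny action, under the constraint that every rule in a set carries the same action and that changing it on one rule changes it on all. The following Python is an added example written for this page that models exactly those rules; it is not the AppSecure implementation. The per-rule-set default applied when no rule matches is an assumption of the example (the page does not show one), and the `junos:NAME` style application identifiers in the sample are constructed, not taken from a signature package.

```python
from dataclasses import dataclass, field

ACTIONS = ("permit", "deny")   # the two actions Table 192 offers


@dataclass
class Rule:
    name: str
    action: str
    dynamic_applications: set = field(default_factory=set)   # match criteria (Table 192)


@dataclass
class RuleSet:
    name: str
    rules: list = field(default_factory=list)
    # Tables 190 to 192 do not show what happens when no rule matches; this example
    # assumes a per-rule-set default and fails closed by denying such traffic.
    default_action: str = "deny"

    def add_rule(self, rule):
        """Table 192: all rules belonging to a rule set must have the same Action setting."""
        if rule.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}, got {rule.action!r}")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"rule {rule.name!r} already exists in rule set {self.name!r}")
        if self.rules and rule.action != self.rules[0].action:
            raise ValueError("All rules belonging to a rule set must have the same Action setting.")
        self.rules.append(rule)

    def set_action(self, action):
        """Table 192: changing Action on one rule changes it for every rule in the rule set."""
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
        for r in self.rules:
            r.action = action

    def evaluate(self, identified_application):
        """Return (matching rule name or None, action) for one identified application."""
        for r in self.rules:
            if identified_application in r.dynamic_applications:
                return r.name, r.action
        return None, self.default_action


def build_sample():
    """Constructed rule set that permits web and SSH, then shows the same-action rule
    rejecting a deny rule. Returns (rule_set, error_message_or_None)."""
    rs = RuleSet("allow-web")
    rs.add_rule(Rule("r1", "permit", {"junos:HTTP", "junos:HTTPS"}))
    rs.add_rule(Rule("r2", "permit", {"junos:SSH"}))
    try:
        rs.add_rule(Rule("r3", "deny", {"junos:BITTORRENT"}))
        error = None
    except ValueError as exc:
        error = str(exc)
    return rs, error


if __name__ == "__main__":
    rule_set, error = build_sample()
    print("rejected:", error)
    for app in ("junos:HTTP", "junos:SSH", "junos:BITTORRENT"):
        print(app, "->", rule_set.evaluate(app))
```

Because all rules in a set share one action, a permit set can only ever widen what is allowed and relies on the default for everything else; that is why the example fails closed on unmatched applications.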

UTM

Default Configuration Page Options

The Default Configuration page describes the security features of Unified Threat Management (UTM).

This default configuration is used when multiple UTM policies are present in the potential list. The global configuration is used until an exact match is found in the potential list.

The following security features are parts of UTM default configuration:

  • Sophos Antivirus—Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers).

  • Web filtering—Web filtering lets you manage Internet usage by preventing access to inappropriate Web content.

  • Antispam—This feature examines transmitted messages to identify any e-mail spam.

  • Content filtering— This feature blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type.

  1. Select Configure>Security>UTM>Default Configuration in the J-Web user interface.

    The Default Configuration page appears. Table 193 explains the contents of this page.

  2. Click one:
    • Anti-Virus—Select this tab to view or create anti-virus configuration. Enter information as specified in Table 194.

    • Web Filtering—Select this tab to view or create the web filtering configuration. Enter information as specified in Table 194.

    • Anti-Spam—Select this tab to view or create the anti-spam configuration. Enter information as specified in Table 194.

    • Content-Filtering—Select this tab to view or create the content filtering configuration. Enter information as specified in Table 194.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to see the configuration changes that you have performed in the Show Pending Changes.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      • Commit preferences— You can choose to just validate or validate and commit the changes.

      • Confirm commit timeout (in min)— You can select the timeout interval.

Table 193: Default Configuration main page

Field

Function

Anti-Virus

Displays the configured antivirus settings. You can also configure antivirus.

Web Filtering

Displays the configured web filtering settings. You can also configure web filtering.

Anti-Spam

Displays the configured antispam settings. You can also configure antispam.

Content-Filtering

Displays the configured content filtering settings. You can also configure content filtering.

Table 194: Default configuration option page

Field

Function

Action

Create antivirus

Type

Displays the anti-virus engine type.

Select the required engine type:

  • Anti-Virus None

  • Sophos Engine

URL Whitelist

Specifies a unique customized list of all URLs or IP addresses for a given category that are to be bypassed for scanning.

Select the customized object from the list.

MIME Whitelist

Specifies the comprehensive list of MIME types that can bypass antivirus scanning.

Select the customized object from the list.

Exception

Specifies a list of MIME types to be excluded from the whitelist. The exception MIME whitelist is a subset of MIME types found in the MIME whitelist.

Select the customized object from the list.

Sophos Engine options

General Settings

Timeout

Specifies the Sophos antivirus engine timeout.

Select a timeout from 1 to 5 seconds.

Retry

Specifies the number of times the Sophos antivirus engine query is retried.

Select the number of retries, from 1 to 5.

Server

Server IP

Specifies the DNS server IP address.

Enter a valid DNS server IP address.

Routing Instance

Specifies the name of the routing instance.

Select a valid routing instance name.

Pattern Update

URL

Specifies the URL of the database server.

Enter the URL for the pattern database.

Routing Instance

Specifies the routing instance name.

Select a routing instance from the drop-down list. Routing instances can be defined under Configure>Network>Routing Instance.

Pattern Update Interval (sec)

Specifies the interval at which the database server is queried for a new version of the database.

Enter the time interval for automatically updating the pattern database. The range is from 10 through 10080 seconds. The default interval is 60 seconds.

Auto Update

Specifies that the antivirus pattern database is configured to be automatically updated.

Select the auto update option.

No Auto Update

Specifies that the automatic download and update of the antivirus engine and signature database are disabled.

Select the no auto update option.

Proxy Profile

Specifies the name of the proxy profile.

Select the proxy profile for antivirus.

Create Proxy Profile

Profile Name

Specifies the proxy profile name.

Enter a valid profile name.

Connection Type

Specifies the type of connection.

Select any one option from the following:

  • Server IP— Enter the server IP address.

  • Host Name— Enter the host name.

Port Number

Specifies the port number.

Enter the port number in the range 0 to 65535.

Email Notify

Admin Email

Specifies the administrator e-mail address to be notified about the pattern file update.

Enter a valid administrator e-mail address.

Custom Message subject

Specifies the custom message subject for the notification.

Enter the subject of the custom message.

Custom Message

Displays the custom message for notification.

Enter the custom message for notification.

Fallback Settings

Default

Specifies all errors other than the categorized settings. This could include either unhandled system exceptions (internal errors) or other unknown errors. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Block.

Content Size

Specifies the fallback action taken when the content exceeds the content size limit.

Select one of the following: Permit, Block, or Log and Permit.

Engine-not-ready

Specifies that the scan engine is not ready during certain processes, for example, while the signature database is loading. The available actions are block or log-and-permit.

Select one of the following: Permit, Block, or Log and Permit.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the antivirus profile, the processing is aborted and the content is passed or blocked without completing the virus checking.

Select Block or Log and Permit. The default action is Block.

Out-of-resources

Specifies the resource constraint error received during virus scanning. This error can be sent by the scan engine (as a scan code) or by the scan manager. When the system runs out of resources, scanning is aborted. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Block.

Too-many-requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-requests fallback option. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Block.

Scan Option

URI Check

Specifies whether the antivirus URI check is performed.

Select this option to enable the URI check.

Content Size Limit

Specifies the accumulated TCP payload size.

Enter the content size limit, a value from 20 through 40,000 KB.

Timeout

Specifies the time allowed between a scan request being generated and the scan result being returned by the scan engine. The trickling timeout value is used by all supported protocols; each protocol can have a different timeout value.

Enter the time interval from 1 through 1800 seconds. The default value is 180 seconds.

Trickling

Trickling Timeout

Displays the trickling timeout interval.

Enter the time interval from 0 through 600 seconds.

Virus Detection

Type

Specifies the type of notification to be sent when a virus is detected.

Select Protocol Only or Message option.

Notify Mail Sender

Specifies whether or not a notification is sent to the virus-detection notification e-mail address when a virus is detected.

Select yes to send a notification and no to not send a notification.

Custom Message Subject

Specifies the subject line text for your custom message for the virus detection notification.

Enter the subject line text for your custom message.

Custom Message

Specifies the customized message text for the virus detection notification.

Enter the text for this custom notification message.

Fallback Block

Type

Specifies the type of notification sent when a fallback option of block is triggered.

Select the Protocol Only or the Message check box.

Notify Mail Sender

Specifies that when a virus is detected and a fallback option of block is triggered, an e-mail is sent to the administrator.

Select the Notify Mail Sender check box to enable this notification.

Custom Message

Specifies the customized message text for the fallback block notification.

Enter the text for this custom notification message

Custom Message Subject

Specifies the subject line text for your custom message for the fallback block notification.

Enter the subject line text for your custom message.

Fallback Non Block

Notify Mail Recipient

Notify mail sender

Custom Message Subject

Specifies the subject line for your custom message for the fallback nonblock notification.

Enter the subject line text for your custom message.

Custom Message

Specifies the customized message text for the fallback nonblock notification.

Enter the text for this custom notification message.
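The antivirus part of Table 194 defines an order of decisions before any scanning happens (URL whitelist, MIME whitelist less its exception list, content size limit) and a fallback action for each way the scan itself can fail, with Block as the default everywhere. The following Python is an added example written for this page that makes those decisions explicit; it is not the UTM implementation. The `AntivirusProfile` class, matching the URL whitelist on host name only, the `ScanError` condition names and the `fake_engine` stand-in for the Sophos engine are all constructed for illustration.

```python
from dataclasses import dataclass, field

BLOCK, LOG_AND_PERMIT, PERMIT = "block", "log-and-permit", "permit"
AV_FALLBACK_CONDITIONS = ("default", "content-size", "engine-not-ready",
                          "timeout", "out-of-resources", "too-many-requests")


class ScanError(Exception):
    """Raised by the scan engine; `kind` names the fallback condition that occurred."""
    def __init__(self, kind):
        super().__init__(kind)
        self.kind = kind


@dataclass
class AntivirusProfile:
    mime_whitelist: set = field(default_factory=set)            # MIME types that bypass scanning
    exception_mime_whitelist: set = field(default_factory=set)  # subset of the above that IS scanned
    url_whitelist: set = field(default_factory=set)             # hosts bypassed for scanning
    content_size_limit_kb: int = 20000                          # 20 through 40,000 KB
    timeout_s: int = 180                                        # 1 through 1800 s, default 180
    # Table 194: the default action for every fallback condition is Block.
    fallback: dict = field(default_factory=lambda: {c: BLOCK for c in AV_FALLBACK_CONDITIONS})

    def validate(self):
        """Enforce the relationships Table 194 states between the fields."""
        stray = self.exception_mime_whitelist - self.mime_whitelist
        if stray:
            raise ValueError(f"exception MIME whitelist must be a subset of the MIME whitelist: {sorted(stray)}")
        if not 20 <= self.content_size_limit_kb <= 40000:
            raise ValueError("content size limit must be 20 through 40,000 KB")
        if not 1 <= self.timeout_s <= 1800:
            raise ValueError("timeout must be 1 through 1800 seconds")
        for cond, action in self.fallback.items():
            if cond not in AV_FALLBACK_CONDITIONS or action not in (BLOCK, LOG_AND_PERMIT, PERMIT):
                raise ValueError(f"bad fallback setting {cond}={action}")
        return True


def scan_decision(profile, host, mime_type, content_kb, scan_engine):
    """Decide what happens to one object. Returns (action, reason).
    scan_engine(content_kb, timeout_s) returns "clean" or "infected", or raises ScanError."""
    if host in profile.url_whitelist:
        return PERMIT, "url-whitelist"
    if mime_type in profile.mime_whitelist and mime_type not in profile.exception_mime_whitelist:
        return PERMIT, "mime-whitelist"
    if content_kb > profile.content_size_limit_kb:
        return profile.fallback["content-size"], "content-size"
    try:
        verdict = scan_engine(content_kb, profile.timeout_s)
    except ScanError as exc:
        # any condition without its own setting goes to the Default fallback
        cond = exc.kind if exc.kind in profile.fallback else "default"
        return profile.fallback[cond], cond
    if verdict == "infected":
        return BLOCK, "virus-detected"
    return PERMIT, "clean"


def fake_engine(content_kb, timeout_s):
    """Constructed stand-in for the scan engine; it signals conditions by payload size."""
    if content_kb == 0:
        raise ScanError("engine-not-ready")
    if content_kb == 666:
        return "infected"
    if content_kb == 999:
        raise ScanError("internal-error")   # not a named condition, so the Default fallback applies
    if content_kb > 15000:
        raise ScanError("timeout")
    return "clean"


# Constructed profile: PNG bypasses scanning, MP4 is whitelisted but listed as an exception.
AV_PROFILE = AntivirusProfile(
    mime_whitelist={"image/png", "video/mp4"},
    exception_mime_whitelist={"video/mp4"},
    url_whitelist={"updates.example.com"},
)

if __name__ == "__main__":
    AV_PROFILE.validate()
    for size in (500, 666, 16000, 25000, 0):
        print(size, "KB ->", scan_decision(AV_PROFILE, "www.example.com", "application/octet-stream", size, fake_engine))
```

Two things worth noticing in the output: a payload over the content size limit never reaches the engine, so the Content Size fallback is the only control over it, and relaxing a single fallback (for example setting Timeout to Log and Permit) changes the outcome for just that condition while the others stay at Block.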

Create Web filtering

HTTP persist

Specifies whether the HTTP persist option is enabled.

Enable or disable the option.

HTTP Reassemble

Specifies whether HTTP request segments are reassembled.

Enable or disable the option to reassemble HTTP request segments.

Type

Specifies the Web filtering engine type.

Select from the drop-down list:

  • Juniper Enhanced

  • Juniper Local

  • Websense Redirect

URL Blacklist

Specifies a unique customized list of all URLs or IP addresses for a given category that are scanned for blacklisting.

Configure a custom URL for the blacklist category.

URL Whitelist

Specifies a unique customized list of all URLs or IP addresses for a given category that are to be bypassed for scanning.

Configure a custom URL for the whitelist category.

Juniper Enhanced Options

Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

Global

Base Filter

Specifies the base filter.

Select the base filter from the drop-down list.

Custom Block Message

Specifies the Juniper Enhanced custom block message sent to the HTTP client.

Enter a message to be displayed when content is blocked.

Default Action

Specifies the default action for the Juniper Enhanced profile.

Select Log and Permit. The default action is Log and Permit.

No Safe Search

Specifies that safe search is not performed for the Juniper Enhanced protocol.

Enable or disable this option.

Note: When this option is enabled, safe search is not performed for the Juniper Enhanced protocol.

Quarantine Custom Message

Specifies the Juniper Enhanced quarantine custom message.

Enter the quarantine custom message.

Timeout

Specifies the Juniper Enhanced timeout.

Select a timeout interval from 1 to 1800 seconds.

Cache

Size

Specifies the Juniper Enhanced cache size.

Select a cache size from 0 to 4096 kilobytes.

Timeout

Specifies the Juniper Enhanced cache timeout.

Select a timeout interval from 1 to 1800 seconds.

Block Messages

Type

Specifies the type of block message.

Select the type of block message.

URL

Specifies the URL of the block message.

Enter the URL of the block message.

Fallback Settings

Default

Specifies all errors other than the categorized settings. These could include either unhandled system exceptions (internal errors) or other unknown errors. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Log and Permit.

Server-connectivity

Specifies that the server connection is not established during certain processes, for example, while the signature database is loading. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Log and Permit.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the Web filtering profile, the processing is aborted and the content is passed or blocked without completing filtering.

Select Block or Log and Permit. The default action is Log and Permit.

Too-many-requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-requests fallback option. The available actions are block or log-and-permit.

Select Block or Log and Permit. The default action is Log and Permit.

Category

Specifies a unique customized list of categories.

  • Add (+)—Adds the selected category and the corresponding action to the list of available categories for the Juniper Enhanced Web Filtering profile.

  • Delete(X)—Deletes the selected category from the list of available categories for the Juniper Enhanced Web Filtering profile.

Select a category from the list.

Action

Specifies the action that the device must take for the category selected.

Select Permit, Log and Permit, or Block.

Quarantine Message

Type

Specifies the type of quarantine message.

Select a type.

URL

Specifies the URL of the quarantine message.

Enter a valid URL.

Server

Host

Specifies the address of the host server.

Enter the address of the host server.

Port

Specifies the port number of the server.

Enter the port number of the server.

Routing Instance

Specifies the routing instance name.

Select a routing instance.

Proxy Profile

Specifies the proxy profile for Web filtering.

Select a proxy profile, or create a new one.

Site Reputation Action

Specifies the action to be taken depending on the site reputation returned for all types of URLs, whether categorized or uncategorized.

Displays the following options:

  • Very Safe—Permit, log-and-permit, block, or quarantine a request if a site reputation of 90 through 100 is returned.

  • Moderately Safe—Permit, log-and-permit, block, or quarantine a request if a site reputation of 80 through 89 is returned.

  • Fairly Safe—Permit, log-and-permit, block, or quarantine a request if a site reputation of 70 through 79 is returned.

  • Suspicious—Permit, log-and-permit, block, or quarantine a request if a site reputation of 60 through 69 is returned.

  • Harmful—Permit, log-and-permit, block, or quarantine a request if a site reputation of zero through 59 is returned.

Click Reset to position the slider to the recommended levels.

Juniper Local

Specifies the Juniper Local profile type.

Select this option to use the Local profile type.

Websense Redirect

Account

Displays the user account for which this profile is intended.

Sockets

Displays the number of sockets used for communicating between the client and server.

Enter the number of sockets.

Delete All Default Configurations

Deletes all the default configurations.
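The Juniper Enhanced part of Table 194 gives a Web filtering profile several layers of decision: a URL blacklist and whitelist, a per-category action, a site reputation action keyed to the five score bands listed above, a profile default action, and fallback actions for the cloud lookup failing, which default to Log and Permit. The following Python is an added example written for this page that puts those layers in one function; it is not the Web filtering implementation. The evaluation order (blacklist, whitelist, category action, reputation band, default action), the `WebFilterProfile` class, the `CloudLookupError` condition names and the `fake_lookup` stand-in with its made-up category names and scores are all constructed for illustration.

```python
from dataclasses import dataclass, field

BLOCK, LOG_AND_PERMIT, PERMIT, QUARANTINE = "block", "log-and-permit", "permit", "quarantine"

# Site reputation bands from Table 194: (lowest score, highest score, band name).
REPUTATION_BANDS = (
    (90, 100, "very-safe"),
    (80, 89, "moderately-safe"),
    (70, 79, "fairly-safe"),
    (60, 69, "suspicious"),
    (0, 59, "harmful"),
)
WF_FALLBACK_CONDITIONS = ("default", "server-connectivity", "timeout", "too-many-requests")


def reputation_band(score):
    """Map a site reputation score to the Table 194 band it falls in."""
    for low, high, name in REPUTATION_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"site reputation {score} is outside 0 through 100")


class CloudLookupError(Exception):
    """Raised when the reputation lookup fails; `kind` names the fallback condition."""
    def __init__(self, kind):
        super().__init__(kind)
        self.kind = kind


@dataclass
class WebFilterProfile:
    url_blacklist: set = field(default_factory=set)
    url_whitelist: set = field(default_factory=set)
    category_actions: dict = field(default_factory=dict)    # category name -> action
    reputation_actions: dict = field(default_factory=dict)  # band name -> action
    default_action: str = LOG_AND_PERMIT                    # Table 194 default
    # Table 194: every Juniper Enhanced fallback condition defaults to Log and Permit.
    fallback: dict = field(default_factory=lambda: {c: LOG_AND_PERMIT for c in WF_FALLBACK_CONDITIONS})


def filter_request(profile, host, lookup):
    """Return (action, reason) for a request to `host`.
    lookup(host) returns (category, site_reputation) or raises CloudLookupError."""
    if host in profile.url_blacklist:
        return BLOCK, "url-blacklist"
    if host in profile.url_whitelist:
        return PERMIT, "url-whitelist"
    try:
        category, score = lookup(host)
    except CloudLookupError as exc:
        cond = exc.kind if exc.kind in profile.fallback else "default"
        return profile.fallback[cond], f"fallback:{cond}"
    if category in profile.category_actions:
        return profile.category_actions[category], f"category:{category}"
    band = reputation_band(score)
    if band in profile.reputation_actions:
        return profile.reputation_actions[band], f"reputation:{band}"
    return profile.default_action, "default-action"


# Constructed cloud answers; category names and scores are made up for the example.
CLOUD_TABLE = {
    "news.example": ("News", 95),
    "casino.example": ("Gambling", 85),
    "shady.example": ("Uncategorized", 40),
    "forum.example": ("Forums", 75),
}


def fake_lookup(host):
    """Stand-in for the cloud reputation service, including two failure modes."""
    if host == "down.example":
        raise CloudLookupError("server-connectivity")
    if host == "slow.example":
        raise CloudLookupError("timeout")
    return CLOUD_TABLE[host]


WF_PROFILE = WebFilterProfile(
    url_blacklist={"malware.example"},
    url_whitelist={"intranet.example"},
    category_actions={"Gambling": BLOCK},
    reputation_actions={"very-safe": PERMIT, "suspicious": QUARANTINE, "harmful": BLOCK},
)

if __name__ == "__main__":
    for host in ("malware.example", "intranet.example", "casino.example", "news.example",
                 "shady.example", "forum.example", "down.example"):
        print(host, "->", filter_request(WF_PROFILE, host, fake_lookup))
```

Note what the Log and Permit fallback default means in practice: while the reputation service is unreachable, only the blacklist and whitelist still enforce anything, and every other request is allowed through with a log entry. If that is not acceptable for a given zone, the Server-connectivity and Timeout fallbacks are the settings to change, as the last assertion below shows.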

Create Anti-Spam

Address Whitelist

Specifies the customized list of addresses that are exempted from antispam checking.

Select the customized object from the list.

Address Blacklist

Specifies the customized list of addresses whose messages are treated as spam.

Select the customized object from the list.

Type

Specifies the antispam type.

SBL settings

Custom Tag String

Specifies the custom string that is used to identify a spam message.

Enter a custom string for identifying a message as spam. By default, the device uses ***SPAM***.

SBL Default Server

Specifies the profile that uses SBL server. The SBL server is predefined on the device.

Select the check box if you are using the default server.

Spam Action

Displays the Spam action.

Select one of the following actions:

  • Block Email

  • Tag header email

  • Tag subject email

Create Content Filtering

Click one:

  • Expand/Collapse All—Expands or collapses all the options.

  • Edit—Edits the option.

  • Delete—Deletes the option.

Permit Command List

Displays the permitted protocol command name.

Select the protocol command name to be permitted from the list.

Block Command List

Displays the blocked protocol command.

Select the protocol command name to be blocked from the list.

Block Extension List

Specifies the blocked extension list name.

Select the extension to be blocked from the list.

Block MIME List

Specifies the list of MIME types to be blocked.

Select the MIME type from the list.

Block MIME Exception List

Specifies the MIME types that are excluded from the blocked MIME list.

Select the MIME type to be excluded from the list.

Type

Specifies the content filtering type.

Select the type.

Block Content Type

Specifies the blocked content type.

  • activex

  • exe

  • http-cookie

  • java-applet

  • zip

Select the content type to be blocked.

Notification Options

Type

Specifies the type of notification sent when a content block is triggered.

Select the Protocol Only or the Message check box.

Notify Mail Sender

Specifies that when a virus is detected and a content block is triggered, an e-mail is sent to the administrator.

Select the Notify Mail Sender check box.

Custom Notification Message

Specifies the customized message text for the content-block notification.

Enter the text for this custom notification message (if you are using one).

Antivirus Configuration Page Options

  1. Select Configure>Security>UTM>Anti-Virus in the J-Web user interface.

    The Antivirus configuration page appears. Table 195 explains the contents of this page.

  2. Click one:
    • Global Options—Defines general specifications for antivirus configuration. Enter information as specified in Table 196.

      Note: Global Options are not enabled for logical system users. They are enabled only for root users.

    • Add or +—Adds a new or duplicate antivirus profile configuration. Enter information as specified in Table 197.

    • Edit or /—Edits the selected antivirus configuration.

    • Delete or X—Deletes the selected antivirus configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 195: Antivirus Configuration Page

Field

Function

Profile Name

Displays the unique name of the antivirus profile.

Profile Type

Displays the profile type selected.

Intelligent Prescreening

Displays the intelligent prescreening status.

Scan Mode

Displays the scan mode option selected.

Trickling Timeout

Displays the trickling timeout interval.

Table 196: Global Options Antivirus Configuration Details

Field

Function

Action

Main

MIME Whitelist

Specifies the comprehensive list of MIME types that can bypass antivirus scanning.

Select the customized object from the list.

Exception MIME Whitelist

Specifies a list of MIME types to be excluded from the whitelist. The exception MIME whitelist is a subset of MIME types found in the MIME whitelist.

Select the customized object from the list.

URL Whitelist

Specifies a unique customized list of all URLs or IP addresses for a given category that are to be bypassed for scanning.

Select the customized object from the list.

Engine Type

Kaspersky Lab

Specifies the internal scan engine for full antivirus protection provided by Kaspersky Labs.

Note: This option is not supported on SRX1500 devices.

Select this option to choose the Kaspersky Lab engine type.

Juniper Express

Specifies the internal scan engine for full antivirus protection provided by Juniper Networks.

Note: This option is not supported on SRX1500 devices.

Select this option to choose the Juniper Express engine type.

Sophos

Specifies the internal scan engine for full antivirus protection provided by Sophos.

Note: SRX1500 devices support only this option.

Select this option to choose the Sophos engine type.

Kaspersky Lab Engine Options

Admin Email

Specifies the e-mail address for the notification to be sent to the administrator when the pattern update is complete.

Enter the administrator e-mail address.

Custom Message

Specifies the text of the pattern-update e-mail notification that is sent when the pattern update is complete.

Enter the customized message.

Custom Message Subject

Specifies the customized message subject line for the custom message.

Enter the customized message subject line.

Juniper Express Engine Options

Pattern Update URL

Specifies the URL of the database server.

Enter the URL for the pattern database.

Pattern Update Interval (sec)

Specifies the interval at which the database server is queried for a new version of the database.

Enter the time interval for automatically updating the pattern database. The range is from 10 through 10080 seconds. The default interval is 60 seconds.

Auto Update

Specifies that the antivirus pattern database is configured to be automatically updated.

Select the auto update option.

No Auto Update

Specifies that the automatic download and update of the antivirus engine and signature database are disabled.

Select the no auto update option.

Sophos Engine Options

Pattern Update URL

Specifies the URL of the database server.

Enter the URL for the pattern database.

Pattern Update Interval (sec)

Specifies the interval at which the database server is queried for a new version of the database.

Enter the time interval for automatically updating the pattern database. The range is from 10 through 10080 seconds. The default interval is 60 seconds.

Auto Update

Specifies that the antivirus pattern database is configured to be automatically updated.

Select the auto update option.

No Auto Update

Specifies that the automatic download and update of the antivirus engine and signature database are disabled.

Select the no auto update option.

Proxy Options

Proxy Server Host

Specifies the host name of the proxy server.

Enter the IP address or hostname of the proxy server.

Proxy Server Port

Specifies the port with which the proxy server is associated.

Enter the port number.

Proxy Server Username

Specifies the username to use on the proxy server.

Enter the username.

Proxy Server Password

Specifies the password to use on the proxy server.

Enter the password.

Confirm Proxy Server Password

Verifies the login password for the proxy server.

Re-enter the password.

Table 197: Add Antivirus Configuration Details

Field

Function

Action

Main

Profile Name

Specifies a unique name for the antivirus profile.

Enter a unique name for the antivirus profile.

Profile Type

Displays the internal scan engine for full antivirus option selected in the global options. Intelligent prescreening is only intended for use with non-encoded traffic.

-

Trickle Timeout

Specifies the trickle timeout value.

Enter timeout parameters.

Scan Options for Kaspersky Lab Engine

Intelligent Prescreening

Specifies whether intelligent prescreening is enabled, which improves antivirus scanning performance. Without it, the antivirus module generally begins to scan data only after the gateway device has received all the packets of a file.

Select yes to enable intelligent prescreening.

Content Size Limit

Specifies the accumulated TCP payload size.

Enter the content size limit, a value from 20 through 20,000 KB.

Scan Engine Timeout

Specifies the time allowed between the scan request being generated and the scan result being returned by the scan engine. The trickling timeout value is used by all supported protocols. Each protocol can have a different timeout value.

Enter the time interval from 1 through 1800 seconds. The default value is 180 seconds.

Decompress Layer Limit

Specifies the number of layers of nested compressed files the internal antivirus scanner can decompress before the execution of the virus scan.

Enter the decompress layer limit, a value from 1 through 4 layers.

Scan Mode

Scan All Files

Specifies all files to be scanned.

Select this option to scan all files.

Scan Files With Specified Extension

Specifies the list of file extensions.

Select this option to scan files with specific extensions.

Scan Engine Filename Extension

Specifies the file extensions found in the traffic being scanned.

Select this option to scan the engine filename extension.

Scan Options for Juniper Express Engine

Intelligent Prescreening

Specifies whether intelligent prescreening is enabled, which improves antivirus scanning performance. Without it, the antivirus module generally begins to scan data only after the gateway device has received all the packets of a file.

Select yes to enable intelligent prescreening.

Content Size Limit

Specifies the accumulated TCP payload size.

Enter the content size limit, a value from 20 through 20,000 KB.

Scan Engine Timeout

Specifies the time allowed between the scan request being generated and the scan result being returned by the scan engine. The trickling timeout value is used by all supported protocols. Each protocol can have a different timeout value.

Enter the time interval from 1 through 1800 seconds. The default value is 180 seconds.

Scan Options for Sophos Engine

URI Check

Specifies Uniform Resource Identifier blocking: an effective measure for preventing malware from reaching the endpoint. URI lookup is performed against an in-the-cloud malicious/infected URI database on each URI requested via HTTP.

Select the URI check check box to enable URI check.

Content Size Limit

Specifies the accumulated TCP payload size.

Enter the content size limit, a value from 20 through 20,000 KB.

Scan Engine Timeout

Specifies the time allowed between the scan request being generated and the scan result being returned by the scan engine. The trickling timeout value is used by all supported protocols. Each protocol can have a different timeout value.

Enter the time interval from 1 through 1800 seconds. The default value is 180 seconds.

Query Interval

Specifies the antivirus engine query timeout interval.

Enter the query interval from 1 through 5 seconds.

Query Retries

Specifies the antivirus engine query retry (number of times) value.

Enter the query retry value from 0 through 5.

Fallback Settings

Default Action

Specifies the action for all errors other than those covered by the categorized settings. These could include either unhandled system exceptions (internal errors) or other unknown errors. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Corrupt File

Specifies the error returned by the scan engine when it detects a corrupted file. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Password File

Specifies the error returned by the scan engine when the scanned file is protected by a password. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Decompress Layer

Specifies the error returned by the scan engine when the scanned file has too many compression layers. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Content Size

Specifies that if the content size exceeds a set limit, the content is passed or blocked depending on the max-content-size fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Engine Not Ready

Specifies that the scan engine is not ready during certain processes, for example, while the signature database is loading. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the antivirus profile, the processing is aborted and the content is passed or blocked without completing the virus checking. The decision is made based on the timeout fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Out Of Resource

Specifies the resource constraints error received during virus scanning. This error can be sent by the scan engine (as a scan code) or by the scan manager. When the system runs out of resources, scanning is aborted. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block.

Too Many Requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-request fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Block. The allowed request limit is not configurable.

Notification Options
Fallback Block

Notification Type

Specifies the type of notification sent when a fallback option of block is triggered.

Select the Protocol Only or the Message check box.

Notify Mail Sender

Specifies that when a virus is detected and a fallback option of block is triggered, an e-mail is sent to the administrator.

Select the Notify Mail Sender check box to enable this notification.

Custom Message

Specifies the customized message text for the fallback block notification.

Enter the text for this custom notification message (if you are using one).

Custom Message Subject

Specifies the subject line text for your custom message for the fallback block notification.

Enter the subject line text for your custom message.

Display Hostname

Specifies the device name.

Select the check box to display the hostname.

Allow Email

Specifies that a notification e-mail address must be allowed.

Select the check box to allow e-mail.

Administrator Email Address

Specifies the administrator e-mail address where notification is sent when a fallback error occurs.

Enter the administrator e-mail address.

Fallback Nonblock

Notify Mail Recipient

Specifies that the fallback nonblock notification is sent when a fallback e-mail option without a blocking action is triggered.

Select the Notify Mail Sender check box.

Custom Message

Specifies the customized message text for the fallback nonblock notification.

Enter the text for this custom notification message (if you are using one).

Custom Message Subject

Specifies the subject line for your custom message for the fallback nonblock notification.

Enter the subject line text for your custom message.

Virus Detection

Notification Type

Specifies the type of notification to be sent when a virus is detected.

Select Protocol Only or Message option.

Notify Mail Sender

Specifies whether or not a notification is sent to the virus-detection notification e-mail address when a virus is detected.

Select yes to send a notification and no to not send a notification.

Custom Message

Specifies the customized message text for the virus detection notification.

Enter the text for this custom notification message (if you are using one).

Custom Message Subject

Specifies the subject line text for your custom message for the virus detection notification.

Enter the subject line text for your custom message.

Web Filtering Configuration Page Options

  1. Select Configure>Security>UTM>Web Filtering in the J-Web user interface to display the Web Filtering configuration page.

The Web Filtering configuration page appears. Table 198 explains the contents of this page.

  2. Click one:
    • Global Options—Defines general specifications for a Web filtering configuration. Enter information as specified in Table 199.

      Note

Global Options are not enabled for logical systems users. They are enabled only for root users.

    • Add or +—Adds a new or duplicate Web filtering configuration. Enter information as specified in Table 200.

    • Edit or /—Edits the selected Web filtering configuration.

    • Delete or X—Deletes the selected Web filtering configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

To configure Web filtering using the J-Web Configuration editor with custom objects, you must first create the custom objects (URL pattern list, custom URL category list).

Note

In addition to custom object lists, you can use included default lists and whitelist and blacklist categories.

Configure a URL Pattern List Custom Object as follows:

Note

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the URL Pattern List tab, click Add to create URL pattern lists.

  3. Next to URL Pattern Name, enter a unique name for the list you are creating. This name appears in the Custom URL Category List Custom Object page for selection.

  4. Next to URL Pattern Value, enter the URL or IP address that you want to add to the list for bypassing scanning.

    Note

    URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?*, and you must precede all wildcard URLs with http://. You can only use “*” if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

    The following wildcard syntax is supported: http://*.juniper.net, http://www.juniper.ne?, http://www.juniper.n??. The following wildcard syntax is not supported: *.juniper.net, www.juniper.ne?, http://*juniper.net, http://*.

  5. Click Add to add your URL pattern to the Values list box.

    The list can contain up to 8192 items. You can also select an entry and use the Delete button to delete it from the list. Continue to add URLs or IP addresses in this manner.

  6. Click OK to save the selected values as part of the URL pattern list you have created.

  7. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
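The wildcard rules in the note at step 4 are easy to get wrong, so the following added Python example (not from the J-Web documentation or from Junos) validates URL pattern entries against those rules, matches URLs against valid patterns, and applies a constructed whitelist and blacklist. The matching semantics of `*` (any non-empty run of host characters, so nested subdomains also match) and `?` (exactly one character), the reduction of a URL to scheme://host before matching, and checking the whitelist before the blacklist are assumptions of this example, not statements from the documentation.

```python
import re

# Added example; not part of the J-Web documentation or Junos code.
# Assumptions (not stated in the documentation) are marked in comments.


def is_valid_pattern(pattern: str) -> bool:
    """Return True if `pattern` obeys the documented wildcard rules.

    Rules from the note: wildcard patterns must start with http://; '*' may
    appear only at the start of the host and must be followed by '.'; '?'
    may appear only at the end. A bare "http://*." is rejected because
    nothing follows the "*.".
    """
    has_wildcard = "*" in pattern or "?" in pattern
    if has_wildcard and not pattern.startswith("http://"):
        return False
    host_part = pattern[len("http://"):] if pattern.startswith("http://") else pattern
    if not host_part:
        return False
    # '*' only once, only as the first host character, and followed by '.'
    if "*" in host_part:
        if host_part.index("*") != 0 or host_part.count("*") != 1:
            return False
        if len(host_part) < 3 or host_part[1] != ".":
            return False
    # '?' only at the end: strip trailing '?', none may remain, and
    # something concrete must precede them
    body = host_part.rstrip("?")
    if "?" in body or body in ("", "*."):
        return False
    return True


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a valid pattern into a regular expression.

    Assumption: '*' matches one or more host characters (so nested
    subdomains also match) and '?' matches exactly one character.
    """
    if not is_valid_pattern(pattern):
        raise ValueError(f"invalid URL pattern: {pattern!r}")
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(r"[^/]+")
        elif ch == "?":
            pieces.append(r"[^/]")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces))


def _scheme_and_host(url: str) -> str:
    """Reduce a URL to scheme://host, dropping any path or query.

    Assumption: pattern entries describe the host, so only that portion
    of the requested URL is compared.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    return f"{scheme}://{rest.split('/', 1)[0]}"


def url_matches(pattern: str, url: str) -> bool:
    """True if `url` (reduced to scheme://host) matches `pattern` in full."""
    return pattern_to_regex(pattern).fullmatch(_scheme_and_host(url)) is not None


def classify_url(url: str, whitelist, blacklist) -> str:
    """Apply the lists in the assumed order: whitelist, then blacklist.

    A URL matching neither list would be sent on to the category server;
    that outcome is returned here as "server".
    """
    if any(url_matches(p, url) for p in whitelist):
        return "permit"
    if any(url_matches(p, url) for p in blacklist):
        return "block"
    return "server"


# Constructed sample lists (not from the documentation). The blacklist uses
# a reserved .example name so it never refers to a real site.
WHITELIST = ["http://*.juniper.net"]
BLACKLIST = ["http://*.blocked.example"]

if __name__ == "__main__":
    for p in ["http://*.juniper.net", "http://www.juniper.ne?",
              "*.juniper.net", "http://*juniper.net", "http://*."]:
        print(f"{p:24} valid={is_valid_pattern(p)}")
    for u in ["http://www.juniper.net/docs", "http://ads.blocked.example/x",
              "http://news.example"]:
        print(f"{u:32} -> {classify_url(u, WHITELIST, BLACKLIST)}")
```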

Configure a custom URL category list custom object as follows:

Note

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the URL Category List tab, click Add to create URL category lists.

  3. Next to URL Category Name, enter a unique name for the list you are creating. This name appears in the URL Whitelist, Blacklist, and Custom Category lists when you configure Web filtering global options.

  4. In the Available Values box, select a URL Pattern List name from the list for bypassing scanning, and click the right arrow button to move it to the Selected Values box.

  5. Click OK to save the selected values as part of the custom URL list you have created.

  6. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Now that your custom objects have been created, you can configure the integrated Web filtering feature profile.

Note

The following steps use the Surf Control Web filtering type. SRX1500 devices do not support the Surf Control Integrated option; on those devices, use Websense in place of Surf Control.

  1. Select Configure>Security>UTM>Global options.

  2. In the Web Filtering section, next to URL whitelist, select the custom URL list you created from the available options.

    This is the first filtering category that both integrated and redirect Web filtering use. If there is no match, the URL is sent to the SurfControl server.

    Note

    The SurfControl option is not supported on SRX1500 devices. For SRX1500 devices, the URL is sent to the Websense server.

  3. Next to URL blacklist, select the Custom URL list that you have created from the list.

    This is the first filtering category that both integrated and redirect Web filtering use. If there is no match, the URL is sent to the SurfControl server.

  4. In the Filtering Type section, select the type of Web filtering engine you are using.

    In this case, you would select Surf Control Integrated.

  5. In the SurfControl Integrated options section, next to Cache timeout, enter a timeout limit, in minutes, for expiring cache entries (24 hours is the default and the maximum allowed life span).

  6. Next to Cache Size, enter a size limit, in kilobytes, for the cache (500 KB is the default).

  7. Next to Server Host, enter the Surf Control server name or IP address.

  8. Next to Server Port, enter the port number for communicating with the Surf Control server (default ports are 80, 8080, and 8081).

  9. Click OK to save these values.

  10. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

  11. Select Web Filtering, under UTM, in the left pane.

  12. In Web filtering Profiles Configuration, click Add to create a profile for Surf Control Integrated Web filtering. (To edit an existing item, select it and click Edit.)

  13. In Profile name, enter a unique name for this Web filtering profile.

  14. Select the Profile Type. In this case, select Surf Control.

  15. Next to Default action, select Permit, Log and permit, or Block.

    This is the default action for this profile for requests that return errors.

  16. Next to Custom Block Message, enter a custom message to be sent when HTTP requests are blocked.

  17. Next to Timeout, enter a value in seconds.

    Once this limit is reached, fail mode settings are applied. The default limit here is 10 seconds. You can enter a value from 10 to 240 seconds.

  18. Next to Custom block message subject, enter text to appear in the subject line of your custom message for this block notification.

  19. Select the Fallback options tab.

  20. Next to Default, select Log and Permit or Block as the action to occur when a request fails for any reason not specifically called out.

  21. Next to Server Connectivity, select Log and Permit or Block as the action to occur when a request fails for this reason.

  22. Next to Timeout, select Log and Permit or Block as the action to occur when a request fails for this reason.

  23. Next to Too Many Requests, select Log and Permit or Block as the action to occur when a request fails for this reason.

  24. Click Save.

  25. Select Custom Objects, under UTM, in the left pane.

  26. Select the URL category list tab.

  27. In the custom URL category list section, click Add to use a configured custom URL category list custom object in the profile.

  28. Next to Categories, select a configured custom object from the list.

  29. Next to Actions, select Permit, Block, or Log and Permit from the list.

  30. Click Add.

  31. Click OK.

  32. If the configuration item is saved successfully, you receive a confirmation. Click OK. If it is not saved successfully, click Details in the pop-up window that appears to discover why.

Note

Next, you configure a UTM policy for Web filtering to which you attach the Web filtering profile you have configured.

  1. Select Configure>Security>Policy>UTM Policies.

  2. From the UTM policy configuration window, click Add to configure a UTM policy.

    The policy configuration pop-up window appears.

  3. Select the Main tab in pop-up window.

  4. In the Policy Name box, enter a unique name for the UTM policy that you create.

  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.

  6. For Session per client over limit, select one of the following: Log and Permit or Block. This is the action the device takes when the session per client limit for this UTM policy is exceeded.

  7. Select the Web Filtering profiles tab in the pop-up window.

  8. Next to HTTP profile, select the profile you have configured from the list.

  9. Click OK.

  10. If the policy is saved successfully, you receive a confirmation. Click OK. If the policy is not saved successfully, click Details in the pop-up window that appears to discover why.

Note

Next, you attach the UTM policy to a security policy that you create.

  1. Select Configure>Security>Policy>FW Policies.

  2. From the Security Policy window, click Add to configure a security policy with UTM.

    The policy configuration pop-up window appears.

  3. In the Policy tab, enter a name in the Policy Name box.

  4. Next to From Zone, select a zone from the list.

  5. Next to To Zone, select a zone from the list.

  6. Choose a Source Address.

  7. Choose a Destination Address.

  8. Choose an Application by selecting junos-<protocol> (for all protocols that support Web filtering; http in this case) in the Application Sets box and clicking the —> button to move it to the Matched box.

  9. Next to Policy Action, select one of the following: Permit, Deny, or Reject.

    Note

    When you select Permit for Policy Action, several additional fields become available in the Applications Services tab, including UTM Policy.

  10. Select the Application Services tab in the pop-up window.

  11. Next to UTM Policy, select the appropriate policy from the list.

    This attaches your UTM policy to the security policy.

    Note

    There are several fields on this page that are not described in this section. See the section on Security Policies for detailed information on configuring security policies and all the available fields.

  12. Click OK.

  13. If the policy is saved successfully, you receive a confirmation. Click OK. If the policy is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Table 198: Web Filtering Configuration Page

Field

Function

Profile Name

Displays the unique name of the Web filtering profile.

Profile Type

Displays the profile type selected.

Account

Displays the user account for which this profile is intended.

Server

Displays the server name.

Timeout

Displays the timeout interval.

Table 199: Global Options Web Filtering Configuration Details

Field

Function

Action

URL Whitelist

Specifies a unique customized list of all URLs or IP addresses for a given category that are to be bypassed for scanning.

Select the customized object from the list.

URL Blacklist

Specifies a unique customized list of all URLs or IP addresses for a given category that are scanned for blacklisting.

Select the customized object from the list.

Filtering Type

Surf Control Integrated

Specifies that the Surf Control CPA server intercepts every HTTP request in a TCP connection. The decision making is done on the device after it identifies a category for a URL either from user-defined categories or from the Surf Control category server.

Note: This option is not supported on SRX1500 devices.

Select this option to choose this type of Web filtering engine.

Websense Redirect

Specifies that the Web filtering module intercepts an HTTP request. The URL in the request is then sent to the external Websense server which makes a permit or a deny decision.

Select this option to choose this type of Web filtering engine.

Local

Specifies that the Web filtering module intercepts URLs and makes a permit/deny decision locally.

Select this option to choose this type of Web filtering engine.

Juniper Enhanced

Specifies that the Juniper Enhanced Web filtering intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC).

Select this option to choose this type of Web filtering engine.

The Juniper Enhanced Options section and its parameters are displayed.

Juniper Enhanced Options

The following options are displayed only if you have selected Juniper Enhanced as the Filtering type.

Cache timeout (mins)

Specifies the time interval to wait before the cache is cleared.

Enter or select the time using the up/down arrow.

Cache size (kb)

Specifies the size of the cache memory that must be provisioned.

Enter the size of cache to be provisioned in kilobytes. You can also select a size using the up/down arrow.

Server host

Specifies the address of the host server.

Enter the address of the host server.

Server port

Specifies the port number of the server that is used for communication.

Enter the port number or select using the up/down arrow.

Reputation Level

Specifies the reputation thresholds at which the device takes the configured action (permit, log and permit, or block) when a site's reputation score reaches the level that you have defined.

Move each of the four sliders to the desired level or number. Each slider is named (A to D) and represents the following degree of assessment, with the recommended range in parentheses.

A: Very Safe (90-100)

B: Moderately Safe (80-89)

C: Fairly Safe (70-79)

D: Suspicious (58-69)

E: Harmful (1-57). This level is not represented as a slider.

Click Reset to position the slider to the recommended levels.

Table 200: Add Web Filtering Configuration Details

Field

Function

Action

Main

Profile Name

Displays the unique name of the Web filtering profile.

Enter a unique name for the Web filtering profile.

Note: The profile name should not be longer than 29 characters.

Profile Type

Displays the profile type based on the Filtering Type selected. The options available are:

  • Websense—Select this option to use the Websense profile type.

  • Surf Control—Select this option to use Surf Control profile type.

  • Local—Select this option to use the Local profile type.

  • Juniper-Enhanced—Select this option to use the Juniper-Enhanced profile type.

Select an option.

Account

Displays the user account for which this profile is intended.

Enter a user account name.

Server

Displays the server name.

Enter the server name.

Port

Displays the port number used to communicate with the server.

Enter the port number.

Sockets

Displays the number of sockets used for communicating between the client and server.

Enter the number of sockets.

Default Action

Displays the default action to be taken for Web filtering. The options available are:

  • Permit—Permits access to content.

  • Log and Permit—Logs details of the URL and permits access to content.

  • Block—Blocks access to content.

Select an option.

Timeout

Specifies the time interval to wait before the connection to the server is closed.

Type the interval in seconds.

Safe Search

Displays the search results based on the option selected.

A safe-search solution is used to ensure that the embedded objects such as images on the URLs received from the search engines are safe and that no undesirable content is returned to the client.

Safe-search is applicable to juniper-enhanced Web filtering type only.

Select this option to choose this type of search.

No Safe Search

Specifies that safe search is not performed for the Juniper Enhanced filtering type.

Select this option to choose this type of search.

Base Filter

Specifies the base filter that is attached to the profile. Every category has a default action in a base filter. For categories that are not configured in the profile, the base filter's action is applied.

Select the base filter from the drop down list.

Custom Block Message

Specifies the customized block message to be displayed when content is blocked.

Enter a message to be displayed when content is blocked.

Note: The fields Account, Server, Port, and Sockets are displayed only when you select Websense-Redirect filtering type on the Global Configuration page.

Fallback Options

Default

Specifies all errors other than the categorized settings. These could include either unhandled system exceptions (internal errors) or other unknown errors. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Server Connectivity

Specifies that the server connection is not established during certain processes, for example, while the signature database is loading. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Timeout

Specifies that if the time taken to scan exceeds the timeout setting in the Web filtering profile, the processing is aborted and the content is passed or blocked without completing filtering. The decision is made based on the timeout fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Too Many Requests

Specifies that if the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-request fallback option. The available actions are block or log-and-permit.

Select Log and Permit. The default action is Log and Permit.

Site Reputation Action

Very Safe

Specifies that the device must take appropriate action (permit, log and permit, or block) if the site reputation reaches the % score that is defined by you. If you have not defined the percentage, the default score is 90 through 100.

Enter the percentage value in the % field.

Select Permit, Log and Permit, or Block.

Moderately Safe

Specifies that the device must take appropriate action (permit, log and permit, or block) if the site reputation reaches the % score that is defined by you. If you have not defined the percentage, the default score is 80 through 89.

Enter the percentage value in the % field.

Select Permit, Log and Permit, or Block.

Fairly Safe

Specifies that the device must take appropriate action (permit, log and permit, or block) if the site reputation reaches the % score that is defined by you. If you have not defined the percentage, the default score is 70 through 79.

Enter the percentage value in the % field.

Select Permit, Log and Permit, or Block.

Suspicious

Specifies that the device must take appropriate action (permit, log and permit, or block) if the site reputation reaches the % score that is defined by you. If you have not defined the percentage, the default score is 60 through 69.

Enter the percentage value in the % field.

Select Permit, Log and Permit, or Block.

Harmful

Specifies that the device must take appropriate action (permit, log and permit, or block) if the site reputation reaches the % score that is defined by you. If you have not defined the percentage, the default score is 0 through 59.

Enter the percentage value in the % field.

Select Permit, Log and Permit, or Block.

URL Category Action List

Categories

Specifies a unique customized list of categories.

  • Add—Adds the selected category and the corresponding action to the list of available categories for the Juniper Enhanced Web Filtering profile.

  • Delete—Deletes the selected category from the list of available categories for the Juniper Enhanced Web Filtering profile.

Select a category from the list.

Action

Specifies the action that the device must take for the category selected.

Select Permit, Log and Permit, or Block.
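The J-Web fields above map onto a Juniper Enhanced Web Filtering profile in the Junos CLI. The following set statements are an added example, not configuration taken from this page: the profile name ewf-default, the 15-second timeout, the per-tier actions and the two category names are chosen here for illustration (a category must exist in your installed EWF category package), and the statements follow the Junos UTM hierarchy as the editor knows it, so confirm them against your release with CLI `?` completion. The % thresholds of the reputation tiers are left at the defaults the table quotes (90-100, 80-89, 70-79, 60-69, 0-59).

```junos
# Added example: EWF profile equivalent to the J-Web fields above; ewf-default and the values are placeholders
# On newer releases the "type" statement lives under "security utm default-configuration web-filtering"
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default timeout 15
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default default log-and-permit
# Fallback Options: the action taken when no verdict can be reached (server unreachable, timeout, overload)
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default fallback-settings server-connectivity log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default fallback-settings timeout log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default fallback-settings too-many-requests log-and-permit
# Site Reputation Action: one action per tier, thresholds left at their defaults
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default site-reputation-action very-safe permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default site-reputation-action moderately-safe permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default site-reputation-action fairly-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default site-reputation-action suspicious log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default site-reputation-action harmful block
# URL Category Action List: the category names must exist in the installed EWF category package
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category Enhanced_Malicious_Web_Sites action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-default category Enhanced_Phishing action block
```

Note that a log-and-permit fallback fails open: when the category lookup times out or the device is saturated, the request is passed with only a log entry. That is the J-Web default and often the right availability trade-off, but a profile protecting a sensitive segment may prefer block for too-many-requests, and in either case the fallback log messages are worth alerting on, because a sustained fallback condition means the filter is effectively off.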

Category Update Configuration Page Options

The Category Update page enables you to download and install a new Juniper Enhanced Web Filtering category. You can either set up an automatic download or perform a manual download and installation of the new category. You can also check for the latest version of the categories available or uninstall an existing category.

  1. Select Configure>Security>UTM>Category Update in the J-Web user interface to display the installed UTM category or to download and install a new UTM category.

    The Category Update page appears.

    The installed version number is displayed in the top left corner of the page. Next to it, the download and installation status is displayed when you download and install a profile.

  2. Click one:
    • Install—Installs the already downloaded category.

    • Uninstall—Enables you to uninstall the existing category. The Uninstall link appears only when there is an installed version.

      Note

      You cannot uninstall the category that is being used in web filtering profiles.

      You cannot uninstall a category if its base filters are being used in web filtering profiles.

      You cannot install or uninstall if a commit is pending.

    • Check Latest—Opens a new browser page and displays the latest list of EWF category files.

    • Download—Enables you to download and install the latest Juniper Enhanced Web Filtering (EWF) category file. See Table 201 for available options.

    • Search icon—Enables you to search a category by name by using the search icon in the installed version row or by base filter by using the search icon in the Base Filters band.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

Table 201: Category Download Options

Field

Function

Download

Click Download. The Manually Download window opens and displays the available versions. You can check the available version by clicking the URL.

Version—You can choose the latest version or select the version number that you want to download.

Download and Install

Click Download and Install. The Manually Download and Install window opens and displays the available versions. You can check the available version by clicking the URL.

Version—You can choose the latest version or select the version number that you want to download and install.

Auto Download and Install

Click Auto Download and Install to enable J-Web to automatically check for a newer version of the UTM category, download it if one is found, and install it on your device. The Auto Download Settings window is displayed.

Select Download On to enter the following details.

  • URL—URL from where you download the category.

  • Interval time—Interval at which J-Web checks for, downloads, and installs the category file.

  • Start time—Start date and time to initiate automatic download and installation process.

Select Download Off to turn off the Auto Download and Install feature.

Category Name—Lists the installed category names. A UTM EWF license is required to install categories. If no license is installed, you can launch License Management from this page. Once a license is installed, the default Web Filtering categories that ship with the software are displayed initially.

Base Filters—Lists the categories for the selected base filter. By default, no base filters are listed. Base filters are listed once the categories are downloaded and installed on the device.

Antispam Configuration Page Options

  1. Select Configure>Security>UTM>Anti-Spam.

    The Antispam configuration page appears. Table 202 explains the contents of this page.

  2. Click one:
    • Global Options—Defines general specifications for antispam configuration. Enter information as specified in Table 203.

    • Add or +—Adds a new or duplicate antispam profile configuration. Enter information as specified in Table 204.

    • Edit or /—Edits the selected antispam configuration.

    • Delete or X—Deletes the selected antispam configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 202: Antispam Configuration Page

Field

Function

Profile Name

Displays the unique name of the antispam profile.

Profile Type

Displays the profile type selected.

Custom Tag String

Displays the custom string used to identify a spam message.

Action

Displays the default action selected.

Table 203: Global Options Antispam Configuration Details

Field

Function

Action

Address Whitelist

Specifies the comprehensive list of MIME types that can bypass antivirus scanning.

Select the customized object from the list.

Address Blacklist

Specifies a list of MIME types to be excluded from the whitelist. The exception MIME whitelist is a subset of MIME types found in the MIME whitelist.

Select the customized object from the list.

Table 204: Add Antispam Configuration Details

Field

Function

Action

Main

Profile Name

Specifies a unique name for the antivirus profile.

Enter a unique name for the antispam profile.

Default SBL Server

Specifies that the profile uses the SBL server. The SBL server is predefined on the device, which ships with the name and address of the Symantec SBL server preloaded. If you do not select this check box, server-based spam filtering is disabled. Disable this function if you are using only local lists or if you do not have a license for server-based spam filtering.

Select the check box if you are using the default server.

Custom Tag String

Specifies the custom string that is used to identify a spam message.

Enter a custom string for identifying a message as spam. By default, the device uses ***SPAM***.

Default Action

Specifies the option to be taken when a spam message is detected. The options available are:

  • Tag Subject—Adds the custom string at the beginning of the subject of the e-mail.

  • Block email—Blocks the spam e-mail.

  • Tag Header—Adds the custom string to the e-mail header.

Select an option.
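The antispam profile of Table 204 and the address lists of Table 203, expressed as Junos CLI set statements. This is an added example rather than text from the page: the profile name as-default, the list names, the documentation-range IP address and the example.net host are placeholders, and the statements follow the Junos anti-spam hierarchy as the editor knows it.

```junos
# Added example: server-based antispam profile (Table 204); as-default and the list values are placeholders
set security utm feature-profile anti-spam sbl profile as-default sbl-default-server
set security utm feature-profile anti-spam sbl profile as-default spam-action tag-subject
set security utm feature-profile anti-spam sbl profile as-default custom-tag-string "***SPAM***"
# Address Whitelist / Blacklist (Table 203) are url-pattern custom objects holding IPs or hostnames
set security utm custom-objects url-pattern as-whitelist value 192.0.2.25
set security utm custom-objects url-pattern as-blacklist value mail.example.net
set security utm feature-profile anti-spam address-whitelist as-whitelist
set security utm feature-profile anti-spam address-blacklist as-blacklist
# A profile that relies on local lists only (no SBL license) clears the check box, which is:
# set security utm feature-profile anti-spam sbl profile as-local no-sbl-default-server
```

In Junos the local lists are consulted before the SBL lookup, so a whitelisted sender is never sent to the server and a blacklisted one is tagged or blocked regardless of its reputation; keep the whitelist short and reviewed, since every entry is a permanent bypass of the server-based check.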

Content Filtering Configuration Page Options

  1. Select Configure>Security>UTM>Content Filtering.

    The Content Filtering configuration page appears. Table 205 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate content-filtering profile configuration. Enter information as specified in Table 206.

    • Edit or /—Edits the selected content-filtering configuration.

    • Delete or X—Deletes the selected content-filtering configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 205: Content Filtering Configuration Page

Field

Function

Profile Name

Displays the unique name of the antispam profile.

Permit Command List

Displays the permitted protocol command name.

Block Command List

Displays the blocked protocol command.

Notification Options Type

Displays the notification type opted.

Table 206: Add Content Filtering Configuration Details

Field

Function

Action

Main

Profile Name

Specifies a unique name for the antivirus profile.

Enter a unique name for the antispam profile.

Permit Command List

Specifies the permitted protocol command.

Select the protocol command name to be permitted from the list.

Block Command List

Specifies the blocked protocol command name. By blocking certain commands, traffic can be controlled on the protocol command level.

Select the protocol command name to be blocked from the list.

Block Extension List

Specifies the blocked extension list name.

Select the extension to be blocked from the list.

Block MIME List

Specifies the blocked MIME.

Select the MIME type from the list.

Block MIME Exception List

Specifies the blocked MIME list.

Select the MIME type to be excluded from the list.

Block Content Type

Specifies the blocked content type.

Select the content type to be blocked.

Notification Options

Notification Type

Specifies the type of notification sent when a content block is triggered.

Select the Protocol Only or the Message check box.

Notification Mail Sender

Specifies that when a virus is detected and a content block is triggered, an e-mail is sent to the administrator.

Select the Notify Mail Sender check box.

Custom Notification Message

Specifies the customized message text for the content-block notification.

Enter the text for this custom notification message (if you are using one).

Custom Objects Configuration Page Options

  1. Select Configure>Security>UTM>Custom Objects.

    The Custom Objects configuration page appears. Table 207 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate custom objects configuration. Enter information as specified in Table 208.

    • Edit or /—Edits the selected custom objects configuration.

    • Delete or X—Deletes the selected custom objects configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 207: Custom Objects Configuration Page

Field

Function

MIME Pattern List

Name

Displays the user-defined name or a predefined MIME pattern name.

Value

Displays the user-defined value or a predefined MIME pattern value.

Filename Extension List

Name

Displays the user-defined name or a predefined file extension name.

Value

Displays the user-defined value or a predefined file extension value.

Protocol Command List

Name

Displays only user-defined protocol command names.

Value

Displays only user-defined protocol command values.

URL Pattern List

Name

Displays only user-defined URL pattern names.

Value

Displays only user-defined URL pattern values.

URL Category List

Name

Displays only predefined URL categories.

Value

Displays only predefined URL categories from the SurfControl server. You can also configure URLs. The URLs configured in the URL pattern list are displayed here.

Custom Message List

The Custom Message List displays the custom messages that you have created and the type of action each one takes. It enables you to create a block message or URL, or a quarantine message or URL, for each category.

Name

Displays the name of the custom message that you have created.

Type

Displays the type of custom message. It is either Redirect-URL or User Message.

Content

Displays the content of the custom message. It is either a user message or an URL to be redirected to.

Table 208: Add Custom Objects Configuration Details

Field

Function

Action

MIME Pattern List

Add MIME Pattern

MIME Pattern Name

Displays the user-defined name or a predefined MIME pattern name.

Enter a MIME pattern name.

MIME Pattern Value

Displays the user-defined pattern value or a predefined MIME pattern value.

The options available are:

  • Delete—Deletes the selected MIME pattern value.

  • Add—Adds the selected MIME pattern value.

Select an option.

Filename Extension List
Add File Extension

File Extension Name

Displays the user-defined name or a predefined file extension name.

Enter a file extension name.

Available Values

Displays the user-defined value or a predefined file extension value.

Select a value to associate it with the file extension name.

Protocol Command List
Add Protocol Command

Protocol Command Name

Displays only user-defined protocol command names.

Enter a protocol command name.

Protocol Command Value

Displays only user-defined protocol command values.

The options available are:

  • Delete—Deletes the selected protocol command value.

  • Add—Adds the selected protocol command value.

Select an option.

URL Pattern List
 
Add URL Pattern

URL Pattern Name

Displays only user-defined URL pattern names.

Enter a URL pattern name.

URL Pattern Value

Displays only user-defined URL pattern values.

The options available are:

  • Delete—Deletes the selected URL pattern value.

  • Add—Adds the selected URL pattern value.

Select an option.

URL Category List
Add URL Category

URL Category Name

Displays only predefined URL categories.

Enter a URL category name.

Available Values

Displays only predefined URL categories from the SurfControl server. You can also configure URLs. The URLs configured in the URL pattern list are displayed here.

Select a value to associate it with the URL category name.
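Custom objects (Table 208) exist only to be referenced by feature profiles, and the Content Filtering profile of Table 206 is their main consumer. The set statements below are an added example, not taken from the page, tying the two pages together: every object and profile name, the MIME types, file extensions, FTP commands and message text are placeholders, and the statements follow the Junos UTM hierarchy as the editor knows it.

```junos
# Added example: custom objects (Table 208) consumed by a content-filtering profile (Table 206); all names are placeholders
set security utm custom-objects mime-pattern cf-block-mime value video/
set security utm custom-objects mime-pattern cf-block-mime value application/x-msdownload
set security utm custom-objects mime-pattern cf-mime-except value video/mp4
set security utm custom-objects filename-extension cf-block-ext value exe
set security utm custom-objects filename-extension cf-block-ext value scr
set security utm custom-objects protocol-command cf-block-cmd value STOR
set security utm custom-objects protocol-command cf-permit-cmd value RETR
# URL pattern, URL category and custom message objects are consumed by web-filtering profiles
set security utm custom-objects url-pattern url-corp value www.example.com
set security utm custom-objects custom-url-category cat-corp value url-corp
set security utm custom-objects custom-message cf-blocked type user-message content "Transfer blocked by content-filtering policy"
# Content-filtering profile: the block-mime exception list must be a subset of the block-mime list
set security utm feature-profile content-filtering profile cf-default permit-command cf-permit-cmd
set security utm feature-profile content-filtering profile cf-default block-command cf-block-cmd
set security utm feature-profile content-filtering profile cf-default block-extension cf-block-ext
set security utm feature-profile content-filtering profile cf-default block-mime list cf-block-mime
set security utm feature-profile content-filtering profile cf-default block-mime exception cf-mime-except
set security utm feature-profile content-filtering profile cf-default block-content-type exe
set security utm feature-profile content-filtering profile cf-default block-content-type java-applet
# Notification Options (Table 206)
set security utm feature-profile content-filtering profile cf-default notification-options type message
set security utm feature-profile content-filtering profile cf-default notification-options notify-mail-sender
set security utm feature-profile content-filtering profile cf-default notification-options custom-message "Transfer blocked by content-filtering policy"
```

Extension and MIME lists are matched against what the client or server declares, so they are a policy control rather than a malware control; block-content-type inspects the file itself and is the one to rely on for executables, with antivirus scanning behind it.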

UTM Policies Configuration Page Options

  1. Select Configure>Security>Policy>Define UTM Policy.

    The UTM policy configuration page appears. Table 209 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate UTM policy configuration. Enter information as specified in Table 210.

    • Edit or /—Edits the selected UTM policy configuration.

    • Delete or X—Deletes the selected UTM policy configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 209: UTM Policy Configuration Page

Field

Function

UTM policy name

Displays the UTM policy name.

Anti-Virus

Displays the Anti-Virus profile.

Anti-Spam

Displays the Anti-Spam profile.

Web filtering

Displays the Web filtering profile.

Content filtering

Displays the content filtering profiles.

Table 210: Add UTM Policy Configuration Details

Field

Function

Action

Main

Policy name

Specifies the UTM policy name.

Enter a UTM policy name.

Session per client limit

Specifies the session per client limit.

Enter a value from 0 through 20000.

Session per client over limit

Specifies the session per client over limit. The options available are:

  • Log and permit

  • Block

Select an option.

Anti-Virus profiles

HTTP profile

Specifies the UTM policy for the HTTP protocol to be scanned.

Select the check box.

FTP upload profile

Specifies the UTM policy for the FTP protocol to be scanned.

Select the check box.

FTP download profile

Specifies the UTM policy for the FTP protocol to be scanned.

Select the check box.

IMAP profile

Specifies the UTM policy for the IMAP protocol to be scanned.

Select the check box.

SMTP profile

Specifies the UTM policy for the SMTP protocol to be scanned.

Select the check box.

POP3 profile

Specifies the UTM policy for the POP3 protocol to be scanned.

Select the check box.

Web filtering profiles

HTTP profile

Specifies the UTM policy for the HTTP protocol to be scanned.

Select an option from the list.

Anti-Spam profiles

SMTP profile

Specifies the UTM policy for the SMTP protocol to be scanned.

Select an option from the list.

Content filtering profiles

HTTP profile

Specifies the UTM policy for the HTTP protocol to be scanned.

Select an option from the list.

FTP upload profile

Specifies the UTM policy for the FTP protocol to be scanned.

Select an option from the list.

FTP download profile

Specifies the UTM policy for the FTP protocol to be scanned.

Select an option from the list.

IMAP profile

Specifies the UTM policy for the IMAP protocol to be scanned.

Select an option from the list.

SMTP profile

Specifies the UTM policy for the SMTP protocol to be scanned.

Select an option from the list.

POP3 profile

Specifies the UTM policy for the POP3 protocol to be scanned.

Select an option from the list.
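A UTM policy (Table 210) binds feature profiles to protocols, and it then has to be referenced from a security policy rule before any traffic is inspected; the Rules page described at the start of this section does that binding under the rule's application services. The set statements below are an added example, not from the page: the policy name utm-branch, the rule and zone names, and the profile names av-default, ewf-default, as-default and cf-default are placeholders for profiles assumed to be configured already, and the statements follow the Junos hierarchy as the editor knows it.

```junos
# Added example: UTM policy (Table 210) plus the security policy rule that applies it; all names are placeholders
set security utm utm-policy utm-branch anti-virus http-profile av-default
set security utm utm-policy utm-branch anti-virus ftp upload-profile av-default
set security utm utm-policy utm-branch anti-virus ftp download-profile av-default
set security utm utm-policy utm-branch anti-virus imap-profile av-default
set security utm utm-policy utm-branch anti-virus smtp-profile av-default
set security utm utm-policy utm-branch anti-virus pop3-profile av-default
set security utm utm-policy utm-branch web-filtering http-profile ewf-default
set security utm utm-policy utm-branch anti-spam smtp-profile as-default
set security utm utm-policy utm-branch content-filtering http-profile cf-default
set security utm utm-policy utm-branch content-filtering ftp upload-profile cf-default
set security utm utm-policy utm-branch content-filtering ftp download-profile cf-default
# Session per client limit (0 through 20000 per Table 210) and the over-limit action
set security utm utm-policy utm-branch traffic-options sessions-per-client limit 2000
set security utm utm-policy utm-branch traffic-options sessions-per-client over-limit log-and-permit
# Nothing is inspected until a security policy rule permits traffic with this UTM policy attached
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-ftp
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy utm-branch
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
```

With over-limit set to log-and-permit, a client that exceeds the session limit keeps working but its excess sessions pass without UTM processing and are only logged; block is the fail-closed choice. Whichever you pick, the over-limit log messages should feed an alert, since a client hitting the limit is either misbehaving or has silently lost inspection.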

IPS

Signature Update Configuration Page Options

  1. Select Configure>Security>IDP>Signature Update in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPS>Signature Update in the J-Web user interface.

    The Signature Update configuration page appears. Table 211 explains the contents of this page.

  2. Click one:
    • Download—Downloads the latest available version of the signature database from the security server. Enter information as specified in Table 212.

    • Install— Installs the selected signature. Enter information as specified in Table 213.

    • Check Status—Checks the install and download status of the signature. Table 214 explains the contents of this page.

    • Download Setting—Sets the URL for automatic download. Enter information as specified in Table 215.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 211: Signature Update Configuration Page

Field

Function

Name

Displays the field values for install or download operation.

Value

Displays the install or download status of the operation.

Table 212: Download Configuration Page

Field

Function

Action

Security Package Manual Download

Download

Downloads the existing signature database.

Click Download on the task bar.

URL

Specifies the predefined default URL used by the device to download the signature database.

Select the URL from the list.

Version

Specifies the version number of the security package from the portal.

Select the version from the list.

Full Package

Enables the device to download the latest security package with the full set of attack signature tables from the portal.

Select the check box.

Table 213: Install Configuration Page

Field

Function

Action

Security Package Manual Installation

Install

Installs the existing signature database.

Click Install on the task bar.

Do not set to active after installed

Specifies whether or not to activate the installed security package.

Select the check box.

Table 214: Check Status Options

Field

Function

Action

Check Status

Download Status

Shows the security package download status in the message box.

Select Download Status from the Check Status list.

Install Status

Shows the security package install status in the message box.

Select Install Status from the Check Status list.

Table 215: Download Setting Configuration Page

Field

Function

Action

Security Package Automatic Download

Download Setting

Sets the parameters of automatic download.

Click Download Setting.

URL Setting

Specifies the predefined default URL used by the device to download the signature database.

Click URL Setting and type a URL.

Note: The URL configured in the URL Setting window is displayed by default in the Download window.

Auto Download Setting

Interval

Specifies the time interval for automatic download.

Enter an integer.

Start Time

Specifies that the latest policy templates are to be installed from the portal.

Enter a time value in MM-DD.hh:mm format.

Enable Schedule Update

Enables the auto-download settings feature.

Select the check box to activate automatic download settings.

Reset Setting

Resets the values configured in this tab.

Select the check box to reset the values.
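The controls in Tables 212 through 215 correspond to Junos operational commands for the manual path and the security-package configuration stanza for the automatic one. The block below is an added example, not text from this page: the version number, interval and start time are placeholders, the URL is the Juniper signature portal the CLI uses by default, and the syntax is the Junos IDP syntax as the editor knows it (the CLI start-time takes a full date, where the J-Web field of Table 215 takes MM-DD.hh:mm).

```junos
# Added example: manual download and install (Tables 212 through 214); operational mode
request security idp security-package download
request security idp security-package download full-update
request security idp security-package download version 3400
request security idp security-package download check-status
request security idp security-package install
request security idp security-package install check-status
show security idp security-package-version
# Automatic download (Table 215); configuration mode. 3400 above, the interval and the start time are placeholders.
set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
set security idp security-package automatic interval 48
set security idp security-package automatic start-time "2025-01-15.02:00:00"
set security idp security-package automatic enable
```

Download only fetches the package; the device keeps enforcing the previously installed database until the install step completes, so a scheduled download is not a scheduled protection update unless the install status is checked and found successful. The portal URL is fetched over HTTPS; if you point it at an internal mirror, keep the transport authenticated, because the signature package is executable policy for the sensor.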

Sensor Configuration Page Options

  1. Select Configure>Security>IDP>Sensor in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPS>Sensor in the J-Web user interface.

    The Sensor configuration page appears. explains the contents of this page.

  2. Click one:
    • Add or +—Adds the detector configuration. Enter information as specified in Table 216.

    • Edit or /—Updates the existing detector configuration.

    • Delete or X—Deletes the existing detector configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 216: Configuring IDP Sensor Configuration Page

Field

Function

Action

Basic
IPS  

Minimum Log Supercade

Specifies the minimum number of logs to trigger the signature hierarchy feature.

Enter an integer.

LOG  

Cache Size

Specifies the size of the cache memory (MB) where IDP stores log records.

Enter an integer.

Disable Suppression

Specifies if the log suppression has to be disabled.

Click the check box.

Include Destination Address

Specifies to combine log records for events with a matching source address.

Select an option from the list.

Max Logs Operate

Specifies the maximum number of logs on which log suppression can operate. IDP can operate on 16,384 log records by default.

Enter an integer.

Max Time Report

Specifies the time (seconds) after which suppressed logs will be reported. IDP reports suppressed logs after 5 seconds by default.

Enter an integer.

Start Log

Specifies the number of log occurrences after which log suppression begins. Log suppression begins with the first occurrence by default.

Enter an integer.

Reassembler  

Ignore Memory Overflow

Specifies if the user has to allow per-flow memory to go out of limit.

Select an option from the list.

Ignore Reassembly Memory Overflow

Specifies if the user has to allow per-flow reassembly memory to go out of limit.

Select an option from the list.

Max Flow Memory

Specifies maximum per-flow memory for TCP reassembly in kilobytes.

Enter an integer.

Max Packet Memory

Specifies maximum packet memory for TCP reassembly in kilobytes.

Enter an integer.

Advanced 

Select Advanced, click Edit, and update the following fields.

IDP Flow  

Allow ICMP Without Flow

Specifies if ICMP has to be allowed without flow.

Select an option from the list.

Log Errors

Specifies if the flow errors have to be logged.

Select an option from the list.

Flow FIFO Max Size

Specifies the maximum FIFO size. The default value is 1.

Enter a value.

Hash Table Size

Specifies the hash table size. The default value is 1024.

Enter a value.

Max Timers Poll Ticks

Specifies the maximum amount of time at which the timer ticks at a regular interval.

Enter a value.

Reject Timeout

Specifies the amount of time in milliseconds within which a response must be received.

Enter a value.

UDP Anticipated Timeout

Specifies the amount of time in milliseconds within which a UDP response must be received.

Enter a value.

Global  

Enable All Qmodules

Specifies if all the qmodules of the global rulebase IDP security policy are enabled.

Select an option from the list.

Enable Packet Pool

Specifies if the packet pool is enabled to be used when the current pool is exhausted.

Select an option from the list.

Policy Lookup Cache

Specifies if the cache is enabled to accelerate IDP policy lookup.

Select an option from the list.

GTP Decapsulation

Specifies whether GPRS tunneling protocol (GTP) packets are decapsulated.

Select an option from the list.

Memory Limit Percent

Limits IDP memory usage to this percentage of available memory.

Enter a value.

IPS  

Detect Shellcode

Specifies if shellcode detection has to be applied.

Select an option from the list.

Ignore Regular Expression

Specifies if the sensor has to bypass DFA and PCRE matching.

Select an option from the list.

Process Ignore Server-to-Client

Specifies if the sensor has to bypass IPS processing for server-to-client flows.

Select an option from the list.

Process Override

Specifies if the sensor has to execute protocol decoders even without an IDP policy.

Select an option from the list.

Process Port

Specifies a port on which the sensor executes protocol decoders.

Enter an integer.

IPS FIFO Max Size

Specifies the maximum allocated size of the IPS FIFO.

Enter an integer.

Detector

Protocol

Specifies the name of the protocol to enable or disable the detector.

Select the name of the protocol from the list.

Tunable Name

Specifies the name of the tunable parameter to enable or disable the protocol detector for each of the services.

Select the name of the specific tunable parameter from the list.

Tunable Value

Specifies the value of the tunable parameter to enable or disable the protocol detector for each of the services.

Enter the protocol value of the specific tunable parameter.
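The sensor settings of Table 216 are the statements under security idp sensor-configuration. The block below is an added example, not from the page: the numeric values are the defaults the table quotes where it quotes them (16,384 logs, 5 seconds, first occurrence, hash table 1024) and placeholders elsewhere, and the statement names follow the Junos IDP hierarchy as the editor knows it. The detector tunable is left as a commented placeholder because tunable names depend on the installed detector.

```junos
# Added example: IDP sensor configuration mirroring Table 216; values not quoted in the table are placeholders
# Basic > LOG: cache size in MB and log suppression
set security idp sensor-configuration log cache-size 32
set security idp sensor-configuration log suppression include-destination-address
set security idp sensor-configuration log suppression max-logs-operate 16384
set security idp sensor-configuration log suppression max-time-report 5
set security idp sensor-configuration log suppression start-log 1
# Basic > IPS: Minimum Log Supercade
set security idp sensor-configuration ips log-supercede-min 1
# Basic > Reassembler: per-flow and packet memory for TCP reassembly, in kilobytes
set security idp sensor-configuration re-assembler max-flow-memory 1024
set security idp sensor-configuration re-assembler max-packet-memory 32768
# Advanced > IDP Flow
set security idp sensor-configuration flow log-errors
set security idp sensor-configuration flow hash-table-size 1024
# Advanced > Global
set security idp sensor-configuration global policy-lookup-cache
set security idp sensor-configuration global memory-limit-percent 50
# Advanced > IPS: shellcode detection stays on; Ignore Regular Expression and Process Ignore
# Server-to-Client trade detection coverage for throughput and are deliberately not set here
set security idp sensor-configuration ips detect-shellcode
# Detector tunable (placeholder names; the valid tunable names come from the installed detector)
# set security idp sensor-configuration detector protocol-name HTTP tunable-name <tunable-name> tunable-value <value>
```

Log suppression is the setting most often misread during an incident: with the defaults above, repeated hits on the same attack and source within the report window are collapsed into one record with a count, so a low event count in the log viewer does not mean a low number of attack packets.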

IDP Policies Configuration Page Options

  1. Select Configure>Security>IPS>Policy in the J-Web user interface.

    The IDP Policy configuration page appears. Table 217 explains the contents of this page.

    Note

    IDP policies that are created by root users in root-logical-system are not displayed in security profile advanced settings if you have logged in as a logical system user.

    The IPS Signature Package version and IPS Policy Status—Displays the version of the IPS signature database and its status, that is, whether or not it is published.

  2. Click the following:
    • Template—Downloads, installs, and loads a template. Enter information as specified in Table 218.

      Note

      The Template option is available only for root users. It is not available for logical system users.

  3. Click the following:
    • Check Status—Checks download or install status. Enter information as specified in Table 219.

      Note

      The Check Status option is available only for root users. It is not available for logical system users.

  4. Set Default—Sets the selected IPS policy from the policy list as the default policy. Once you set it as default, (default-policy) is displayed next to the policy name.
  5. Click one:
    • Add or +—Adds a new or duplicate IDP policy configuration. Enter information as specified in Table 220.

    • Edit or /—Edits the selected IDP policy configuration.

    • Delete or X—Deletes the selected IDP policy configuration.

  6. Click the following:
    • Clone—Clones or copies a policy. Select a record in the Policy List. Enter information as specified in Table 221.

  7. Click Activate to validate and activate the configuration.

    Note

    Starting Junos OS Release 18.2R1, Activate is unavailable.

  8. Click Deactivate to remove the IDP active policy from the configuration.

    Note

    Starting Junos OS Release 18.2R1, Deactivate is unavailable.

  9. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 217: IDP Policy Configuration Page

Field

Function

Policy List

Note: IDP policies that are created by root users in root-logical-system are not displayed in security profile advanced settings if you have logged in as a logical system user.

Status

Displays the status of the policy.

Name

Displays the IDP policy name.

Type

Displays the IDP policy type.

IPS Rule Number

Displays the number of rule based IP profiles that are configured.

Exempt Rule Number

Displays the number of rule based exempt profiles that are configured.

Table 218: Template Details

Field

Function

Action

Template

Loads a predefined IDP template. The options available are:

  • Download Template—Downloads a template from the server.

  • Install Template—Installs the template to the router.

  • Load Template—Loads the predefined policies to the policy list.

Click Template and select an option.

Table 219: Check Status Details

Field

Function

Action

Check Status

Checks download or install status. The options available are:

  • Download Status—Downloads status information from the Check Status list.

  • Install Status—Installs status information from the Check Status list.

Click Check Status and select an option.

Table 220: Add IDP Policy Configuration Details

Field

Function

Action

Policy Name

Specifies the name of the IDP policy.

Enter a policy name.

Activate

Specifies whether or not the configured IDP policy is set as the active policy.

Select the check box.

IPS Rule

Specifies the IPS rule created. The options available are:

  • Add—Adds a new IPS rule.

  • Edit—Edits the selected IPS rule.

  • Delete—Deletes the selected record.

  • Move—Organizes rows. Select Move up, Move down, Move to top, or Move to down.

Select an option.

Basic

Policy Name

Specifies the name of the IDP policy.

Displays the name of the IDP policy.

Rule Name

Specifies the name of the IPS rulebase rule.

Enter a rule name.

Rule Description

Specifies a description for the rule.

Enter the description for the rule.

Action

Specifies the list of all the rule actions for IDP to take when the monitored traffic matches the attack objects specified in the rules.

Select a rule action from the list.

Application

Specifies the list of one or multiple configured applications.

Select the applications to be matched.

Attack Type

Specifies the attack type that you do not want the device to match in the monitored network traffic. The options available are:

  • Predefined Attacks

  • Predefined Attack Groups

Select an option from the list and click the right arrow to match an attack object or attack group to the rule.

Category

Specifies the category used for scrutinizing rules of sets.

Select a category from the list.

Severity

Specifies the rule severity levels in logging to support better organization and presentation of log records on the log server.

Select a severity level from the list.

Direction

Specifies the direction of network traffic you want the device to monitor for attacks.

Select a direction level from the list.

Matched

Specifies the type of network traffic you want the device to monitor for attacks.

Select the traffic type and click the right arrow to move it to the matched list.

Advanced

IP Action

Specifies the action that IDP takes against future connections that use the same IP address.

Select an IP action from the list.

IP Target

Specifies the destination IP address.

Select an IP target from the list.

Timeout

Specifies the number of seconds the IP action remains in effect; new sessions initiated within that time are subject to the action.

Enter the timeout value, in seconds. The maximum value is 65,535 seconds.

Log IP Action

Specifies whether or not the log attacks are enabled to create a log record that appears in the log viewer.

Select the check box.

Enable Attack Logging

Specifies whether or not attack logging alerts are enabled.

Select the check box.

Set Alert Flag

Specifies whether or not an alert flag is set.

Select the check box.

Severity

Specifies the rule severity level.

Select an option from the list.

Terminal

Specifies whether or not the terminal rule flag is set.

Select the check box.

Match

From Zone

Specifies the match criteria for the source zone for each rule.

Select the match criteria from the list.

To Zone

Specifies the match criteria for the destination zone for each rule.

Select the match criteria from the list.

Source Address

Specifies the zone exceptions for the from-zone and source address for each rule. The options available are:

  • Match—Matches the from-zone and source address/address sets to the rule.

  • Except—Enables the exception criteria.

Select the from-zone and source addresses/address sets from the list and do one of the following:

  • Click Match and then click the right arrow.

  • Click Except.

Destination Address

Specifies the zone exceptions for the to-zone and destination address for each rule. The options available are:

  • Match—Matches the to-zone and destination address/address sets to the rule.

  • Except—Enables the exception criteria.

Select the to-zone and destination addresses/address sets from the list and do one of the following:

  • Click Match and then click the right arrow.

  • Click Except.

Table 221: Clone Details

Field

Function

Action

Copy Policy

Displays the policy name that was created.

New Policy

Specifies the new policy name.

Enter a new policy name.

SkyATP or Threat Prevention

Threat Prevention Policies Configuration Page Options

  1. Select Configure>Security>SkyATP or Threat Prevention>Policies in the J-Web user interface.

    The Threat Prevention Policies page appears. Table 189 explains the contents of this page.

  2. Click one:
    • +—Create a new or duplicate threat prevention policy. Enter information as specified in Table 109.

    • /—Edit the selected threat prevention policy.

    • X—Delete the selected threat prevention policy.

Table 222: Threat Prevention Policies Page

Field

Function

Name

Displays the threat prevention policy name.

C&C Server

Displays the threat score range set for this policy for C&C servers. A C&C profile provides information on C&C servers that have attempted to contact and compromise hosts on your network. If the threat score of a feed falls within this range, the feed is blocked or permitted based on the threat score.

Infected Host

Displays the threat score range set for this policy for infected hosts. An infected host profile provides information on compromised hosts and their associated threat levels.

Malware HTTP

A malware profile provides information on files downloaded by hosts over HTTP and found to be suspicious based on known signatures or URLs.

Malware SMTP

A malware profile provides information on files downloaded by hosts over SMTP and found to be suspicious based on known signatures or URLs.

Log

All traffic is logged by default. Use the pulldown to narrow the types of traffic to be logged.

Description

Displays the description of the policy.

IPSec VPN

VPN Global Settings Configuration Page Options

  1. Select Configure>IPSec VPN>Global Settings in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>Global Settings in the J-Web user interface.

    The VPN Global Settings configuration page appears. Table 223 explains the contents of this page.

  2. Click one:
    • Save—Applies changes to the configuration. Enter information as specified in Table 224.

    • Reset—Resets the configuration without saving changes.

Table 223: VPN Global Configuration Options

Field

Function

IKE Global Settings

Response Bad SPI

Displays the response to invalid IPsec SPI values.

Maximum Responses

Displays the number of times to respond to invalid SPI values per gateway.

IPsec Global Settings

VPN Monitor Options

Displays whether VPN monitoring is enabled.

Interval

Displays the interval at which ICMP requests are sent to the peer.

Threshold

Displays the number of consecutive unsuccessful pings before the peer is declared unreachable.

Internal SA

Enables secure login and prevents attackers from gaining privileged access through this control port by configuring the internal IPsec security association (SA).

Key (24 bytes)

Specifies the encryption key. You must ensure that the manual encryption key is in ASCII text and 24 characters long; otherwise, the configuration will result in a commit failure.

Table 224: Add VPN Global Configuration Details

Field

Function

Action

IKE Global Settings

Response Bad SPI

Provides response to invalid IPsec security parameter index values. If the SAs between two peers of an IPsec VPN become unsynchronized, the device resets the state of a peer so that the two peers are synchronized.

Select the check box if you want the device to respond to IPsec packets with bad SPI values.

Maximum Responses

Specifies the number of times to respond to invalid SPI values per gateway.

Enter a value from 1 through 30. The default is 5. This option is available when Response Bad SPI is selected.

IPSec Global Settings

VPN Monitor Options

Provides VPN monitoring options.

Select the check box if you want the device to monitor VPN liveliness.

Interval

Specifies the interval at which ICMP requests are sent to the peer.

Enter a value from 1 through 36,000 seconds.

Threshold

Specifies the number of consecutive unsuccessful pings before the peer is declared unreachable.

Enter a value from 1 through 65,536.

Internal SA

Enables secure login and prevents attackers from gaining privileged access through this control port by configuring the internal IPsec security association (SA).

Select the check box to enable Internal SA.

Key (24 bytes)

Specifies the encryption key.

Enter the encryption key. Ensure that the manual encryption key is in ASCII text and 24 characters long; otherwise, the configuration will result in a commit failure.

PowerMode IPSec

Pushes the relevant IPSec configuration required for the device.

Note: Starting in Junos OS Release 19.1R1, PowerMode IPSec (PMI) configuration is supported only on SRX4100, SRX4200, SRX4600, and SRX5000 Series devices with the SPC3 card, and on vSRX 2.0.

Select the check box to enable PMI.

Note:

  • By default, the PFE service restarts automatically after the commit; you do not need to restart it explicitly.

  • The J-Web user interface allows you to enable or disable PMI depending on the configuration required for each of the devices.

IKE (Phase I) Configuration Page Options

  1. Select Configure>IPSec VPN>Auto Tunnel>Phase I in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>VPN Tunnel I in the J-Web user interface.

    The VPN Gateway configuration page appears.

  2. (Junos OS Release 18.3R1 and later releases) Select Configure > Security Services > IPsec VPN > IKE (Phase I) in the J-Web user interface.

    The IKE (Phase I) configuration page appears. Table 225 explains the contents of this page.

  3. Click one:
    • Add or +—Adds a new or duplicate VPN gateway configuration. Enter information as specified in Table 226.

    • Edit or /—Edits a selected VPN gateway configuration.

    • Delete or X—Deletes the selected VPN gateway configuration.

  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 225: IKE (Phase I) Configuration Page

Field

Function

Gateway

Gateway Name

Displays the name of the gateway to be searched.

Search

Displays the text box for searching a gateway.

Name

Displays the name of the destination peer gateway, specified as an alphanumeric string.

IKE Policy

Displays the name of the IKE policy.

External Interface

Displays the name of the interface to be used to send traffic to the IPsec VPN.

Remote Identity

Displays information about the remote peer.

IKE Policy

Name

Displays the name of the policy.

Description

Provides a description of the policy.

Mode

Displays the mode of configuration.

Authentication Method

Displays the authentication method configured.

Proposal

Displays the name of the proposal configured to be used by this policy in Phase 1.

Proposal

Name

Displays the name of the proposal selected.

Authentication Algorithm

Displays the hash algorithm configured or selected.

Authentication Method

Displays the authentication method selected.

Encryption Algorithm

Displays the supported IKE proposals.

Table 226: Add Gateway Configuration Details

Field

Function

Action

IKE Gateway

Name

Specifies the name of the gateway.

Enter the name of the gateway.

Policy

Specifies the name of the policy.

Enter the name of the policy you configured for Phase 1.

External Interface

Specifies the name of the interface to be used to send traffic to the IPsec VPN.

Specifies the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Select an outgoing interface from the list.

Site to Site VPN

Specifies the VPN configuration type as site to site.

Click the Site to Site radio button.

Address/FQDN

Specifies the address or FQDN of the peer.

Enter information about the peer IP or domain name.

Local ID

Identity Type

Specifies the identity type. The identity types are as follows:

  • IP Address

  • Host Name

  • Email Address

  • Distinguished Name

Select one of the identity type options.

Client Tunnel

Specifies the remote access dynamic VPN.

Select the Client Tunnel radio button.

Connections limit

Specifies the limit on connections.

Enter the connection limit.

IKE user type

Specifies the Internet Key Exchange user type. The IKE user types are as follows:

  • group-ike-id

  • shared-ike-id

Select one of the IKE user type options.

Remote ID

Identity type

Specifies the identity type. The identity types are as follows:

  • IP Address

  • Host Name

  • Email Address

  • Distinguished Name

Select one of the identity type options.

IKE Gateway Options

Identity Type

Specifies the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. You can identify the local identity in any of the following ways:

  • IP Address—IPv4 IP address to identify the dynamic peer.

  • Hostname—Fully qualified domain name (FQDN) to identify the dynamic peer.

  • User at Hostname—E-mail address to identify the dynamic peer.

  • Distinguished Name—Name to identify the dynamic peer. The distinguished name appears in the subject line of the Public Key Infrastructure (PKI) certificate. For example: Organization: juniper, Organizational unit: slt, Common name: common.

Select one of the identity type options.

Dead Peer Detection

Specifies whether to enable DPD.

Select the check box.

Always send

Specifies that the device sends DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Select the check box.

Interval

Specifies the amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds.

Threshold

Specifies the maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

AAA

Provides AAA in addition to IKE authentication for remote users trying to access a VPN tunnel.

Select AAA from the list.

NAT-Traversal

Specifies whether to enable NAT-T. NAT-T is enabled by default.

Select or clear the check box to enable or disable NAT-T.

NAT-keepalive

Specifies the interval at which NAT keepalive packets are sent so that the NAT device keeps the translation for the tunnel open.

Enter the interval, in seconds, at which NAT keepalive packets can be sent. Default: 5 seconds. Range: 1 through 300 seconds.

Add Policy

IKE Policy

Name

Specifies the name of the IKE policy.

Enter the policy name.

Description

Provides a description of the policy.

Enter a description of the policy.

Mode

Specifies the mode. The available modes are as follows:

  • Main mode—This mode has three 2-way exchanges between the initiator and receiver. It is secure and preferred for the auto tunnel.

  • Aggressive mode—This mode is faster than main mode. It is less secure and is used mostly for dial-up VPN.

Select a mode from the list.

Proposal

Predefined

Specifies the predefined Phase 1 proposals. Use one of the following types of predefined Phase 1 proposals:

  • Basic

  • Compatible

  • Standard

  • Prime-128

  • Prime-256

  • Suiteb-gcm-128

  • Suiteb-gcm-256

Click Predefined, and select a proposal type.

User defined

Specifies the user-defined Phase 1 proposal.

Click User Defined, select a proposal from the pop-up menu, and click Add.

Proposal List

Specifies one or more proposals that can be used during key negotiation:

Click the Predefined Proposal option button to select proposals preconfigured by JUNOS Software.

Click the User Defined Proposal option button to use proposals that you have created.

IKE Policy Options

Pre Shared Key

Specifies use of a preshared key for the VPN.

The available options are as follows:

  • ASCII text

  • Hexadecimal

If a preshared key is selected, then configure the appropriate key.

Certificate

Specifies use of a certificate for the VPN.

Click the option button.

Local Certificate

Specifies use of a particular certificate when the local device has multiple loaded certificates.

Enter a local certificate identifier.

Peer Certificate Type

Specifies use of a preferred type of certificate.

The available options are as follows:

  • PKCS7

  • X509

Select a certificate type.

Trusted CA

Specifies the preferred CA to use when requesting a certificate from the peer. If no value is specified, then no certificate request is sent (although incoming certificates are still accepted).

The options that are available are as follows:

  • None—Use none of the configured certificate authorities.

  • Use All—Device uses all configured certificate authorities.

  • CA Index—Preferred certificate authority ID for the device to use.

Select a trusted CA from the list.

Add Proposal

IKE Proposal

Name

Specifies the name of the proposal.

Enter the name of the proposal.

Authentication Algorithm

Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.

  • sha1—Produces a 160-bit digest.

  • sha-256—Produces a 256-bit digest.

    Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

  • sha-384—Produces a 384-bit digest.

  • sha-512—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

    Note: Starting in Junos OS Release 19.1R1, the new authentication algorithm is supported on SRX5000 Series devices with the SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select a hash algorithm from the available option.

Authentication Method

Specifies the method the device uses to authenticate the source of IKE messages. The available options are as follows:

  • pre-shared-key—Key for encryption and decryption that both participants must have before beginning tunnel negotiations.

  • rsa-key—Digital signatures, backed by certificates that confirm the identity of the certificate holder.

Select an option.

Description

Provides a description of the proposal for easy identification.

Enter a brief description of the IKE proposal.

DH Group

Specifies the Diffie-Hellman group. The DH exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

The available options are as follows:

  • None

  • group1

  • group2

  • group5

  • group14

  • group19

  • group20

  • group24

  • group15—Starting in Junos OS Release 19.1R1, this option is supported.

  • group16—Starting in Junos OS Release 19.1R1, this option is supported.

  • group21—Starting in Junos OS Release 19.1R1, this option is supported.

Note: Starting in Junos OS Release 19.1R1, the new DH groups are supported on SRX5000 Series devices with the SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption Algorithm

Specifies the supported Internet Key Exchange (IKE) proposals. It includes the following:

  • 3des-cbc—3DES-CBC encryption algorithm.

  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.

  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.

  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.

  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm from the list.

Lifetime seconds

Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is replaced by a new SA and SPI or is terminated.

Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds.

IKE (Phase II) Configuration Page Options

  1. Select Configure>IPSec VPN>Auto Tunnel>Phase II in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>VPN Tunnel II in the J-Web user interface.

    The VPN Auto Key configuration page appears.

  2. (Junos OS Release 18.3R1 and later releases) Select Configure > Security Services > IPsec VPN > IPsec (Phase II) in the J-Web user interface.

    The IKE (Phase II) configuration page appears. Table 227 explains the contents of this page.

  3. Click one:
    • Add or +—Adds a new or duplicate VPN AutoKey configuration. Enter information as specified in Table 228.

    • Edit or /—Edits a selected VPN AutoKey configuration.

    • Delete or X—Deletes the selected VPN AutoKey configuration.

  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 227: IKE (Phase II) Configuration Page

Field

Function

VPN

VPN name

Enter the name of the VPN to be searched.

Search

Displays the search specific to a VPN.

Name

Displays the name of the VPN.

Gateway

Displays the name of the gateway.

IPSec Policy

Displays the policy associated with this IPsec tunnel.

Bind Interface

Displays the tunnel interface to which the route-based VPN is bound.

Proxy Identity

Displays the IPsec proxy identity.

VPN Monitoring

Displays the name of the VPN monitoring option selected.

IPSec Policy

Name

Displays the name of the IPsec policy.

Description

Displays the description of the policy.

Perfect Forward Secrecy

Displays the method the device uses to generate the encryption key. PFS generates each new encryption key independent of the previous key.

Proposal

Displays the name of the proposal to be used by the IPsec policy in Phase 2.

Proposal

Name

Displays the name of the Phase 2 proposal.

Authentication Algorithm

Displays the hash algorithm that authenticates packet data.

Protocol

Displays the type of security protocol.

Encryption algorithm

Displays the IKE encryption algorithm type.

Table 228: Add VPN Configuration Details

Field

Function

Action

Add VPN

IPsec VPN

VPN Name

Specifies the name of the VPN.

Enter a name.

Remote Gateway

Specifies the remote gateway for the IPsec tunnel.

Select a name.

IPsec Policy

Specifies the IPsec policy associated with this IPsec tunnel.

Select a policy.

Bind to tunnel interface

Specifies the tunnel interface to which the route-based VPN is bound.

Select an interface.

Establish tunnels

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.

  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

  • responder-only—Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to a negotiation request received from the peer.

    Note:

    • The responder-only mode is supported on SRX5000 Series devices with the SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

    • When responder-only mode is configured for multiple VPN objects with single gateway configuration, all VPN objects must be configured with responder-only mode only.

    • Responder-only mode is supported only for site-to-site VPN and it is not supported on AutoVPN.

  • responder-only-no-rekey—Starting in Junos OS Release 19.1R1, this option is supported. Disables rekey in the responder-only mode.

Select any of the available options.

Disable anti replay

Specifies to disable the antireplay checking feature of IPsec. By default, antireplay checking is enabled.

Select the check box.

Add St Logical Interface

Tunnel Interface st0

Specifies the logical unit number.

Enter the logical unit number.

Zone

Specifies the zones for the logical interface.

Select a zone.

Unnumbered

Disables the configuration for logical interface.

Select Unnumbered.

Numbered

Determines if the logical unit is numeric.

Select Numbered.

IPV4 Address

Displays the IPV4 address.

Note: This field is disabled if Unnumbered is selected.

Enter an IPV4 address.

IPV6 Address

Displays the IPV6 address.

Note: This field is disabled if Unnumbered is selected.

Enter an IPV6 address.

Multipoint

Multipoint

Enable to configure multipoint.

Select the check box.

St0 Interface Configuration

Automatic

Enables the configuration to automatically specify the next hop tunnel address and VPN name.

Select Automatic.

Manual

Enables the configuration to manually provide the next-hop tunnel address and VPN name. Enables the Add and Delete options.

Select Manual.

Next hop tunnel address

Specifies the next-hop tunnel address. Ensure that no two configurations have the same IP address.

Select the check box and enter the IP address.

VPN Name

Specifies the VPN name; the list shows the configured route-based VPNs.

Select a VPN name.

Routing Protocols

Enable routing protocols.

Enable the available routing protocols.

Select the check boxes to select protocols.

IPSec VPN Options

Enable VPN Monitor

Specifies whether to enable VPN monitor.

Select the check box.

Destination IP

Specifies the IP address of the destination peer to monitor.

Enter an IP address.

Optimized

Specifies that the device uses traffic patterns as evidence of peer liveliness. If enabled, ICMP requests are suppressed.

Select the check box.

Source Interface

Specify the source interface for ICMP requests. If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Use Proxy Identity

Local IP/Netmask

Specifies the local IP address and subnet mask for proxy identity.

Enter an IP address.

Remote IP/Netmask

Specifies the remote IP address and subnet mask for proxy identity.

Enter an IP address.

Service

Specifies the service (port and protocol combination) to protect.

Select a service.

Do not fragment bit

Specifies how the device handles the DF bit in the outer header.

The options available are as follows:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Select an option from the list.

Idle Time

Specifies the maximum amount of idle time to delete an SA.

Enter the idle time. Range: 60 through 999999 seconds.

Install interval

Specifies the maximum number of seconds to allow installation of a rekeyed outbound security association (SA) on the device.

Specify a value from 0 through 10 seconds.

Add Policy

IPSec Policy

Name

Specifies the name of the IPsec policy.

Enter a name.

Description

Provides a description for associating a policy with an IPsec tunnel.

Enter a text description.

Perfect Forward Secrecy

Displays the method the device uses to generate the encryption key. PFS generates each new encryption key independent of the previous key.

  • None.

  • group1—Diffie-Hellman Group 1.

  • group2—Diffie-Hellman Group 2.

  • group5—Diffie-Hellman Group 5.

  • group14—Diffie-Hellman Group 14.

  • group19—Diffie-Hellman Group 19.

  • group20—Diffie-Hellman Group 20.

  • group24—Diffie-Hellman Group 24.

  • group15—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 15 is supported.

  • group16—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 16 is supported.

  • group21—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 21 is supported.

Note: Starting in Junos OS Release 19.1R1, the new DH-Groups supports SRX5000 Series devices with SPC3 card upon installation of junos-ike package only. To install junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select a method.

Proposal

Predefined

Specifies the predefined Phase 2 proposals.

The options available are as follows:

  • basic

  • compatible

  • standard

  • Prime-128

  • Prime-256

  • Suiteb-gcm-128

  • Suiteb-gcm-256

Click Predefined, and select one of the options.

User defined

Specifies a list of proposals previously defined by the user.

Click User Defined, select proposals from the pop-up menu, and then click Add.

Proposal List

Specifies the available proposal list.

Select the proposals for Phase 2 from the Available Phase 2 Proposal list. Rearrange the list as required.

Add Proposal

IPsec Proposal

Name

Specifies the name of the Phase 2 proposal.

Enter a name.

Description

Provides a description of the Phase 2 proposal.

Enter a text description.

Authentication Algorithm

Specifies the hash algorithm for authenticating packet data. The available options are as follows:

  • none

  • hmac-md5-96—Produces a 128-bit digest.

  • hmac-sha1-96—Produces a 160-bit digest.

  • hmac-sha-256-128—Produces a 256-bit digest.

  • hmac-sha-512—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

  • hmac-sha-384—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 384-bit digest.

Note: Starting in Junos OS Release 19.1R1, the new authentication algorithms are supported on SRX5000 Series devices with the SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select an option.

Encryption Algorithm

Specifies an IKE encryption algorithm.

  • none

  • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.

  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.

  • aes-128-cbc—AES 128-bit encryption algorithm.

  • aes-192-cbc—AES 192-bit encryption algorithm.

  • aes-256-cbc—AES 256-bit encryption algorithm.

Select an option.

Lifetime Kilobytes

Specifies the lifetime, in kilobytes, of an IPsec SA. The SA is terminated when the specified number of kilobytes of traffic has passed.

Enter a value from 64 through 1,048,576 bytes.

Lifetime Seconds

Specifies the lifetime, in seconds, of an IPsec SA. When the SA expires, it is replaced by a new SA and SPI or is terminated.

Enter a value from 180 through 86,400 seconds.

Protocol

Specifies the networking protocol name.

The options available are as follows:

  • none

  • ah—IP Security Authentication Header

  • esp—IPsec Encapsulating Security Payload

Select a protocol from the list.
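The following Python linter is an added example, not J-Web or Junos code: it encodes the proposal constraints from Table 226 and Table 228 above (the listed algorithm and DH-group options, the options gated on Junos OS Release 19.1R1, the lifetime ranges, and the rule that all Phase 1 proposals use the same Diffie-Hellman group) so a proposal set can be checked before it is committed. The dict field names and the list of weak algorithms are the editor's assumptions, not values from the page.

```python
"""Pre-commit linter for the Phase 1 (Table 226) and Phase 2 (Table 228)
proposal fields. Added example, not Junos or J-Web code; proposals are plain
dicts whose keys are assumed names mirroring the J-Web form fields."""
from typing import Dict, List, Sequence, Tuple

# Option lists exactly as Table 226 and Table 228 present them.
IKE_AUTH_ALGS = {"md5", "sha1", "sha-256", "sha-384", "sha-512"}
IKE_AUTH_METHODS = {"pre-shared-key", "rsa-key"}
DH_GROUPS = {"None", "group1", "group2", "group5", "group14", "group15",
             "group16", "group19", "group20", "group21", "group24"}
ENC_ALGS = {"3des-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "des-cbc"}
IPSEC_AUTH_ALGS = {"none", "hmac-md5-96", "hmac-sha1-96", "hmac-sha-256-128",
                   "hmac-sha-384", "hmac-sha-512"}
IPSEC_PROTOCOLS = {"none", "ah", "esp"}
# Options the page marks as available starting in Junos OS Release 19.1R1.
NEEDS_19_1R1 = {"sha-512", "group15", "group16", "group21",
                "hmac-sha-384", "hmac-sha-512"}
# Editor's caveat, not from the page: DES and MD5 are broken, 3DES and the
# sub-2048-bit DH groups are deprecated; J-Web still lists them.
WEAK = {"md5", "hmac-md5-96", "des-cbc", "3des-cbc", "group1", "group2", "group5"}
MAX_PHASE1_PROPOSALS = 4  # "up to four" proposals for Phase 1 negotiations


def _in_range(name: str, value, lo: int, hi: int) -> List[str]:
    """Error unless value is an int within lo through hi (inclusive)."""
    if not isinstance(value, int) or not lo <= value <= hi:
        return [f"{name}: {value!r} is outside {lo} through {hi}"]
    return []


def _option(name: str, value, allowed, release: Tuple[int, int]) -> List[str]:
    """Error unless value is a listed option available on this release."""
    if value not in allowed:
        return [f"{name}: {value!r} is not one of {sorted(allowed)}"]
    if value in NEEDS_19_1R1 and release < (19, 1):
        return [f"{name}: {value} requires Junos OS Release 19.1R1 or later"]
    return []


def lint_ike_proposal(p: Dict, release: Tuple[int, int] = (19, 1)) -> List[str]:
    """Validate one Phase 1 proposal (Table 226). Lifetime defaults to 3,600 s."""
    errs: List[str] = []
    errs += _option("authentication-algorithm", p.get("authentication-algorithm"),
                    IKE_AUTH_ALGS, release)
    errs += _option("authentication-method", p.get("authentication-method"),
                    IKE_AUTH_METHODS, release)
    errs += _option("dh-group", p.get("dh-group"), DH_GROUPS, release)
    errs += _option("encryption-algorithm", p.get("encryption-algorithm"),
                    ENC_ALGS, release)
    errs += _in_range("lifetime-seconds", p.get("lifetime-seconds", 3600), 180, 86400)
    return errs


def lint_ike_proposal_set(proposals: Sequence[Dict],
                          release: Tuple[int, int] = (19, 1)) -> List[str]:
    """Validate a Phase 1 proposal list: at most four entries, each valid, and
    all using the same Diffie-Hellman group, as Table 226 requires."""
    errs: List[str] = []
    if not 1 <= len(proposals) <= MAX_PHASE1_PROPOSALS:
        errs.append(f"proposal list: {len(proposals)} entries, allowed 1 through "
                    f"{MAX_PHASE1_PROPOSALS}")
    for i, p in enumerate(proposals):
        errs += [f"proposal[{i}] {e}" for e in lint_ike_proposal(p, release)]
    groups = {str(p.get("dh-group")) for p in proposals}
    if len(groups) > 1:
        errs.append(f"proposal list: mixed DH groups {sorted(groups)}; "
                    "use the same group in all proposals")
    return errs


def lint_ipsec_proposal(p: Dict, release: Tuple[int, int] = (19, 1)) -> List[str]:
    """Validate one Phase 2 proposal (Table 228); lifetimes are checked if set."""
    errs: List[str] = []
    errs += _option("protocol", p.get("protocol"), IPSEC_PROTOCOLS, release)
    errs += _option("authentication-algorithm", p.get("authentication-algorithm"),
                    IPSEC_AUTH_ALGS, release)
    errs += _option("encryption-algorithm", p.get("encryption-algorithm"),
                    ENC_ALGS | {"none"}, release)
    if "lifetime-seconds" in p:
        errs += _in_range("lifetime-seconds", p["lifetime-seconds"], 180, 86400)
    if "lifetime-kilobytes" in p:
        errs += _in_range("lifetime-kilobytes", p["lifetime-kilobytes"], 64, 1048576)
    return errs


def weak_choices(p: Dict) -> List[str]:
    """Fields of a proposal whose selected option is on the WEAK list."""
    return sorted(k for k, v in p.items() if v in WEAK)


# Constructed samples: a legacy proposal J-Web accepts but a defender should
# not deploy, beside a hardened one.
LEGACY_IKE = {"authentication-algorithm": "md5", "authentication-method": "pre-shared-key",
              "dh-group": "group1", "encryption-algorithm": "des-cbc", "lifetime-seconds": 100}
HARDENED_IKE = {"authentication-algorithm": "sha-256", "authentication-method": "rsa-key",
                "dh-group": "group14", "encryption-algorithm": "aes-256-cbc",
                "lifetime-seconds": 3600}

if __name__ == "__main__":
    for label, prop in (("legacy", LEGACY_IKE), ("hardened", HARDENED_IKE)):
        print(label, lint_ike_proposal(prop), "weak:", weak_choices(prop))
```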

VPN Manual Key Configuration Page Options

  1. Select Configure>IPSec VPN>Manual Tunnel in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>Manual Key VPN in the J-Web user interface.

    The VPN Manual Key configuration page appears. Table 229 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate VPN manual key configuration. Enter information as specified in Table 230.

    • Edit or /—Edits a selected VPN manual key configuration.

    • Delete or X—Deletes the selected VPN manual key configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 229: VPN Manual Key Configuration Page

Field

Function

Name

Displays the name of the manual tunnel.

Gateway

Displays the selected gateway.

Bind Interface

Displays the tunnel interface to which the route-based VPN is bound.

Df Bit

Displays the DF bit in the outer header.

Table 230: Add VPN Manual Key Configuration Details

Field

Function

Action

IPSec Manual Key

VPN Name

Specifies the name of the VPN for the IPsec tunnel.

Enter the VPN name.

Remote Gateway

Specifies the name of the remote gateway.

Enter the gateway.

External Interface

Specifies the external interface.

Select an interface from the list.

Protocol

Specifies the types of protocols available for configuration.

The available options are as follows:

  • ESP

  • AH

Select an option.

SPI

Specifies the SPI value.

Range: 256 through 16639.

Enter a value.

Bind to tunnel interface

Specifies the tunnel interface to which the route-based VPN is bound.

Select an interface from the list.

Do not fragment bit

Specifies how the device handles the DF bit in the outer header.

The available options are as follows:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • set—Set (enable) the DF bit in the outer header.

  • copy—Copy the DF bit to the outer header.

Select an option from the list.

Enable VPN Monitor

Destination IP

Specifies the IP address of the destination peer.

Enter an IP address.

Optimized

Specifies that the device uses traffic patterns as evidence of peer liveliness. If enabled, ICMP requests are suppressed. This feature is disabled by default.

Select the check box to enable the feature.

Source Interface

Specifies the source interface for ICMP requests (VPN monitoring “hellos”). If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Key Values

Authentication

Algorithm

Specifies the hash algorithm that authenticates packet data. The options available are as follows:

  • hmac-md5-96—Produces a 128-bit digest.

  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm from the available options.

ASCII Text

Specifies the preshared value of the key in ASCII format.

Select the ASCII Text option, and enter the key in the appropriate format.

Hexadecimal

Specifies the preshared value of the key in hexadecimal format.

Select the Hexadecimal option, and enter the key in the appropriate format.

Encryption

Encryption

Specifies the supported Internet Key Exchange (IKE) proposals, which includes the following:

  • 3des-cbc—3DES-CBC encryption algorithm.

  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.

  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.

  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.

  • des-cbc—DES-CBC encryption algorithm.

Select an option.

ASCII Text

Specifies the preshared value of the key in ASCII format.

Enable the ASCII Text option and enter the key in the appropriate format.

Hexadecimal

Specifies the preshared value of the key in hexadecimal format.

Enable the Hexadecimal option and enter the key in the appropriate format.

Dynamic VPN Global Settings Configuration Page Options

  1. Select Configure>IPSec VPN>Dynamic VPN>Global Settings in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>Dynamic VPN in the J-Web user interface.

    The Dynamic VPN Global Settings configuration page appears. Table 231 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new client VPN configuration. Enter information as specified in Table 232.

    • /—Edits a selected VPN gateway configuration.

    • Apply—Applies the selected configuration.

    • Delete or X—Deletes the selected client VPN configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 231: Add Dynamic VPN Global Settings Configuration Page

Field

Function

Action

Dynamic VPN

Access Profile

Specifies the access profile that controls the authentication of users who want to download Access Manager. (You will need to select these access profiles when configuring the IKE gateway and dynamic VPN global options. You can use the same access profile to authenticate users in both cases, or you can use separate access profiles to authenticate downloads and VPN sessions.)

Note: This Access Profile option does not control authentication for VPN sessions. For session authentication, use the Access Profile option on the IKE Gateway Configuration page. For more information, see "Configuring an IKE Gateway Configuration (Dynamic VPNs)."

Select a previously created access profile from the list that is displayed.

Force Upgrade

Specifies an option to set up a program to automatically download the latest client and install it on the user’s computer when the setup program detects a version mismatch between the client and server. Otherwise, the setup program prompts the user to upgrade the client when it detects a version mismatch, but does not force the upgrade. If the user does not choose to upgrade, the setup program will launch the existing client version on the user’s computer.

Select the check box to enable or disable force upgrade. (Enabled by default.)

Table 232: Add Client VPN Global Settings Configuration Details

Field

Function

Action

Name

Specifies the name of the client configuration.

Enter a name.

IPSec VPN

Specifies the IKE AutoKey configuration to use when establishing the VPN tunnel.

Select a previously configured IKE AutoKey configuration from the list that is displayed.

Remote Protected Resources IP

Specifies the IP address and net mask of a resource behind the firewall. Traffic to the specified resource will go through the VPN tunnel and therefore will be protected by the firewall’s security policies.

Note: The device does not validate that the IP/net mask combination that you enter here matches up with your security policies.

Enter an IP address and net mask and click Add.

Remote Exceptions IP

Specifies the IP address and net mask of exceptions to the remote protected resources list.

Enter an IP address and net mask and click Add.

Users

Specifies the list of users who can use this client configuration.

Note: The server does not validate the names that you enter here, but the names must be the names that the users use to log in to the device when downloading the client.

Enter a username and click Add.
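The Remote Protected Resources and Remote Exceptions rows above define a simple decision for the client: a destination is sent through the tunnel when it falls within a protected prefix and is not covered by an exception prefix, and the note states that the device does not cross-check what you enter. The following Python is an added example, not J-Web or the Access Manager client: it models that decision with the standard `ipaddress` module and adds two sanity checks that the page says the device does not perform, reporting an exception prefix that overlaps no protected prefix (it can never exclude anything) and an entry whose host bits are set (it is normalized to its network). The class name, method names and the prefixes used are constructed for this example.

```python
import ipaddress
from typing import List


class ClientVpnConfig:
    """Models the address lists of one client configuration (Table 232) and the
    tunnel decision they imply. Times, names and prefixes are constructed."""

    def __init__(self, name: str, protected: List[str], exceptions: List[str]):
        self.name = name
        self.normalized = []  # (entry as typed, network actually used)
        self.protected = [self._network(c) for c in protected]
        self.exceptions = [self._network(c) for c in exceptions]

    def _network(self, cidr: str):
        """Accept 'address/prefix' or 'address/netmask'. If host bits are set, the
        entry is treated as its containing subnet and recorded for review."""
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if iface.ip != net.network_address:
            self.normalized.append((cidr, net))
        return net

    def goes_through_tunnel(self, destination: str) -> bool:
        """Exceptions win over protected resources, as the page describes."""
        addr = ipaddress.ip_address(destination)
        if any(addr in net for net in self.exceptions):
            return False
        return any(addr in net for net in self.protected)

    def ineffective_exceptions(self):
        """Exception prefixes that overlap no protected prefix; the device does
        not flag these, so the check is done here instead."""
        return [ex for ex in self.exceptions
                if not any(ex.overlaps(p) for p in self.protected)]


if __name__ == "__main__":
    cfg = ClientVpnConfig("remote-users",
                          protected=["10.10.0.0/16", "192.168.100.0/255.255.255.0"],
                          exceptions=["10.10.50.0/24"])
    for dst in ("10.10.1.7", "10.10.50.9", "192.168.100.20", "198.51.100.1"):
        print(dst, "-> tunnel" if cfg.goes_through_tunnel(dst) else "-> direct")
    print("ineffective exceptions:", cfg.ineffective_exceptions())
    print("normalized entries:", cfg.normalized)
```

Running the same check against the security policies that should cover the protected prefixes is left to the operator; the page is explicit that the device does not validate that the two agree.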

User Firewall

Configuring Active Directory

Use the Create Active Directory Profile page to configure the IP address-to-user mapping information and the user-to-group mapping information to access the LDAP server.

  1. Select Configure>Security>User Firewall>Active Directory in the J-Web user interface.
  2. Click Create Active Directory.
  3. Complete the configuration by using the guidelines in Table 233.
  4. Click Finish.

    A Summary page appears, providing a preview of the complete configuration.

    You can edit or delete the configuration by clicking the Edit icon (/) or Delete Icon (X).

Table 233: Active Directory Configuration Options

Field

Function

General Information

On Demand Probe

Enable the manual on-demand probing of a domain PC as an alternate method for the SRX Series device to retrieve address-to-user mapping information.

Timeout

Authentication Entry Timeout

Set the timeout to 0 to prevent the user's entry from being removed from the authentication table after the timeout.

Note that when a user is no longer active, a timer is started for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table. Entries in the table remain active as long as there are sessions associated with the entry.

The default authentication entry timeout is thirty minutes. To disable timeout, set the interval to zero. The range is 10 through 1440 minutes.

WMI Timeout

Configure the number of seconds that the domain PC has to respond to the SRX Series device’s query through Windows Management Instrumentation (WMI) or Distributed Component Object Model (DCOM).

If no response is received from the domain PC within the wmi-timeout interval, the probe fails and the system either creates an invalid authentication entry or updates the existing authentication entry as invalid. If an authentication table entry already exists for the probed IP address and no response is received from the domain PC within the wmi-timeout interval, the probe fails and that entry is deleted from the table.

The range is 3 through 120 seconds.

Invalid Authentication Entry Timeout

When a user is no longer active, a timer is started for that user’s entry in the Active Directory authentication table. When the time is up, the user’s entry is removed from the table.

If this value is not configured, all invalid authentication entries from Active Directory use the default value of 30 minutes.

The range is 10 through 1440 minutes.

Firewall Authentication Forced Timeout

This is the firewall authentication fallback time. Set the timeout to 0 to prevent the user's entry from being removed from the authentication table after the timeout.

The range is 10 through 1440 minutes.

Filter

Filter

Set the range of IP addresses that must be monitored or not monitored.

  • Include—Specify to include IP addresses from the Available column.

  • Exclude—Specify to exclude IP addresses from the Available column.

Click the Add icon (+) to create a new IP address and add it as either include or exclude from monitoring.

Click the Delete icon (X) to remove an IP address from the include or exclude list.

Domain Settings

Domain

The Add Domain Settings page appears.

Enter the name of the domain, username, and password.

The username and password are the Active Directory account name and password.

The range for the username is 1 through 64 characters. Example: admin

The range for the password is 1 through 128 characters. Example: A$BC123

Domain Controller(s)

Click the add icon (+) to add domain controller settings.

  • Domain Controller Name—The name can range from 1 through 64 characters. A maximum of 10 domain controllers can be configured.

  • IP Address—IP address of the domain controller.

Example: example.net

User Group Mapping (LDAP)

IP Address

Specify the IP address of the LDAP server. If no address is specified, the system uses one of the configured Active Directory domain controllers.

Example: 192.0.2.16

Port

Specify the port number of the LDAP server. If no port number is specified, the system uses port 389 for plaintext or port 636 for encrypted text.

Base DN

Enter the LDAP base distinguished name (DN).

Example: DC=example,DC=net

Username

Enter the username of the LDAP account. If no username is specified, the system will use the configured domain controller’s username.

Password

Enter the password for the account. If no password is specified, the system uses the configured domain controller’s password.

Use SSL

Enable Secure Sockets Layer (SSL) to ensure secure transmission with the LDAP server. This option is disabled by default, in which case the password is sent in plaintext.

Authentication Algorithm

Specify the algorithm used while the SRX Series device communicates with the LDAP server. By default, simple is selected, which configures simple (plaintext) authentication mode.

IP-User Mapping

Discovery Method

Enable the method of discovering IP address-to-user mappings.

WMI—Windows Management Instrumentation (WMI) is the discovery method used to access the domain controller.

Event Log Scanning Interval

Enter the scanning interval at which the SRX Series device scans the event log on the domain controller. The range is 5 through 60 seconds.

Initial Event Log TimeSpan

Enter the time of the earliest event log on the domain controller that the SRX Series device will initially scan. This scan applies to the initial deployment only. After WMIC and the user identification start working, the SRX Series device scans only the latest event log.

The range is 1 through 168 hours.
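The Timeout rows of Table 233 describe a small state machine: an entry's timer starts only when its last session ends, a value of 0 disables expiry, invalid entries created by a failed probe have their own timeout, and a failed WMI probe either creates an invalid entry or deletes the entry that already exists for that address. The following Python is an added example, not J-Web or Junos code: it models that behaviour with constructed entries and times (in minutes) so the rules can be checked against each other, and validates configured values against the ranges the table gives. The class and method names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ranges stated in Table 233: entry timeouts are 0 (disabled) or 10..1440 minutes,
# the WMI probe timeout is 3..120 seconds, and the default entry timeout is 30 min.
ENTRY_TIMEOUT_MIN, ENTRY_TIMEOUT_MAX = 10, 1440
WMI_TIMEOUT_MIN, WMI_TIMEOUT_MAX = 3, 120
DEFAULT_ENTRY_TIMEOUT = 30


def check_entry_timeout(minutes: int) -> int:
    """0 disables expiry; any other value must lie in the documented range."""
    if minutes == 0 or ENTRY_TIMEOUT_MIN <= minutes <= ENTRY_TIMEOUT_MAX:
        return minutes
    raise ValueError(f"entry timeout must be 0 or {ENTRY_TIMEOUT_MIN}-{ENTRY_TIMEOUT_MAX} minutes")


def check_wmi_timeout(seconds: int) -> int:
    if WMI_TIMEOUT_MIN <= seconds <= WMI_TIMEOUT_MAX:
        return seconds
    raise ValueError(f"WMI timeout must be {WMI_TIMEOUT_MIN}-{WMI_TIMEOUT_MAX} seconds")


@dataclass
class Entry:
    user: str
    valid: bool = True                    # False for an entry created by a failed probe
    sessions: int = 0                     # sessions currently associated with the entry
    idle_since: Optional[float] = None    # minute at which the last session ended


class AuthTable:
    """A model of the Active Directory authentication table's timer behaviour."""

    def __init__(self, timeout: int = DEFAULT_ENTRY_TIMEOUT,
                 invalid_timeout: int = DEFAULT_ENTRY_TIMEOUT):
        self.timeout = check_entry_timeout(timeout)
        self.invalid_timeout = check_entry_timeout(invalid_timeout)
        self.entries: Dict[str, Entry] = {}

    def learn(self, ip: str, user: str, now: float) -> None:
        """A mapping learned from the event log or a successful probe. It starts
        idle, so its timer runs until a session attaches to it."""
        self.entries[ip] = Entry(user=user, idle_since=now)

    def session_open(self, ip: str) -> None:
        entry = self.entries[ip]
        entry.sessions += 1
        entry.idle_since = None  # entries with sessions never expire

    def session_close(self, ip: str, now: float) -> None:
        entry = self.entries[ip]
        entry.sessions -= 1
        if entry.sessions == 0:
            entry.idle_since = now  # the timer starts when the user goes inactive

    def probe_result(self, ip: str, responded: bool, user: str, now: float) -> None:
        """Probe outcome as the page describes it: a response (re)learns the
        mapping; no response within the WMI timeout creates an invalid entry,
        or deletes the entry that already existed for that IP address."""
        if responded:
            self.learn(ip, user, now)
        elif ip in self.entries:
            del self.entries[ip]
        else:
            self.entries[ip] = Entry(user="", valid=False, idle_since=now)

    def expire(self, now: float) -> List[str]:
        """Remove entries whose timer has run out; return the removed addresses."""
        removed = []
        for ip, entry in list(self.entries.items()):
            limit = self.timeout if entry.valid else self.invalid_timeout
            if limit == 0 or entry.idle_since is None:
                continue
            if now - entry.idle_since >= limit:
                removed.append(ip)
                del self.entries[ip]
        return removed


if __name__ == "__main__":
    table = AuthTable(timeout=30, invalid_timeout=10)
    table.learn("192.0.2.10", "alice", now=0)       # constructed mapping
    table.session_open("192.0.2.10")
    print("while active:", table.expire(now=100))   # []
    table.session_close("192.0.2.10", now=100)
    print("30 min idle:", table.expire(now=130))    # ['192.0.2.10']
    table.probe_result("192.0.2.20", responded=False, user="", now=0)
    print("invalid entry expires:", table.expire(now=10))
```

Because an entry with sessions attached never expires, a timeout of 0 means a stale mapping is only ever replaced by a newer event-log entry or removed by a probe result; the non-zero default is the safer choice for a table that drives policy decisions.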

Authentication Priority Configuration Page Options

  1. Select Configure>Security>User Firewall>Auth Priority in the J-Web user interface.

    The authentication priority configuration page appears. Table 234 explains the contents of this page.

  2. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Actions>Commit—Commits the configuration and returns to the main configuration page.

    • Reset—Resets your entries and returns to the main configuration page.

Table 234: Authentication Priority Configuration Options

Field

Function

Action

Priority

Enable local authentication

Enables you to add local authentication and set a priority.

Select the Enable local authentication check box to enable local authentication.

Priority

Enables you to set an authentication priority.

Enter a priority value (1 through 65,535) in the Priority field.

Note: The default local authentication priority value is 100.

Enable firewall authentication

Enables you to add firewall authentication and set a priority.

Select the Enable firewall authentication check box to enable firewall authentication.

Priority

Enables you to set an authentication priority.

Enter a priority value (1 through 65,535) in the Priority field.

Note: The default firewall authentication priority value is 150.

Enable UAC authentication

Enables you to add UAC authentication and set a priority.

Select the Enable unified access control check box to enable UAC authentication.

Priority

Enables you to set an authentication priority.

Enter a priority value (1 through 65,535) in the Priority field.

Note: The default local authentication priority value is 200.

Local Authentication Configuration Page Options

  1. Select Configure>Security>User Firewall>Local Auth in the J-Web user interface.

    The local authentication configuration page appears. Table 235 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate local authentication configuration. Enter information as specified in Table 236.

    • Delete or /—Deletes the selected local authentication configuration.

    • Clear All—Clears all local authentication configuration entries.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Actions>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 235: Local Authentication Configuration Page

Field

Function

Filter by

Displays the local authentication configuration based on the selected filter.

IP

Displays the IP address.

User Name

Displays the name of the user.

Role List

Displays the list of roles assigned to the username.

Table 236: Add Local Authentication Configuration Details

Field

Function

Action

IP Address

Specifies the IP address.

Enter an IP address for the local authentication.

User Name

Specifies the username.

Enter a username for the local authentication.

Role List

Specifies the list of roles for the local authentication.

Enter roles for the local authentication entry. Enter the role and click + to add a role.

To delete a role, select the role and click .

Note: You can configure 200 roles for one local authentication entry.

Identity Management Configuration Page Options

  1. Select Configure>Security>User Firewall>Identity Management in the J-Web user interface.

    The Identity Management page appears.

    Note

    You cannot configure identity management if Active Directory is configured. Disable Active Directory to create an identity management profile.

    This page displays:

    • The values that you have configured for identity management. You can either edit a few values or delete the entire configuration.

    • The connection status of this SRX device with the Juniper Identity Management Service (JIMS), primary as well as secondary server.

    Note

    If you have not configured the identity management profile, the configure button is displayed; click Configure to create a profile.

    Table 237 explains the contents of this page.

  2. If you want to edit or delete the existing profile, click one:
    • /—Enables you to edit the existing profile.

    • X—Deletes the existing profile.

  3. Click one:
    • Finish—Saves the configuration and returns to the main configuration page.

    • Back—Displays the General Information page and enables you to edit it.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 237: Identity Management Profile Page

Field

Displays the

General Information

Connection Type

type of connection (HTTP or HTTPS).

Port Number

connection port to JIMS server.

Primary IP Address

primary IP address of the JIMS server.

Primary CA Certificate

primary CA certificate of the JIMS server.

Primary Client ID

client-id of the device used to obtain an access token from the primary JIMS server.

Secondary IP Address

secondary IP address of the JIMS server.

Secondary Connection Status

connection status to the secondary JIMS server.

Secondary CA Certificate

secondary CA certificate of the JIMS server.

Secondary Client ID

client-id of the device used to obtain an access token from the secondary JIMS server.

Query API

path of the URL for querying user identities.

Token API

path of the URL for acquiring access token.

Advanced Settings

Note: Advanced query cannot be configured when active-directory auth or ClearPass Webapi is enabled. Disable active-directory-access and authentication-source under User-Identification and disable webapi services before committing identity management configuration.

Items per Batch

maximum number of items in one batch query.

No IP Query

status of no-ip-query; Enabled/Disabled

Authentication Entry Timeout

timeout value of auth entry from identity-management.

No Authentication Entry Timeout

Address-book

Address-set

Domain

Table 238: Configure or Edit Identity Management Profile

Field

Function

Action

General Information - Connection for Primary and Secondary Identity

Connection Type

Specifies the type of connection that you want when the device accesses the JIMS server.

Enter a connection type. The options available are: HTTPS and HTTP.

Port

Specifies the connection port of JIMS server.

Enter the port number or press up or down arrow to either increment or decrement the port number. The default value is 443.

Primary IP Address

Specifies the primary IP address of JIMS server.

Primary CA Certificate

Specifies the primary CA certificate of the JIMS server. The SRX device uses it to verify the JIMS server's certificate for the SSL connection.

Select Upload CA certificate to device or Specify the path of the file on device.

Primary CA Certificate file upload

Enables you to locate and upload the CA certificate.

Click Browse to locate the CA certificate on your device and click Upload the selected CA certificate.

Primary Client ID

Specifies the primary client ID of the SRX device used to obtain an access token. It must match the configuration of the API client created on JIMS.

Enter an ID.

Primary Client Secret

Specifies the client secret of the SRX device used to obtain an access token. It must match the configuration of the API client created on JIMS.

Enter a password which enables you to access the primary identity management server.

Secondary Identity Management Server

Enables a secondary JIMS server, its IP address, CA certificate, client ID, and client secret.

Select Enable to enable the secondary server.

Note: If you enable the secondary server, the Secondary IP Address, Secondary CA Certificate file upload, Secondary Client ID, and Secondary Client Secret rows are displayed. Enter the IP address of the secondary server, browse to and upload the secondary CA certificate, and enter the secondary client ID and secret in the respective fields.

Token API

Specifies the path of the URL for acquiring access token.

Enter the token API. The default is 'oauth_token/oauth'.

Query API

Specifies the path of the URL for querying user identities.

Enter the path of the URL for querying. The default is 'user_query/v2'.

Click Next. The Advanced Settings page is displayed.

Advanced Settings

Batch Query

Item Per Batch

Specifies the maximum number of items in one batch query.

Enter the number of items. Range is 100 to 1000 and the default number is 200.

Query Interval

Specifies the interval for querying the newly generated user identities.

Enter the number of seconds between queries. The range is 1 through 60 seconds, and the default value is 5.

IP Query

Query Delay Time

Specifies the time delay to send individual IP query.

Enter the time in seconds. The range is 0 through 60 seconds. The default value is 15 seconds; the appropriate value depends on the delay with which authentication entries are retrieved from JIMS to the SRX.

No IP Query

Allows you to disable IP query.

Select if you want to disable the IP query function that is enabled by default.

Authentication Timeout

Authentication Entry Timeout

Specifies the time out value for authentication entry in identity management. The timeout interval begins from when the authentication entry is added to the identity-management authentication table. If a value of 0 is specified, the entries will never expire.

Enter the value in minutes. The value range is 0 or 10 through 1440 minutes; 0 means no timeout. The default value is 60.

Invalid Authentication Entry Timeout

Specifies the timeout value of invalid auth entry in the SRX Series authentication table for either Windows active directory or Aruba ClearPass.

Enter the value in minutes. The value range is 0 or 10 through 1440 minutes; 0 means no timeout. The default value is 60.

Filter

Include IP Address Book

Specifies the predefined address book in which an address-set must be selected as IP filter.

Select an IP address book from the list.

Include IP Address Set

Specifies the predefined address set selected as IP filter.

Select an IP address set from the list.

To add a new address set for the IP address book, click Add New Address Set.

Exclude IP Address Book

Specifies the IP address book that you want identity management profile to exclude.

Select an IP address book from the list that you want to exclude.

Exclude IP Address Set

Specifies the predefined address set that you want identity management profile to exclude.

Select an IP address set from the list that you want to exclude.

Filter to Domain

Specifies one or more Active Directory domains of interest to the SRX Series device. You can specify up to twenty domain names for the filter.

Enter the domain names separated by commas.

SSL Profiles

Configuring SSL Initiation Profile

As part of an SSL initiation profile, you can specify actions related to certificate revocation checks and choose an option to ignore certificate validation errors, root CA expiration dates, and similar issues, based on your requirements. Commonly ignored errors include the inability to verify the CA signature and incorrect certificate expiration dates. We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all.

Note

SSL initiation profile is supported in SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.

  1. Select Configure>Security>SSL Initiation.

    The SSL Proxy Profiles page appears. Table 239 explains the contents of this page.

  2. Click one:
    • Add icon (+)—Create a new SSL initiation client profile. Enter information as specified in Table 240.

    • Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 240.

    • Delete(X)—Deletes the selected SSL proxy configuration.

    • Search icon—Enables you to search for an SSL proxy in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to see the configuration changes that you have performed in the Show Pending Changes.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you login to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 239: SSL Initiation Profile Page

Field

Function

Name

Displays the name of the SSL initiation profile.

Flow Tracing

Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues.

Protocol Version

Displays the accepted SSL protocol version.

Preferred Cipher

Displays the preferred cipher which the SSH server uses to perform encryption and decryption function.

Session Cache

Displays whether SSL session cache is enabled or not.

Server Authentication Failure

Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

Certificate Revocation

Displays the criterion for certificate revocation for the SSL initiation profile.

Table 240: Create-Edit SSL Initiation Profile - Configuration Details

Field

Function

Action

Policy Options

Name

Specifies the name of the SSL initiation profile.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Flow Tracing

Specifies whether or not to enable flow tracing for this profile.

Select this option to enable flow trace for troubleshooting policy-related issues for this profile.

Protocol Version

Specifies the accepted SSL protocol version.

Select the protocol from the dropdown list: None, All, TLSv1, TLSv1.1, or TLSv1.2.

Preferred Cipher

Specify the cipher category based on key strength. Ciphers are divided into the following categories.

  • Custom—Configure custom cipher suite and order of preference.

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

Select a preferred cipher from the dropdown list.

Session Cache

Specifies whether SSL session cache is enabled or not.

Select this option to enable SSL session cache.

Certificate

Trusted CA

Specify the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.

Select the trusted certificate authority profile from the dropdown list.

Client Certificate

Specify a client certificate that is required to effectively authenticate the client.

  • None

  • SSLRP_Automation_Cert_2

  • SSLFP_Automation_Cert_1

  • SSLRP_Automation_Cert_1

  • SSLFP_Automation_Cert_2

  • SSL2

Select the appropriate client certificate from the dropdown list.

Actions

Server Authentication Failure

Specifies if you want to ignore server authentication completely.

In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Select this option to ignore server authentication completely.

CRL Validation

Specifies certificate revocation actions, whether CRL validation is enabled or disabled.

Select if you want to disable CRL validation.

Action

Specifies the action if CRL information is not present.

  • None

  • Allow

  • Drop

Select the action if CRL info is not present from the options: Allow session, Drop session, or None.

Hold Instruction Code

Specifies if you want to hold the instruction code for this profile.

Select Ignore if you want to keep the instruction code on hold.

Configuring SSL Proxy

Secure Sockets Layer (SSL) is an application-level protocol that provides encryption and decryption technology for the Internet by residing between the server and the client. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.

J-Web supports both forward proxy and reverse proxy profiles.

Note

SSL proxy is supported in SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.

  1. Select Configure>Security>SSL Proxy.

    The SSL Proxy Profiles page appears. Table 241 explains the contents of this page.

  2. Click one:
    • Global Config—Configures the session cache timeout and applies it globally to all the policies.

    • Add icon (+)—Adds a new SSL proxy or global policy configuration. Enter information as specified in Table 242.

    • Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 242.

    • Delete(X)—Deletes the selected SSL proxy configuration.

    • More— Enables you to clone an SSL proxy from the selected SSL proxy configuration, display a detailed view of the selected SSL proxy, and clear all selections in the grid.

    • Search icon—Enables you to search for an SSL proxy in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to see the configuration changes that you have performed in the Show Pending Changes.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you login to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 241: SSL Proxy Profiles Page

Field

Function

Name

Displays the name of the SSL Proxy profile.

Protection Type

Displays the type of protection the profile provides. One is client protection and the other one is server protection. Client protection is for SSL forward proxy and server protection is for reverse proxy.

Preferred Cipher

Displays the cipher category of the profile, based on key strength.

Custom Cipher

Displays the custom cipher which the SSH server uses to perform encryption and decryption function.

Flow Tracing

Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues.

Exempted Addresses

Displays the whitelisted addresses that bypass SSL forward proxy processing.

Server Auth Failure

Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

Session Resumption

Displays whether the session resumption is disabled or not.

Table 242: Create-Update SSL Proxy Profile - Configuration Details

Field

Function

Action

Policy Options

Name

Specifies the name of the SSL proxy profile.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Preferred Cipher

Specify the cipher category based on key strength. Ciphers are divided into the following categories.

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

  • Custom—Configure custom cipher suite and order of preference.

Select a preferred cipher from the dropdown list.

Custom Ciphers

Specify the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.

The available custom ciphers are:

  1. rsa-with-RC4-128-md5—RSA, 128-bit RC4, MD5 hash

  2. rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

  3. rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

  4. rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

  5. rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

  6. rsa-with-aes-256-cbc-sha—RSA, 256 bit AES/CBC, SHA hash

  7. rsa-export-with-rc4-40-md5—RSA-export, 40 bit RC4, MD5 hash

  8. rsa-export-with-des40-cbc-sha—RSA-export, 40 bit DES/CBC, SHA hash

  9. rsa-with-aes-256-gcm-sha384—RSA, 256 bit AES/GCM, SHA384 hash

  10. rsa-with-aes-256-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

  11. rsa-with-aes-128-gcm-sha256—RSA, 128 bit AES/GCM, SHA256 hash

  12. rsa-with-aes-128-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

  13. ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256 bit AES/GCM, SHA384 hash

  14. ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256 bit AES/CBC, SHA hash

  15. ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256 bit AES/CBC, SHA384 hash

  16. ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES, EDE/CBC, SHA hash

  17. ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128 bit AES/GCM, SHA256 hash

  18. ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128 bit AES/CBC, SHA hash

  19. ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128 bit AES/CBC, SHA256 hash

Select the set of ciphers from the dropdown list.
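The Custom Ciphers list above gives each suite's bulk cipher and key size, and the Preferred Cipher row defines Weak, Medium and Strong purely by key strength (40, 128 and 168 bits or greater). The following Python is an added example, not J-Web or Junos code: it classifies the 19 suites named on the page by those thresholds, shows which suites each category setting would admit, and separately flags properties that a key-size category does not capture (export-grade suites, RC4, single DES, the 64-bit block of 3DES, MD5 integrity, and static RSA key exchange without forward secrecy). One consequence worth seeing: the 168-bit 3DES key places both 3DES suites in Strong under the page's definition. The function names and the flagging rules are this example's own.

```python
import re

# Categories as defined on the page: "key strength of N bits or greater".
# Checked strongest first, so a cipher lands in the highest category it meets.
CATEGORIES = (("Strong", 168), ("Medium", 128), ("Weak", 40))

# Bulk-cipher key sizes, in bits, for the algorithms named in the custom cipher list.
BULK_KEY_BITS = {
    "rc4-128": 128, "rc4-40": 40, "des40": 40, "des": 56,
    "3des": 168, "aes-128": 128, "aes-256": 256,
}
# Longer tokens first so "des40" and "3des" are not matched as plain "des".
_BULK = re.compile(r"(rc4-128|rc4-40|des40|3des|aes-128|aes-256|des)")

# The page's custom cipher list (items 1 to 19), normalized to lowercase.
CUSTOM_CIPHERS = [
    "rsa-with-rc4-128-md5", "rsa-with-rc4-128-sha", "rsa-with-des-cbc-sha",
    "rsa-with-3des-ede-cbc-sha", "rsa-with-aes-128-cbc-sha", "rsa-with-aes-256-cbc-sha",
    "rsa-export-with-rc4-40-md5", "rsa-export-with-des40-cbc-sha",
    "rsa-with-aes-256-gcm-sha384", "rsa-with-aes-256-cbc-sha256",
    "rsa-with-aes-128-gcm-sha256", "rsa-with-aes-128-cbc-sha256",
    "ecdhe-rsa-with-aes-256-gcm-sha384", "ecdhe-rsa-with-aes-256-cbc-sha",
    "ecdhe-rsa-with-aes-256-cbc-sha384", "ecdhe-rsa-with-aes-3des-ede-cbc-sha",
    "ecdhe-rsa-with-aes-128-gcm-sha256", "ecdhe-rsa-with-aes-128-cbc-sha",
    "ecdhe-rsa-with-aes-128-cbc-sha256",
]


def bulk_key_bits(name: str) -> int:
    """Key size of the bulk cipher named in a suite identifier."""
    m = _BULK.search(name.lower())
    if not m:
        raise ValueError(f"unrecognized bulk cipher in {name!r}")
    return BULK_KEY_BITS[m.group(1)]


def category(bits: int) -> str:
    """The page's category for a given key strength."""
    for label, minimum in CATEGORIES:
        if bits >= minimum:
            return label
    return "Below Weak"


def concerns(name: str) -> list:
    """Properties a defender would flag that the key-size category ignores."""
    n = name.lower()
    out = []
    if "export" in n:
        out.append("export-grade key size")
    if "rc4" in n:
        out.append("RC4 stream cipher (prohibited for TLS by RFC 7465)")
    if re.search(r"(?<!3)des", n):
        out.append("single DES")
    if "3des" in n:
        out.append("3DES: 64-bit block, Sweet32-class risk on long sessions")
    if n.endswith("md5"):
        out.append("HMAC-MD5 integrity")
    if not n.startswith("ecdhe"):
        out.append("static RSA key exchange, no forward secrecy")
    return out


def classify(names=CUSTOM_CIPHERS) -> list:
    """One record per suite: key bits, page category, and defender concerns."""
    return [{"name": n, "bits": bulk_key_bits(n),
             "category": category(bulk_key_bits(n)), "concerns": concerns(n)}
            for n in names]


def allowed_in(label: str, names=CUSTOM_CIPHERS) -> list:
    """Suites the page's Weak/Medium/Strong setting would admit."""
    minimum = dict(CATEGORIES)[label]
    return [n for n in names if bulk_key_bits(n) >= minimum]


if __name__ == "__main__":
    for rec in classify():
        flags = "; ".join(rec["concerns"]) or "none"
        print(f"{rec['name']:40} {rec['bits']:>3} bits  {rec['category']:7} {flags}")
    for label, _ in CATEGORIES:
        print(f"{label}: {len(allowed_in(label))} of {len(CUSTOM_CIPHERS)} suites admitted")
```

Selecting Custom and choosing only suites with an empty `concerns` list is the way to get the subset that both meets a key-size category and avoids the legacy properties; the category setting alone cannot express that.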

Flow Trace

Specify this option to enable flow trace for troubleshooting policy-related issues.

Select this option if you want to enable flow trace; otherwise, leave it blank.

Certificate Type

Specifies whether the certificate that you want to associate with this profile is a root CA or server certificate. Server certificate is used for SSL reverse proxy. If you choose server certificate, the trusted CA, CRL, and server auth failure options will not be available. For a forward proxy profile, choose the root CA.

In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.

Certificate

Specifies the certificate that you created in the Administration > Certificate Management page of J-Web. In a public key infrastructure (PKI) hierarchy, the CA is at the top of the trust path. The CA identifies the server certificate as a trusted certificate.

Select the certificate that you want to associate with this SSL proxy profile from the dropdown list.

Trusted Certificate Authorities

Specifies the trusted CA associated with the certificate that you selected.

Select the trusted CAs that are available on the device from the following options: All, None, or Select specific.

If you choose Select specific, you need to select the Certificate Authorities from the Available window and move it to the Selected window.

Exempted Addresses

Specifies addresses to create whitelists that bypass SSL forward proxy processing.

Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.

Select the addresses from the Available window and move them to the Selected window.

Exempted URL Categories

Specifies URL categories to create whitelists that bypass SSL forward proxy processing.

These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.

Select the URL categories from the Available window and move them to the Selected window.

Actions

Server Auth Failure

Specifies whether to ignore server authentication completely.

In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Select this option to ignore server authentication completely.

Session Resumption

To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.

Select the Disable Session Resumption option if you do not want session resumption.

Logging

Specifies whether to generate logs.

You can choose to log All events, Warnings, general Information, Errors, or specific session types (Whitelisted, Allowed, Dropped, or Ignored).

Select this option to generate logs.

Renegotiation

After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

You can specify whether to Allow nonsecure renegotiation, Allow-secure renegotiation, or Drop renegotiation.

When session resumption is enabled, session renegotiation is useful in the following situations:

  • Cipher keys need to be refreshed after a prolonged SSL session.

  • Stronger ciphers need to be applied for a more secure connection.

Select if a change in SSL parameters requires renegotiation. The options are: None (selected by default), Allow, Allow-secure, and Drop.

Certificate Revocation

Specifies if you want to revoke the certificate.

Select Disable if you want to revoke the certificate.

If CRL info not present

Specifies if you want to allow or drop if CRL info is not present.

Select the action if CRL info is not present from the options: Allow session, Drop session, or None.

Hold Instruction Code

Specifies if you want to hold the instruction code for this profile.

Select Ignore if you want to keep the instruction code on hold.
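A Junos CLI rendering of the profile options above, added here as an example and not taken from the page: a troubleshooting-only profile that exercises the options the text warns about, beside a production profile. The profile names, the certificate ID ssl-inspect-ca, the address-book entry and the URL category name are assumptions; lines beginning with # are annotations, not commands.

```junos
# Address-book entry used by "Exempted Addresses" (assumed example prefix).
set security address-book global address finance-sites 203.0.113.0/24

# --- Profile A: troubleshooting only (the options the text does not recommend) ---
# "Certificate" = the root CA created under Administration > Certificate Management
# (certificate-id assumed).
set services ssl proxy profile ssl-fp-debug root-ca ssl-inspect-ca
set services ssl proxy profile ssl-fp-debug trusted-ca all
# "Server Auth Failure": every upstream certificate error (bad CA signature,
# self-signed, expired) is accepted, so the site is not authenticated at all.
set services ssl proxy profile ssl-fp-debug actions ignore-server-auth-failure
# "Renegotiation: Allow" permits nonsecure (pre-RFC 5746) renegotiation.
set services ssl proxy profile ssl-fp-debug actions renegotiation allow
# "Certificate Revocation: Disable" turns CRL checking off.
set services ssl proxy profile ssl-fp-debug actions crl disable
# "Flow Trace" and full logging, to find the root cause of dropped sessions.
set services ssl proxy profile ssl-fp-debug enable-flow-tracing
set services ssl proxy profile ssl-fp-debug actions log all

# --- Profile B: production ---
set services ssl proxy profile ssl-fp-prod root-ca ssl-inspect-ca
set services ssl proxy profile ssl-fp-prod trusted-ca all
# Restrict the negotiated suites to the strong set rather than a custom list.
set services ssl proxy profile ssl-fp-prod preferred-ciphers strong
# Server authentication failures are NOT ignored: the statement is simply absent.
# Only RFC 5746 secure renegotiation is accepted.
set services ssl proxy profile ssl-fp-prod actions renegotiation allow-secure
# CRL checking stays on and a missing CRL fails closed
# ("If CRL info not present: Drop session").
set services ssl proxy profile ssl-fp-prod actions crl if-not-present drop
# Log only the sessions the SOC will act on.
set services ssl proxy profile ssl-fp-prod actions log sessions-dropped
# "Exempted Addresses" / "Exempted URL Categories": bypass decryption for the
# banking sites mentioned above. The category name is assumed and must match a
# predefined category on the device.
set services ssl proxy profile ssl-fp-prod whitelist finance-sites
set services ssl proxy profile ssl-fp-prod whitelist-url-categories Enhanced_Financial_Data_and_Services

# Attach the production profile to the policy that permits outbound HTTPS.
set security policies from-zone trust to-zone untrust policy inspect-https match source-address any
set security policies from-zone trust to-zone untrust policy inspect-https match destination-address any
set security policies from-zone trust to-zone untrust policy inspect-https match application junos-https
set security policies from-zone trust to-zone untrust policy inspect-https then permit application-services ssl-proxy profile-name ssl-fp-prod
```

After the commit, the per-profile counters from show services ssl proxy statistics show how many sessions were whitelisted, dropped, or ignored, which is the quickest check that the exemptions and actions behave as intended.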

ALG

ALG Configuration Page Options

  1. Select Configure>Security>ALG.

    The ALG configuration page appears. Table 243 explains the contents of this page.

  2. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Reset—Resets your entries and returns to the main configuration page.

Table 243: ALG Configuration Options

Field

Function

Action

Main

Enable TFTP

Provides an ALG for Trivial File Transfer Protocol. The TFTP ALG processes TFTP packets that initiate a request and opens a gate to allow return packets from the reverse direction to the port that sends the request.

Select the check box to enable the ALG.

Enable PPTP

Provides an ALG for Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building VPNs.

Select the check box to enable the ALG.

Enable RSH

Provides an ALG for the remote shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

Select the check box to enable the ALG.

Enable RTSP

Provides an ALG for the Real-Time Streaming Protocol.

Select the check box to enable the ALG.

Enable SQL

Provides an ALG for Structured Query Language. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet and looks for the (HOST=ipaddress), (PORT=port) pattern and performs NAT and gate opening on the client side for the TCP data channel.

Select the check box to enable the ALG.

Enable TALK

Provides an ALG for the TALK protocol. The TALK protocol uses UDP port 517 and port 518 for control-channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

Select the check box to enable the ALG.

DNS

Enable DNS

Provides an ALG for the domain name system. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates the packet is a reply message.

Select the check box to enable the ALG.

Doctoring

Specifies the sanity check.

Select the check box to enable the option.

Maximum Message length

Specifies the maximum message length.

Select a size from 512 through 8192 bytes.

Enable Oversize Message Drop

Specifies whether to drop messages that exceed the maximum message length.

Select the check box to enable the option.

FTP

Enable FTP

Provides an ALG for File Transfer Protocol. The FTP ALG monitors PORT, PASV, and 227 commands. It performs Network Address Translation (NAT) on IP/port in the message and gate opening on the device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when it detects an FTP STOR or FTP RETR command.

Select the check box to enable the ALG.

Enable allow mismatch IP address

Allows any mismatch in IP address.

Select the check box to enable.

Enable FTP Extension

Enables the file extension.

Select the checkbox to enable File extension.

Enable line Break Extension

Enables the line break extension.

Select the checkbox to enable this option.

H323

Enable H323 ALG

Enables or disables the H.323 ALG.

Select the check box.

Application Screen

Message Flood Gatekeeper Threshold

Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

Enter a value. The value range is 1 to 50000 messages per second.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified H.323 (unsupported) messages are handled by the device. The default is to drop unknown messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

DSCP Code Rewrite

Code Point

Specifies a rewrite-rule for the traffic that passes through a voice over IP Application Layer Gateway (VoIP ALG). The value of code point is in binary format.

The VoIP rewrite rule modifies the appropriate class-of-service (CoS) bits in outgoing packets through the Differentiated Services Code Point (DSCP) mechanism, which improves VoIP quality in a congested network.

Select a 6-bit string from the dropdown list.

Endpoints

Timeout For Endpoint

Controls the duration of the entries in the NAT table.

Enter a value with a range 10 to 65535 seconds.

Enable Permit Media From Any Source Port

Allows media traffic from any port number. By default, this feature is disabled. When enabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.

Enter a value from 1 through 50,000 seconds.

IKE-ESP

Enable IKE-ESP

Enables the IKE-ESP option.

Select the checkbox to enable IKE-ESP.

ESP Gate Timeout

Specifies the ESP gate timeout.

Select the gate timeout from 2 to 30 secs.

ESP Session Timeout(sec)

Specifies the ESP session time out.

Select the timeout session from 60 to 2400 sec.

ALG State Timeout(Sec)

Specifies the ALG state time out.

Select the ALG state time out from 180 to 86400 sec.

MGCP

Enable MGCP

Enables or disables the Media Gateway Control Protocol.

Select the check box.

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall MGCP ALG opened for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

Maximum Call Duration

Sets the maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 720 minutes.

Select a value from 3 through 720 minutes.

Transaction Timeout

Specifies a timeout value for MGCP transactions. A transaction is a signalling message, for example, a NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The device tracks these transactions and clears them when they time out.

Enter a value from 3 through 50 seconds.

Application Screen

Message Flood Threshold

Limits the rate per second at which message requests to the Media Gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP). This feature is disabled by default.

Enter a value from 2 through 50,000 seconds per media gateway.

Connection Flood Threshold

Limits the number of new connection requests allowed per Media Gateway (MG) per second. Connection requests exceeding the threshold are dropped by the ALG.

Enter a value from 2 through 10,000.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown MGCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

MSRPC

Enable MSRPC

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The specific UUID is mapped to a transport address.

Select the check box to enable the ALG.

Maximum Group Usage (%)

Specify the maximum group usage (%).

Select the usage % from 10 to 100%.

Map Entry Timeout(min)

Specify the map entry time out.

Select the timeout session from 5 to 4320 min.

SCCP

Enable SCCP

Enables or disables the Skinny Client Control Protocol.

Select the check box.

Inactive Media Timeout

Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates opened for media are closed.

Select a value from 10 through 600 seconds.

Application Screen

Call Flood Threshold

Protects SCCP ALG clients from flood attacks by limiting the number of calls they attempt to process.

Select a value from 2 through 1,000.

Action On Receiving Unknown Messages

Enable Permit NAT Applied

Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SCCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as though they are in route mode.)

Select the check box.

SIP

Enable SIP

Enables or disables Session Initiation Protocol.

Select the check box.

Enable Retain Hold Resource

Enables or disables whether the device frees media resources for a SIP, even when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.

Select the check box.

Maximum Call Duration

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 720 minutes.

Select a value from 3 through 720 minutes.

C Timeout

Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

Select a value from 3 through 10 minutes.

T4 Interval

Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 through 10 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted.

Select a value from 5 through 10 seconds.

Inactive Media Timeout

Specifies the maximum time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) in the firewall SIP ALG opened for media are closed. The default setting is 120 seconds; the range is 10 through 2550 seconds. Note that, upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value from 10 through 2,550 seconds.

T1 Interval

Specifies the roundtrip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

Select a value from 500 through 5000 milliseconds.

Action On Receiving Unknown Message

Enable Permit NAT Applied

Specifies how unidentified SIP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Select the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in route mode. (Sessions in transparent mode are treated as route mode.)

Select the check box.

Protect Options

Application Screen

SIP Invite Attack Table Entry Timeout

Specifies the time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen.

Enter a value from 1 through 3,600 seconds.

Enable Attack Protection

Protects servers against INVITE attacks. Configures the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.

Select All Servers or Selected Servers as the options.

When the Selected Servers option is selected, the UI provides the option to add or delete destination IP addresses.

SUNRPC

Enable SUNRPC

Provides a method for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Select the checkbox to enable SUNRPC.

Maximum Group Usage (%)

Specify the maximum group usage (%).

Select the usage % from 10 to 100%.

Map Entry Timeout

Specify the map entry time out.

Select the timeout session from 5 to 4320 min.
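The same ALG settings expressed as Junos CLI statements, added as an example and not taken from the page: unused ALGs are disabled, the DNS, H.323, MGCP, SCCP and SIP limits from Table 243 are set, and unknown-message handling is left at its default (drop). The PBX address is an assumption and lines beginning with # are annotations, not commands.

```junos
# Disable ALGs for protocols this device does not carry; an ALG that is not
# needed is protocol-parsing code that does not need to see traffic.
set security alg tftp disable
set security alg rsh disable
set security alg talk disable
set security alg pptp disable

# DNS: sanity-check doctoring, cap the message length, drop anything larger.
set security alg dns doctoring sanity-check
set security alg dns maximum-message-length 1024
set security alg dns oversize-message-drop

# FTP: keep the ALG (it opens the PORT/PASV pinholes) but do not accept a
# data-channel address that differs from the control-channel peer.
delete security alg ftp allow-mismatch-ip-address

# H.323: rate-limit RAS requests to the gatekeeper (off by default) and age
# out NAT entries for silent endpoints.
set security alg h323 application-screen message-flood gatekeeper threshold 1000
set security alg h323 endpoint-registration-timeout 3600

# MGCP: flood thresholds plus call and transaction limits so stale pinholes close.
set security alg mgcp application-screen message-flood threshold 1000
set security alg mgcp application-screen connection-flood threshold 200
set security alg mgcp maximum-call-duration 480
set security alg mgcp inactive-media-timeout 120
set security alg mgcp transaction-timeout 10

# SCCP: bound the calls a single client can have in flight.
set security alg sccp application-screen call-flood threshold 20
set security alg sccp inactive-media-timeout 120

# SIP: timers from the table, and INVITE attack protection for the PBX only
# ("Selected Servers"; the address is an assumed example).
set security alg sip maximum-call-duration 480
set security alg sip inactive-media-timeout 120
set security alg sip t1-interval 500
set security alg sip t4-interval 5
set security alg sip c-timeout 3
set security alg sip application-screen protect deny destination-ip 10.20.30.40
set security alg sip application-screen protect deny timeout 60

# "Action On Receiving Unknown Message" stays at its default (drop) on every
# VoIP ALG. The permit statements are for interoperability troubleshooting only;
# if one was set during a debugging session, remove it before returning to
# production.
delete security alg sip application-screen unknown-message permit-nat-applied
delete security alg sip application-screen unknown-message permit-routed
```

After the commit, show security alg status lists which ALGs are enabled, which is the quickest check that the disable statements took effect.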

Firewall Filters

IPv4 Firewall Filters Configuration Page Options

  1. Select Configure>Security>Filters>IPv4 Firewall Filters in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Firewall Filters>IPV4 in the J-Web user interface.

    The IPv4 Firewall Filters configuration page appears.

  2. Click one:
    • Add—Adds a new or duplicate IPv4 firewall filters configuration. Enter information as specified in Table 244.

    • Edit—Edits the selected IPv4 firewall filters configuration.

    • Delete—Deletes the selected IPv4 firewall filters configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.
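An added Junos CLI example, not taken from the page, of an IPv4 firewall filter that uses the match conditions Table 244 describes: address matches with except, port matches paired with an explicit protocol, tcp-established, ICMP type, and fragment handling, followed by the insert command that does what the Before/After term positioning does in J-Web. The filter name, term names, and addresses are assumptions; lines beginning with # are annotations.

```junos
# Management SSH from one subnet, excluding one host in it.
set firewall family inet filter protect-re term mgmt-ssh from source-address 10.10.0.0/24
set firewall family inet filter protect-re term mgmt-ssh from source-address 10.10.0.99/32 except
# A port match does not check the protocol by itself (see the Notes in the
# table), so the protocol is stated in the same term.
set firewall family inet filter protect-re term mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term mgmt-ssh then accept

# Return traffic for TCP sessions the device itself initiated; tcp-established
# likewise needs "protocol tcp" in the same term.
set firewall family inet filter protect-re term established from protocol tcp
set firewall family inet filter protect-re term established from tcp-established
set firewall family inet filter protect-re term established then accept

# ICMP type is only meaningful together with "protocol icmp".
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp from icmp-type echo-request
set firewall family inet filter protect-re term icmp from icmp-type echo-reply
set firewall family inet filter protect-re term icmp then accept

# Trailing fragments carry no Layer 4 header, so the port terms above cannot
# classify them; log and drop them explicitly.
set firewall family inet filter protect-re term fragments from is-fragment
set firewall family inet filter protect-re term fragments then log
set firewall family inet filter protect-re term fragments then discard

# Final deny with logging, so anything unexpected is visible in the logs.
set firewall family inet filter protect-re term deny-all then log
set firewall family inet filter protect-re term deny-all then discard

# Term order is evaluation order (the up/down arrows in the Action column).
# The CLI equivalent of "Before IPv4 Term" is insert:
insert firewall family inet filter protect-re term fragments before term mgmt-ssh

# Apply the filter to the loopback so it protects the control plane.
set interfaces lo0 unit 0 family inet filter input protect-re
```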

Table 244: Add IPv4 Firewall Filters Configuration Details

Field

Function

Action

IPv4 Filter Summary

Action column

Displays up and down arrows and an X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which the corresponding actions are carried out.

The options available are:

  • To move an item upward—Locate the item and click the up arrow from the same row.

  • To move an item downward—Locate the item and click the down arrow from the same row.

  • To delete an item—Locate the item and click the X from the same row.

Select an option.

Filter Name

Displays the name of the filter and when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or modify filter terms.

The options available are:

  • To display the terms added to a filter—Click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.

  • To edit a filter—Click the filter name. To edit a term, click the name of the term.

Select an option.

Search

Filter Name

Searches for existing filters by filter name.

The options available are:

  • To find a specific filter—Enter the name of the filter in the Filter Name box.

  • To list all filters with a common prefix or suffix—Use the wildcard character (*) when you enter the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Select an option.

Term Name

Searches for existing terms by term name.

The options available are:

  • To find a specific term—Enter the name of the term in the Term Name box.

  • To list all terms with a common prefix or suffix—Use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra .

Select an option.

Number of Items to Display

Specifies the number of filters or terms to display on one page. Select the number of items to be displayed on one page.

Select a number from the list.

Add New IPv4 Filter

Name

Positions the new filter in one of the following locations:

  • After Final IPv4 Filter—At the end of all filters.

  • After IPv4 Filter—After a specified filter.

  • Before IPv4 Filter—Before a specified filter.

Select an option.

Add

Adds a new filter name. Opens the term summary page for this filter allowing you to add new terms to this filter.

Click Add.

Add New IPv4 Term

Name

Positions the new term in one of the following locations:

  • After Final IPv4 Filter—At the end of all terms.

  • After IPv4 Filter—After a specified term.

  • Before IPv4 Filter—Before a specified term.

Select an option.

Add

Opens the Filter Term page allowing you to define the match conditions and the action for this term.

Click Add.

Match Source

Source Address

Specifies IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP source address from the match condition.

Enter an IP source address and prefix length, and select an option.

Source Prefix List

Specifies source prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined source prefix list in the match condition, type the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Source Port

Specifies the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port from the match condition.

Select the port from the port name list; enter the port name, number, or range and then select an option.

Match Destination

Destination Address

Specifies destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length and select an option.

Destination Prefix List

Specifies destination prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined destination prefix list, enter the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Destination Port

Specifies destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Source or Destination

Address

Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination. Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP address and prefix length and select an option.

Prefix List

Specifies prefix lists, which you have already defined, to be included in the match condition for a source or destination. Allows you to remove a prefix list from the match condition.

Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

The options available are:

  • Add—To include a predefined prefix list, type the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Port

Specifies a port type to be included in, or excluded from, a match condition for a source or destination. Allows you to remove a port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Interface

Interface

Specifies interfaces to be included in a match condition. Allows you to remove an interface from the match condition.

The options available are:

  • Add—To include an interface in a match condition.

  • Delete—To remove an interface from the match condition.

Select a name from the interface name list or enter the interface name, and then select an option.

Interface Set

Specifies interface sets, which you have already defined, to be included in a match condition. Allows you to remove an interface set from the match condition.

The options available are:

  • Add—To include an interface set in the match condition.

  • Delete—To remove an interface set from the match condition.

Enter the interface set name and select an option.

Interface Group

Specifies interface groups, which you have already defined, to be included in, or excluded from, a match condition. Allows you to remove an interface group from the match condition.

The options available are:

  • Add—To include the interface group in the match condition.

  • Except—To exclude the interface group from the match condition and then select Add—To include the interface group in the match condition.

  • Delete—To remove an interface group from the match condition.

Enter the name of the group and select an option.

Match Packet and Network

First Fragment

Matches the first fragment of a fragmented packet.

Select the check box.

Is Fragment

Matches trailing fragments (all but the first fragment) of a fragmented packet.

Select the check box.

Fragment Flags

Specifies fragmentation flags to be included in the match condition.

Enter a text or numeric string defining the flag.

TCP Established

Matches all Transmission Control Protocol packets other than the first packet of a connection.

Note: This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as the protocol match condition in the same term.

Select the check box.

TCP Initial

Matches the first Transmission Control Protocol packet of a connection.

Note: This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as the protocol match condition in the same term.

Select the check box.

TCP Flags

Specifies Transmission Control Protocol flags to be included in the match condition.

Note: This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as the protocol match condition in the same term.

Enter a text or numeric string defining the flag.

Protocol

Specifies IPv4 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv4 protocol type from the match condition.

The options available are:

  • Add—To include the protocol in the match condition.

  • Except—To exclude the protocol from the match condition and then select Add—To include the protocol in the match condition.

  • Delete—To remove an IPv4 protocol type from the match condition.

Select a protocol name from the list or enter a protocol name or number and then select an option.

ICMP Type

Specifies ICMP packet types to be included in, or excluded from, the match condition. Allows you to remove an ICMP packet type from the match condition.

Note: This match condition does not verify that ICMP is the protocol in use. Make sure to specify ICMP as a protocol match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.

  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.

  • Delete—To remove an ICMP packet type from the match condition.

Select a packet type from the list or enter a packet type name or number and then select an option.

ICMP Code

Specifies the ICMP code to be included in, or excluded from, the match condition. Allows you to remove an ICMP code from the match condition.

Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

The options available are:

  • Add—To include the code in the match condition.

  • Except—To exclude the code from the match condition and then select Add—To include the code in the match condition.

  • Delete—To remove an ICMP code from the match condition.

Select a packet code from the list or enter the packet code as text or a number and select an option.

Fragment Offset

Specifies the fragment offset value to be included in, or excluded from, the match condition. The fragment offset value specifies the location of the fragment in the packet. For example, fragment offset zero specifies the first fragment. Allows you to remove a fragment offset value from the match condition.

The options available are:

  • Add—To include the offset in the match condition.

  • Except—To exclude the offset from the match condition and then select Add—To include the offset in the match condition.

  • Delete—To remove a fragment offset value from the match condition.

Enter a fragment offset number or range and then select an option.

Precedence

Specifies IP precedences to be included in, or excluded from, the match condition. Allows you to remove an IP precedence entry from the match condition.

The options available are:

  • Add—To include the precedence in the match condition.

  • Except—To exclude the precedence from the match condition and then select Add—To include the precedence in the match condition.

  • Delete—To remove an IP precedence from the match condition.

Select IP precedences from the list; or enter the precedence as a keyword, a decimal integer from 0 through 7, or a binary string; and then select an option.

DSCP

Specifies Differentiated Services code points to be included in, or excluded from, the match condition. Allows you to remove a DSCP entry from the match condition.

The options available are:

  • Add—To include the DSCP in the match condition.

  • Except—To exclude the DSCP from the match condition and then select Add—To include the DSCP in the match condition.

  • Delete—To remove a DSCP from the match condition.

Select DSCP from the list; or enter the DSCP value as a keyword, a decimal integer from 0 through 7, or a binary string; and then select an option.

TTL

Specifies the IPv4 time-to-live value to be included in, or excluded from, the match condition. Allows you to remove an IPv4 TTL value from the match condition.

The options available are:

  • Add—To include the TTL in the match condition.

  • Except—To exclude the TTL from the match condition and then select Add—To include the TTL in the match condition.

  • Delete—To remove an IPv4 TTL value from the match condition.

Specify an IPv4 TTL value by entering a number from 1 through 255, and select an option.

Packet Length

Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition. Allows you to remove a packet length value from the match condition.

The options available are:

  • Add—To include the packet length in the match condition.

  • Except—To exclude the packet length from the match condition and then select Add—To include the packet length in the match condition.

  • Delete—To remove a packet length value from the match condition.

Specify a packet length by entering a value or range, and then select an option.

Forwarding Class

Specifies forwarding classes to be included in, or excluded from, the match condition. Allows you to remove a forwarding class entry from the match condition.

The options available are:

  • Add—To include the forwarding class in the match condition.

  • Except—To exclude the forwarding class from the match condition and then select Add—To include the forwarding class in the match condition.

  • Delete—To remove a forwarding class from the match condition.

Specify a forwarding class by selecting a forwarding class from the list or entering a forwarding class, and then select an option.

IP Options

Specifies IP options to be included in, or excluded from, the match condition. Allows you to remove an IP option from the match condition.

The options available are:

  • Add—To include the IP option in the match condition.

  • Except—To exclude the IP option from the match condition and then select Add—To include the IP option in the match condition.

  • Delete—To remove an IP option from the match condition.

Specify an IP option by selecting it from the list or entering a text or numeric string identifying the option, and then select an option.

IPSec ESP SPI

Specifies IPSec Encapsulating Security Payload security parameter index values to be included in, or excluded from, the match condition. Allows you to remove an ESP SPI value from the match condition.

The options available are:

  • Add—To include the value in the match condition.

  • Except—To exclude the value from the match condition and then select Add—To include the value in the match condition.

  • Delete—To remove an ESP SPI value from the match condition.

Specify an ESP SPI value by entering a binary, hexadecimal, or decimal SPI value or range, and then select an option.
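The notes on the TCP Established, TCP Initial and TCP Flags conditions above say the same thing three times: the flag test reads the bytes where a TCP header would keep its flags, without checking that the packet is TCP at all. The following Python is an added example, not code from the page or from Juniper, that shows why the note matters. It parses a constructed IPv4 packet into the fields this table matches on (protocol, TTL, precedence and DSCP from the TOS byte, first-fragment and is-fragment from the fragmentation field) and then evaluates a term with and without `protocol tcp`. A UDP datagram whose sixth payload byte happens to carry the ACK bit matches a bare `tcp-established` term and stops matching once the protocol condition is added. The definitions `tcp_established` = ACK or RST set and `tcp_initial` = SYN without ACK are assumptions consistent with the page's "first packet of a connection" wording; all packets are constructed inline.

```python
import struct
from dataclasses import dataclass

# Protocol numbers and TCP flag bits used below (standard IANA / RFC 793 values).
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_ipv4(proto, payload, *, ttl=64, tos=0, frag_offset=0, more_fragments=False):
    """Constructed IPv4 header (20 bytes, no options) in front of payload.
    The checksum is left at zero because it plays no part in filter matching."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 1, flags_frag,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)


@dataclass
class Ipv4Fields:
    protocol: int
    ttl: int
    precedence: int       # top 3 bits of the TOS byte
    dscp: int             # top 6 bits of the TOS byte
    first_fragment: bool  # offset 0 with More Fragments set
    is_fragment: bool     # any trailing fragment (offset != 0)
    fragment_offset: int
    l4: bytes             # everything after the IPv4 header


def parse_ipv4(pkt):
    ver_ihl, tos, _tlen, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    off = flags_frag & 0x1FFF
    return Ipv4Fields(protocol=proto, ttl=ttl, precedence=tos >> 5, dscp=tos >> 2,
                      first_fragment=(off == 0 and mf), is_fragment=(off != 0),
                      fragment_offset=off, l4=pkt[ihl:])


def tcp_flags_byte(fields):
    """Read the byte where TCP keeps its flags. As the page's note says, nothing here
    checks that the transport really is TCP: for a UDP datagram this is payload byte 5,
    for a trailing fragment it is whatever data happens to sit there."""
    return fields.l4[13] if len(fields.l4) > 13 else 0


def match_term(fields, cond):
    """Evaluate a term's match conditions; keys mirror the page's field names.
    tcp_established = ACK or RST set, tcp_initial = SYN set without ACK (assumed)."""
    if "protocol" in cond and fields.protocol != cond["protocol"]:
        return False
    flags = tcp_flags_byte(fields)
    if cond.get("tcp_established") and not flags & (TCP_ACK | TCP_RST):
        return False
    if cond.get("tcp_initial") and not (flags & TCP_SYN and not flags & TCP_ACK):
        return False
    if cond.get("first_fragment") and not fields.first_fragment:
        return False
    if cond.get("is_fragment") and not fields.is_fragment:
        return False
    if "ttl" in cond and fields.ttl not in cond["ttl"]:
        return False
    return True


# Constructed sample packets (not captured traffic).
SAMPLE_SYN = build_ipv4(IPPROTO_TCP, build_tcp(40000, 22, TCP_SYN))
SAMPLE_ACK = build_ipv4(IPPROTO_TCP, build_tcp(40000, 22, TCP_ACK), tos=0xB8)
# UDP datagram whose payload byte 5 happens to be 0x10, the TCP ACK bit.
SAMPLE_UDP_LOOKALIKE = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 5353, 5353, 16, 0) + b"hello\x10ok")
SAMPLE_FIRST_FRAG = build_ipv4(IPPROTO_UDP, b"\x00" * 16, more_fragments=True)
SAMPLE_TRAIL_FRAG = build_ipv4(IPPROTO_UDP, b"\x00" * 16, frag_offset=185)


def established_matches(pkt, require_tcp):
    """True if a tcp-established term matches pkt, with or without 'protocol tcp' in the term."""
    cond = {"tcp_established": True}
    if require_tcp:
        cond["protocol"] = IPPROTO_TCP
    return match_term(parse_ipv4(pkt), cond)
```

Calling `established_matches(SAMPLE_UDP_LOOKALIKE, require_tcp=False)` returns True and `established_matches(SAMPLE_UDP_LOOKALIKE, require_tcp=True)` returns False, which is the whole point of the page's note: put the protocol condition in the same term as any TCP flag condition.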

Action

Nothing

Specifies that no action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

Select Nothing.

Accept

Accepts a packet that meets the match conditions of the term.

Select Accept.

Discard

Discards a packet that meets the match conditions of the term. Names a discard collector for packets.

Select Discard.

Reject

Rejects a packet that meets the match conditions of the term and returns a rejection message. Allows you to specify a message type that denotes the reason the packet was rejected.

Note: To log and sample rejected packets, specify log and sample action modifiers in conjunction with this action.

Select Reject and then select a message type from the reason list.

Next Term

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term. This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term. When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.

Select Next Term.

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

Select Routing Instance, and enter the routing instance name in the box next to Routing Instance.

Load Balance

Specifies a load-balance group, which you have already defined, to be used by packets that meet the match conditions. A load-balance group contains interfaces that use the same next-hop group to balance the traffic load.

Select Load Balance and enter the group name in the box next to Load Balance.

Action Modifiers

Forwarding Class

Classifies the packet as a specific forwarding class.

Select Forwarding Class from the list.

Count

Counts the packets passing this term. Allows you to name a counter that is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

Select Count and enter a 24-character string containing letters, numbers, or hyphens to specify a counter name.

Virtual Channel

Specifies the virtual channel to be set on a particular logical interface.

Enter a string identifying the virtual channel.

Log

Logs the packet header information in the routing engine.

Select Log.

Syslog

Records packet information in the system log.

Select Syslog.

Sample

Samples traffic on the interface.

Note: You must enable traffic sampling for this action to work.

Select Sample.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

Select Loss Priority from the list.

IPv6 Firewall Filters Configuration Page Options

  1. Select Configure>Security>Filters>IPv6 Firewall Filters in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Firewall Filters>IPV6 in the J-Web user interface.

    The IPv6 Firewall Filters configuration page appears.

  2. Click one:
    • Add—Adds a new or duplicate IPv6 firewall filters configuration. Enter information as specified in Table 245.

    • Edit—Edits the selected IPv6 firewall filters configuration.

    • Delete—Deletes the selected IPv6 firewall filters configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 245: Add IPv6 Firewall Filters Configuration Details

Field | Function | Action

IPv6 Filter Summary

Action column

Displays up and down arrows and an X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which corresponding actions are carried out.

The options available are:

  • To move an item upward—Locate the item and click the up arrow from the same row.

  • To move an item downward—Locate the item and click the down arrow from the same row.

  • To delete an item—Locate the item and click the X from the same row.

Select an option.

Filter Name

Displays the name of the filter and, when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or to modify filter terms.

The options available are:

  • To display the terms added to a filter—Click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.

  • To edit a filter—Click the filter name. To edit a term, click the name of the term.

Select an option.

Search

Filter Name

Searches for existing filters by filter name.

The options available are:

  • To find a specific filter—Enter the name of the filter in the Filter Name box.

  • To list all filters with a common prefix or suffix—Use the wildcard character (*) when you enter the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Select an option.

Term Name

Searches for existing terms by name.

The options available are:

  • To find a specific term—Enter the name of the term in the Term Name box.

  • To list all terms with a common prefix or suffix—Use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Select an option.

Number of Items to Display

Specifies the number of filters or terms to display on one page.

Select a number from the list.

Add New IPv6 Filter

Name

Positions the new filter in one of the following locations:

  • After Final IPv4 Filter—At the end of all filters.

  • After IPv6 Filter—After a specified filter.

  • Before IPv6 Filter—Before a specified filter.

Select an option.

Add

Adds a new filter name. Opens the term summary page for this filter allowing you to add new terms to this filter.

Click Add.

Add New IPv6 Term

Name

Positions the new term in one of the following locations:

  • After Final IPv6 Filter—At the end of all terms.

  • After IPv6 Filter—After a specified term.

  • Before IPv6 Filter—Before a specified term.

Select an option.

Add

Opens the Filter Term page, allowing you to define the match conditions and the action for this term.

Click Add.

Match Source

Source Address

Specifies IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP source address from the match condition.

Enter an IP source address and prefix length, and select an option.

Source Prefix List

Specifies source prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined source prefix list in the match condition, type the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Source Port

Specifies the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Destination

Destination Address

Specifies destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length, and select an option.

Destination Prefix List

Specifies destination prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined destination prefix list, enter the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Destination Port

Specifies destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Source or Destination

Address

Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination. Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP address and prefix length, and select an option.

Prefix List

Specifies prefix lists, which you have already defined, to be included in the match condition for a source or destination. Allows you to remove a prefix list from the match condition.

Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

The options available are:

  • Add—To include a predefined prefix list, type the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Select an option.

Port

Specifies a port type to be included in, or excluded from, a match condition for a source or destination. Allows you to remove a port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Interface

Interface

Specifies interfaces to be included in a match condition. Allows you to remove an interface from the match condition.

The options available are:

  • Add—To include an interface in a match condition.

  • Delete—To remove an interface from the match condition.

Select a name from the interface name list, or enter the interface name, and then select an option.

Interface Set

Specifies interface sets, which you have already defined, to be included in a match condition. Allows you to remove an interface set from the match condition.

The options available are:

  • Add—To include the interface set in the match condition.

  • Delete—To remove an interface set from the match condition.

Enter the interface set name and select an option.

Interface Group

Specifies interface groups, which you have already defined, to be included in, or excluded from, a match condition. Allows you to remove an interface group from the match condition.

The options available are:

  • Add—To include the interface group in the match condition.

  • Except—To exclude the interface group from the match condition and then select Add—To include the interface group in the match condition.

  • Delete—To remove an interface group from the match condition.

Enter the name of the group and select an option.

Match Packet and Network

TCP Established

Matches all Transmission Control Protocol packets other than the first packet of a connection.

Note: This match condition does not verify that TCP is the protocol in use on the port. Make sure to specify TCP as a protocol match condition in the same term.

Select the check box.

TCP Initial

Matches the first Transmission Control Protocol packet of a connection.

Note: This match condition does not verify that TCP is the protocol in use on the port. Make sure to specify TCP as a protocol match condition in the same term.

Select the check box.

TCP Flags

Specifies Transmission Control Protocol flags to be included in the match condition.

Note: This match condition does not verify that TCP is the protocol in use on the port. Make sure to specify TCP as a protocol match condition in the same term.

Enter a text or numeric string defining the flag.

ICMP Type

Specifies Internet Control Message Protocol packet types to be included in, or excluded from, the match condition. Allows you to remove an ICMP packet type from the match condition.

Note: This match condition does not verify that ICMP is the protocol in use. Make sure to specify ICMP as a protocol match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.

  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.

  • Delete—To remove an ICMP packet type from the match condition.

Select a packet type from the list or enter a packet type name or number, and select an option.

Next Header

Specifies IPv6 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv6 protocol type from the match condition.

The options available are:

  • Add—To include the protocol in the match condition.

  • Except—To exclude the protocol from the match condition and then select Add—To include the protocol in the match condition.

  • Delete—To remove an IPv6 protocol type from the match condition.

Select a protocol name from the list or enter the protocol name or number, and select an option.

ICMP Code

Specifies the Internet Control Message Protocol code to be included in, or excluded from, the match condition. Allows you to remove an ICMP code from the match condition.

Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

The options available are:

  • Add—To include the code in the match condition.

  • Except—To exclude the code from the match condition and then select Add—To include the code in the match condition.

  • Delete—To remove an ICMP code from the match condition.

Select a packet code from the list, or enter the packet code as text or a number, and select an option.

Traffic Class

Specifies the traffic class to be included in, or excluded from, the match condition. Allows you to remove a traffic class value from the match condition.

The options available are:

  • Add—To include the traffic class in the match condition.

  • Except—To exclude the traffic class from the match condition and then select Add—To include the traffic class in the match condition.

  • Delete—To remove a traffic class value from the match condition.

Select a traffic class from the list, or enter the traffic class as a text or numeric value or range, and select an option.

Packet Length

Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition. Allows you to remove a packet length value from the match condition.

The options available are:

  • Add—To include the packet length in the match condition.

  • Except—To exclude the packet length from the match condition and then select Add—To include the packet length in the match condition.

  • Delete—To remove a packet length value from the match condition.

Specify a packet length by entering a value or range, and select an option.

Forwarding Class

Specifies forwarding classes to be included in, or excluded from, the match condition. Allows you to remove a forwarding class entry from the match condition.

The options available are:

  • Add—To include the forwarding class in the match condition.

  • Except—To exclude the forwarding class from the match condition and then select Add—To include the forwarding class in the match condition.

  • Delete—To remove a forwarding class from the match condition.

Specify a forwarding class by selecting a forwarding class from the list or entering a forwarding class, and then select an option.

Action

Nothing

Specifies that no action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

Select Nothing.

Accept

Accepts a packet that meets the match conditions of the term.

Select Accept.

Discard

Discards a packet that meets the match conditions of the term. Names a discard collector for packets.

Select Discard.

Reject

Rejects a packet that meets the match conditions of the term and returns a rejection message. Allows you to specify a message type that denotes the reason the packet was rejected.

Note: To log and sample rejected packets, specify log and sample action modifiers in conjunction with this action.

Select Reject and then select a message type from the reason list.

Next Term

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term. This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term. When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.

Select Next Term.

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

Select Routing Instance and enter the routing instance name in the box next to Routing Instance.

Load Balance

Specifies a load-balance group, which you have already defined, to be used by packets that meet the match conditions. A load-balance group contains interfaces that use the same next-hop group to balance the traffic load.

Select Load Balance and enter the group name in the box next to Load Balance.

Action Modifiers

Forwarding Class

Classifies the packet as a specific forwarding class.

Select Forwarding Class from the list.

Count

Counts the packets passing this term. Allows you to name a counter, which is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

Select Count and then enter a 24-character string containing letters, numbers, or hyphens to specify a counter name.

Log

Logs the packet header information in the routing engine.

Select Log.

Syslog

Records packet information in the system log.

Select Syslog.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

Select Loss Priority from the list.
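The Action and Action Modifiers rows of the IPv4 table above and of this IPv6 table describe the same evaluation model: terms are tried in order, the first matching term decides unless its action is Next Term, Nothing means accept, and a packet that matches no term is discarded; Count and Log are modifiers that fire on a match without ending evaluation. The following Python is an added example serving both tables, not code from the page or from Juniper, that models that evaluation over packets represented as dictionaries. It also covers the Except option from the match rows as a per-condition negation, and address conditions as prefix matches. The filter, terms and packets are constructed for the example; the model is deliberately simpler than Junos (for instance it applies Except to a single value rather than to a list).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Except:
    """Wraps a match value to mean 'everything except this' (the page's Except option)."""
    value: Any


@dataclass
class Term:
    name: str
    match: Dict[str, Any]          # field -> value, set/range of values, or Except(...)
    action: str = "nothing"        # nothing | accept | discard | reject | next-term
    count: Optional[str] = None    # action modifier: counter name
    log: bool = False              # action modifier: record the packet


@dataclass
class Filter:
    name: str
    terms: List[Term]
    counters: Dict[str, int] = field(default_factory=dict)
    log_lines: List[str] = field(default_factory=list)


def _hit(key, have, want):
    """Does one packet field satisfy one (non-negated) condition?"""
    if have is None:
        return False
    if key.endswith("address"):            # prefix match, e.g. "10.0.0.0/8"
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if isinstance(want, (set, frozenset, range)):
        return have in want
    return have == want


def term_matches(term, pkt):
    """All conditions in a term must hold; Except(...) inverts one condition."""
    for key, want in term.match.items():
        negate = isinstance(want, Except)
        if negate:
            want = want.value
        if _hit(key, pkt.get(key), want) == negate:
            return False
    return True


def evaluate(flt, pkt):
    """Return the action taken for pkt. Semantics as the page describes them: terms are
    tried in order; the first match decides unless its action is next-term; Nothing
    counts as accept; a packet that matches no term is discarded. Count and Log are
    applied on every matching term, including next-term ones."""
    for term in flt.terms:
        if not term_matches(term, pkt):
            continue
        if term.count:
            flt.counters[term.count] = flt.counters.get(term.count, 0) + 1
        if term.log:
            flt.log_lines.append(f"{flt.name}/{term.name}: {pkt}")
        if term.action == "next-term":
            continue
        return "accept" if term.action == "nothing" else term.action
    return "discard"


def build_demo_filter():
    """Constructed example filter (not from the page)."""
    return Filter("edge-in", [
        Term("allow-established", {"protocol": "tcp", "tcp_established": True},
             action="accept", count="established"),
        Term("count-dns", {"protocol": "udp", "destination_port": 53},
             action="next-term", count="dns-queries"),
        Term("from-internal", {"source_address": "10.0.0.0/8"}, action="accept"),
        Term("ssh-from-outside",
             {"protocol": "tcp", "destination_port": 22, "source_address": Except("10.0.0.0/8")},
             action="reject", log=True),
    ])


def run_demo():
    """Constructed packets run through the filter; returns (actions, counters, log lines)."""
    flt = build_demo_filter()
    packets = [
        {"protocol": "tcp", "tcp_established": True, "source_address": "203.0.113.5", "destination_port": 443},
        {"protocol": "udp", "destination_port": 53, "source_address": "10.1.2.3"},
        {"protocol": "udp", "destination_port": 53, "source_address": "198.51.100.9"},
        {"protocol": "tcp", "tcp_established": False, "destination_port": 22, "source_address": "198.51.100.9"},
    ]
    return [evaluate(flt, p) for p in packets], flt.counters, flt.log_lines
```

The second and third packets both pass through `count-dns`, so the `dns-queries` counter reaches 2 even though only the internal one is finally accepted; the external DNS query falls off the end of the filter and is discarded, which is the implicit behaviour the Nothing row describes.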

Assign to Interfaces Configuration Page Options

  1. Select Configure>Filters>Assign to Interfaces in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Firewall Filters>Assign to Interfaces in the J-Web user interface.

    The Assign to Interfaces configuration page appears.

  2. Click one:
    • Add—Adds a new or duplicate assign to interfaces configuration. Enter information as specified in Table 246.

    • Edit—Edits the selected assign to interfaces configuration.

    • Delete—Deletes the selected assign to interfaces configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 246: Add Assign to Interfaces Configuration Details

Field | Function | Action
Firewall Filters

Logical Interface Name

Displays the logical interfaces on a router. Allows you to apply IPv4 and IPv6 firewall filters to packets received on the interface and packets transmitted from the interface.

The options available are:

  • To apply an input firewall filter, follow instructions in the input firewall filters section.

  • To apply an output firewall filter, follow instructions in the output firewall filters section.

Select an interface name.

Link State

Displays the status of the logical interface.

Input Firewall Filters

Displays the input firewall filter applied on an interface. This filter evaluates all packets received on the interface.

Output Firewall Filters

Displays the output firewall filter applied on an interface. This filter evaluates all packets transmitted from the interface.

Input Firewall Filters

IPv4 Input Filter

IPv6 Input Filter

Allows you to apply an input firewall filter to an interface. This filter evaluates all packets received on the interface.

Select the name of the firewall filter from the list.

Output Firewall Filters

IPv4 Output Filter

IPv6 Output Filter

Allows you to apply an output firewall filter to an interface. This filter evaluates all packets transmitted from the interface.

Select the name of the firewall filter from the list.

ICAP Redirect

ICAP Redirect Profile Configuration Page Options

The Internet Content Adaptation Protocol (ICAP) is a lightweight protocol used to extend transparent proxy servers, thereby freeing up resources and standardizing the way in which new features are implemented. ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches. It also concentrates on leveraging edge-based devices (caching proxies) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP web servers.

On SRX devices, the device acts as an SSL proxy and, where a security policy permits it, decrypts pass-through traffic using the configured SSL proxy profile. It decrypts the HTTPS traffic and redirects the HTTP messages to a third-party, on-premises DLP server over an Internet Content Adaptation Protocol (ICAP) channel.

  1. Select Configure>Security>ICAP Redirect Profile in the J-Web user interface.

    The ICAP Redirect Profile configuration page appears.

  2. Click one:
    • Server Status—Fetches and displays the ICAP Redirect server details in a new window. It shows the ICAP profile name, server name, and its status.

    • Add—Creates a new ICAP Redirect profile configuration. Enter information as specified in Table 247.

    • Edit—Edits the selected ICAP Redirect profile configuration.

    • Delete—Deletes the selected ICAP Redirect profile configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 247: Create-Edit ICAP Redirect Profile

Field | Function | Action
Firewall Filters

Name

Displays the ICAP Service profile name.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Timeout

Displays the server response timeout in miliseconds.

Enter the server response timeout in milliseconds. The range is between 100 milliseconds to 50000 milliseconds.

HTTP Redirect Option

Request

Enables redirect service on HTTP request

Select to enable redirect service on HTTP request.

Response

Enables redirect service on HTTP response.

Select to enable redirect service on HTTP response.

ICAP Server

You can configure ICAP Redirection server by the following options:

Add—Create an ICAP Redirect server. Enter information as specified in Table 248.

Edit—Edit an ICAP Redirect server configuration. Enter information as specified in Table 248.

Fallback Opion

Timeout Action

Specifies the request timeout action when the request is sent to the server.

Select the timeout action from he dropdown list. The available options are: None, Permit, Log Permit, and Block.

Connectivity Action

Specifies that request cannot be sent out due to connection issues.

Default Action

Specifies the default failure action to be taken when there are scenarios other than the above two mentioned ones.

Table 248: Create-Edit ICAP Redirect Server

Field | Function | Action

Name | Displays the ICAP Redirect server name. | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Host Type | Specifies whether the host is identified by a host name or by an IP address. | Select Name or IP address.

Host | Specifies the host name or IP address of the ICAP server, according to the Host Type you chose. | Enter the host name or IP address.

Port | Specifies the listening port on the ICAP server. If no port is configured, the default port for the configured protocol is used. | Enter the port number. The range is 1025 through 65534.

Sockets | Specifies the number of connections the device opens to the ICAP server. | Enter the number of connections. The range is 1 through 64.

Authentication

Authorization Type | Specifies the type of authentication used with the ICAP server. |

Credential Type | Specifies the encoding of the credentials. | Select ASCII or Base64.

Credentials | Specifies the credentials presented to the ICAP server. | Based on the Credential Type you chose, enter the ASCII string or the Base64 string.

URL

Request MOD | Specifies the REQMOD URI on the ICAP server (this option can be configured for ICAP servers only). | Enter the REQMOD URI.

Response MOD | Specifies the RESPMOD URI on the ICAP server (this option can be configured for ICAP servers only). | Enter the RESPMOD URI.

Routing Instance | Specifies the routing instance (virtual router) from which the device connects to the ICAP server. | Select the routing instance from the dropdown list.

SSL Initiation Profile | Specifies the SSL initiation profile the device uses for the TLS connection to the ICAP server. | Select the SSL initiation profile from the dropdown list.

DS-Lite

DS-Lite Configuration Page Options

  1. Select Configure>Security>DS-Lite in the J-Web user interface on SRX5400, SRX5600, or SRX5800 devices.

    Otherwise, select Configure>Network>DS-Lite in the J-Web user interface.

    The DS-Lite configuration page appears. Table 249 explains the contents of this page.

  2. Click one:
    • Add or +—Adds a new or duplicate DS-Lite configuration. Enter information as specified in Table 250.

    • Edit or /—Edits the selected DS-Lite configuration.

    • Delete or X—Deletes the selected DS-Lite configuration.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 249: DS-Lite Configuration Page

Field | Function

Name | Displays the name of the DS-Lite configuration.

Concentrator | Displays the name of the softwire concentrator.

Type | Displays the type of DS-Lite used.

Table 250: Add DS-Lite Configuration Details

Field | Function | Action

Name | Specifies the name of the DS-Lite configuration. | Enter a name for the DS-Lite configuration.

Concentrator | Specifies the IP address of the softwire concentrator. | Enter the IP address of the softwire concentrator.

Type | Specifies the softwire type. | Select the softwire type from the list.

Release History Table

Release | Description

19.1R1 | Starting in Junos OS Release 19.1R1, the list of local authentication users is available in the source identity list for logical system and tenant users.

19.1R1 | Starting in Junos OS Release 19.1R1, PowerMode IPsec (PMI) configuration is supported only on SRX4100, SRX4200, SRX4600, and SRX5000 Series devices with an SPC3 card, and on vSRX 2.0.

19.1R1 | sha-512: Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

19.1R1 | Starting in Junos OS Release 19.1R1, the new authentication algorithm is supported on SRX5000 Series devices with an SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

19.1R1 | group15: Starting in Junos OS Release 19.1R1, this option is supported.

19.1R1 | group16: Starting in Junos OS Release 19.1R1, this option is supported.

19.1R1 | group21: Starting in Junos OS Release 19.1R1, this option is supported.

19.1R1 | Starting in Junos OS Release 19.1R1, the new DH groups are supported on SRX5000 Series devices with an SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

19.1R1 | responder-only: Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to a negotiation request received from the peer.

19.1R1 | responder-only-no-rekey: Starting in Junos OS Release 19.1R1, this option is supported. Disables rekeying in responder-only mode.

19.1R1 | group15: Starting in Junos OS Release 19.1R1, Diffie-Hellman group 15 is supported.

19.1R1 | group16: Starting in Junos OS Release 19.1R1, Diffie-Hellman group 16 is supported.

19.1R1 | group21: Starting in Junos OS Release 19.1R1, Diffie-Hellman group 21 is supported.

19.1R1 | hmac-sha-512: Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

19.1R1 | hmac-sha-384: Starting in Junos OS Release 19.1R1, this option is supported. Produces a 384-bit digest.

| IDP policies created by root users in the root logical system are not displayed in the security profile advanced settings if you are logged in as a logical system user.

| The Template option is available only to root users. It is not available to logical system users.

| The Check Status option is available only to root users. It is not available to logical system users.

18.2R1 | Starting in Junos OS Release 18.2R1, the Activate option is unavailable.

18.2R1 | Starting in Junos OS Release 18.2R1, the Deactivate option is unavailable.

18.1R1 | Starting in Junos OS Release 18.1R1, you can add UDP IP addresses and whitelist them.

18.1R1 | Starting in Junos OS Release 18.1R1, you can add TCP IP addresses and whitelist them.