Understanding Application Firewall Services for Tenant Systems
An application firewall is a group of fine-grained application control policies that allow or deny traffic based on the dynamic application name or the dynamic application group name. It enhances security policy creation and enforcement by basing decisions on the identified application rather than on traditional port and protocol analysis.
An application firewall enables administrators of tenant systems to create security policies for traffic, based on application identification defined by application signatures. The application firewall provides additional security protection against the dynamic-application traffic that might not be adequately controlled by the standard network firewall policies. The application firewall controls information transmission by allowing or blocking traffic originating from certain applications.
The application firewall (AppFW) functionality is deprecated rather than immediately removed, to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. All the legacy AppFW features are supported on tenant systems. The [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated on SRX Series devices.
To configure an application firewall, you define a rule set that contains rules specifying the action to be taken on the identified dynamic applications. The rule set is configured independently and then assigned to a security policy. Each rule set contains at least two rules: a matched rule (consisting of match criteria and an action) and a default rule.
The following rule types are available in an application firewall rule set:
A matched rule defines the action to be taken on matching traffic. When the traffic matches an application and the other criteria specified in the rule, the traffic is allowed or blocked according to the action specified in the rule.
A default rule is applied when the traffic does not match any other rule in the rule set.
Configuring an application firewall on a tenant system is similar to configuring an application firewall on a device that is not configured with tenant systems. The application firewall applies only to the tenant system for which it is configured.
Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources (appfw-rule-set and appfw-rule) in a tenant system. The AppFW rules can be reordered using the insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2 command.
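The following configuration is an added example, not taken from the original page, showing the rule set, default rule, and policy assignment described above for a single tenant system. The tenant name TSYS1, the zones trust and untrust, the rule-set name rs-web, the rule names, and the address-book entries are placeholders; the dynamic application names assume the standard Junos AppID signature package is installed.

```junos
## Rule set scoped to the tenant system: matched rules first, then a default rule.
## Rule r-block-social denies identified social-networking traffic; r-allow-web permits
## ordinary web and TLS; the default rule denies anything the matched rules did not cover,
## so an unidentified or newly added dynamic application fails closed.
set tenants TSYS1 security application-firewall rule-sets rs-web rule r-block-social match dynamic-application-group junos:web:social-networking
set tenants TSYS1 security application-firewall rule-sets rs-web rule r-block-social then deny
set tenants TSYS1 security application-firewall rule-sets rs-web rule r-allow-web match dynamic-application junos:HTTP
set tenants TSYS1 security application-firewall rule-sets rs-web rule r-allow-web match dynamic-application junos:SSL
set tenants TSYS1 security application-firewall rule-sets rs-web rule r-allow-web then permit
set tenants TSYS1 security application-firewall rule-sets rs-web default-rule deny

## The rule set takes effect only when a security policy in the same tenant system
## references it; the standard policy still has to permit the traffic first.
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p-web match source-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p-web match destination-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p-web match application any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy p-web then permit application-services application-firewall rule-set rs-web

## Rules are evaluated in configured order; the insert form from the text moves
## r-block-social so that it is evaluated after r-allow-web.
insert tenants TSYS1 security application-firewall rule-sets rs-web rule r-block-social after rule r-allow-web
```

With the rules reordered this way, traffic matching both junos:SSL and a social-networking application is permitted by r-allow-web before r-block-social is reached, which is why the order of matched rules within a rule set should be reviewed whenever a rule is inserted.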