Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring Application Firewall Services for a Tenant System


This example shows how to configure application firewall ruleset, rules, and the profile. After configuring the application firewall rulesets and rules, the application firewall ruleset information is added to the security policy in the tenant system.


This example uses the following hardware and software components:

  • An SRX1500 device

  • Junos OS Release 18.4R1 or later


Evasive applications could remain undetected with a standard firewall that functions at Layer 3 or Layer 4 by transmitting other protocols over these well-known ports that are usually open by a firewall. AppFW enforces protocol and policy control at Layer 7. It inspects the actual content of the payload and ensures that it conforms to the policy, rather than identifying the application based on Layer 3 and Layer 4 information.

Additionally, with the growing popularity of Web applications and the shift from traditional full client-based applications to the Web, more and more traffic is being transmitted over HTTP. An application firewall identifies not only HTTP but also any application running on top of it, letting you properly enforce the policies.

The tenant administrator can configure an application firewall rule set and create different rules to permit, reject, or deny traffic based on the application ID on a tenant system. The application firewall traffic control rule is configured for junos:HTTP . The security policy match condition is applied for any dynamic application to permit the traffic.

Create application an firewall services on the tenant system called TSYS1 and the rule set called ruleset1. The rule set ruleset1 has a rule defined to permit traffic. A default rule is also created to specify the action that is specified opposite to the other rules in the rule set.


CLI Quick Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure application firewall for a tenant system:

  1. Define a security profile and assign a security profile to a tenant system.
  2. Configure the routing instances and add interfaces to routing instances.
  3. Configure the interfaces for the tenant.
  4. Define the profile to send the notification to the clients when HTTP or HTTPS traffic is blocked by a reject or deny action from an application firewall.
  5. Configure an application firewall rule set for the tenant system and create a rule for this rule set and specify which dynamic application and dynamic application groups that the rule should match.
  6. Configure the default rule for this rule set and specify the action when the identified dynamic application is not specified in any rules of the rule set.
  7. Configure a policy p1 to process the traffic that pass through the HTTP static ports with the application firewall rule set ruleset1.
  8. Configure the security zones.


From configuration mode, confirm your policy configuration by entering the show tenants TSYS1 security application-firewall, show tenants, and show security policies command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.


Confirm that the configuration is working properly.

Verifying Application Firewall


View the application firewall configuration on the tenant system.


From operational mode, enter the show security application-firewall rule-set ruleset1 tenant TSYS1 command.

user@host> show security application-firewall rule-set ruleset1 tenant TSYS1

From operational mode, enter the show security flow session application-firewall extensive command.

user@host> show security flow session application-firewall extensive


The output displays information about the current active sessions on the device.