Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Firewall Security Policy Rules

 
  1. Select Configure>Security Services>Security Policy>Rules.

    The Rules configuration page appears displaying all the rules based on grouping of rules as zone pairs or zone contexts. Each row displays the from and to zones (zone pairs) and the number of rules present in that zone pair. Table 1 explains the contents of this page.

  2. Click one:
    • Global Options—Configures global options for the firewall security policy. Enter information as specified in Table 2.

    • Add icon (+)—Adds a new firewall or global security policy configuration. Enter information as specified in Table 3.

    • Edit icon (/)—Edits the selected firewall policy configuration. Enter information as specified in Table 3.

    • Delete icon (X)—Deletes the selected firewall security policy configuration.

    • Save—Saves the rule that you edited or cloned. This is enabled if you edit or clone a rule.

    • Discard—Discards the rule that you selected from the grid.

    • More— Enables you to add rule before or after, copy, cut, paste, clone a rule, and so on. For more information see Table 4.

    • Search icon—Enables you to search a firewall policy or rule from the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to compare the current configuration with the previous configuration.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tab:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you login to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 1: Rules Configuration Page

Field

Function

Seq.

Displays the sequence number of rules in a zone pair.

Hit Count

Displays the number of hits the rule has encountered.

Rule Name

Displays the rule name.

Source Zone

Displays the source zone that is specified in the zone pair for the rule.

Source Address

Displays the name of the source address or address set for the rule.

Identity or User ID

Displays the user identity of the rule.

Destination Zone

Displays the destination zone that is specified in the zone pair for the rule.

Destination Address

Displays the name of the destination address or address set for the rule.

Dynamic Application

Displays the dynamic application names for match criteria in application firewall rule set.

An application firewall configuration permits, rejects, or denies traffic based on the application of the traffic.

Service

Displays the type of service for the destination of the rule.

Action

Displays the actions that need to take place on the traffic as it passes through the firewall.

Rule Options

Displays the rule option while permitting the traffic.

Advanced Security

Displays the security option that apply for this rule.

Description

Displays the description of the rule.

Table 2: Global Options Firewall Policy Configuration Details

Field FunctionAction
Policy Options

Default policy action

Specifies that specific protocol actions are overridden. This action is also nonterminating. The options available are:

  • permit-all

  • deny-all

Select a value from the list.

Policy rematch

Specifies that a policy is added that has just been modified to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Select the check box.

Flow - Main

Early ageout

Specifies the amount of time before the device aggressively ages out a session from its session table.

Enter a value from 1 through 65,535 seconds. The default value is 20 seconds.

High watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process begins.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Low watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process ends.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

Select the check box.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Select the check box.

Allow DNS reply

Specifies that an incoming DNS reply packet without a matched request is allowed.

Select the check box.

Force IP reassembly

Specifies reassemble all IP fragmented packets before forwarding.

Enable Routing Mode

Enables routing mode on uPIM and ePIM ports that correspond to the interfaces that will carry the VPLS traffic.

Route change to nonexistent route timeout

Specifies the session timeout value on a route change to a nonexistent route.

Enter a value from 6 through 1800 seconds.

Flow - TCP MSS

Enable MSS override for all packets

Enables maximum segment size override for all TCP packets for network traffic.

Select the check box.

Enter an maximum segment size value from 64 through 65,535.

Enable MSS override for all GRE packets coming out of an IPSec tunnel

Enables maximum segment size override for all generic routing encapsulation packets exiting an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering IPSec tunnel

Enables maximum segment size override for all packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Flow - TCP Session

Disable sequence-number checking

Disables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select the check box.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Select the check box.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box.

Disable SYN-flag check (tunnel packets)

Disables the first packet check for the SYN flag when forming a TCP flow session.

Select the check box.

RST invalidate session

Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select the check box.

RST sequence check

Specifies that the TCP sequence number in a TCP segment can be checked, with the RST bit enabled. This matches the previous sequence number for a packet in that session or is the next higher number incrementally.

Select the check box.

TCP Initial Timeout

Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Select the check box.

Table 3: Add Firewall Policy Rule Configuration Details

Field FunctionAction
General

Rule Name

Specifies the name of the security policy.

Enter a name for the new rule or policy.

Rule Description

Specifies a description for the security policy.

Enter a description for the security policy.

Global Policy

Specifies that the policy defined is a global policy and zones are not required.

Source

Zone

Specifies the source zone.

Identify and select the source zone to which you want the rule to be associated with from the dropdown menu.

Address(es)

Specifies the source address of the rule.

Select the Address(es) for the policy by clicking Select The Source Address page appears.

Select the Address for this policy. The options available are:

  • Any Address—Selecting this will include any address as the source address.

  • Include Specific—Selects an address book entry from the available list or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.

  • Exclude Specific—Selects an address book entry from the available list or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.

Identity

Select the user identity that you want to permit or deny in the rule.

Select the user identity to permit or deny.

Click Select to choose a user identity from the available list or you can make a new user identity by selecting Add New Identity and creating a new user name or identity in the Create Identity page.

Note: Starting in Junos OS Release 19.1R1, list of local authentication users are available in the source identity list for logical system and tenant users.

Destination

Zone

Specifies the destination zone.

Identify and select the destination zone to which you want the rule to be associated with from the dropdown menu.

Address(es)

Specifies the source address of the rule.

Select the Address(es) for the policy by clicking Select The Destination Address page appears.

Select the Address for this policy. The options available are:

  • Any Address—Selecting this will include any address as the destination address.

  • Include Specific—Selects an address book entry from the available list or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.

  • Exclude Specific—Selects an address book entry from the available list or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.

Dynamic Application

Select the dynamic application names for match criteria in application firewall rule set.

Select the application from the Available list and move it to Selected list.

Service(s)

Select the services that you want to permit or deny in the rule.

Select the services to permit or deny. You can choose a service from the available list.

Advanced Security

Rule Action

Specifies the action taken when traffic matches the criteria. Available options are:

  • Permit

  • Deny

  • Reject

Select an option.

Permit —Allow packet to pass through the firewall. It enables the following Permit options:

  1. App Firewall—Select the application firewall from the dropdown list.
  2. IPS—Select Off or On from the dropdown list. If you select On, the IPS Policy field will be disabled. If you select Off, you may select the IPS Policy from the dropdown list.
  3. UTM—Select the UTM policy to associate with this rule from the dropdown list, which shows all the UTM policies available.

    If you want to create a new UTM policy, click Add New, which enables you to create a new UTM policy in the Create UTM Policies Wizard. To know more about this wizard refer Configure>Security>UTM page in J-Web.

  4. SSL Proxy—Select the SSL proxy policy to associate with this rule from the dropdown list, which shows all the SSL proxy profiles that are created using the Configure>Security>SSL Proxy page in J-Web. After you associate, the SSL proxy policy will be applied to the traffic.
  5. IPSec VPN—Select the IPsec VPN tunnel from the dropdown list.
  6. Pair Policy Name—Select the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy.
  7. Threat Prevention Policy—Select the configured threat prevention policy from the dropdown list. To create a threat prevention policy go to Configure>Security>SkyATP or Threat Prevention>Policies.
  8. ICAP Redirect Profile—Select the configured ICAP Redirect profile name from the dropdown list.

Deny—Block and drop the packet, but do not send notification back to the source.

Reject—Block and drop the packet and send a notice to the source host.

  • For TCP traffic—Sends TCP RST.

  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).

  • For TCP and UDP traffic—Specifies action denied.

Rule Options

Logging/Count

  

Log at Session Close Time

Specifies that an event is logged when the session closes.

Select the check box.

Log at Session Init Time

Specifies that an event is logged when the session is created.

Select the check box.

Enable Count

Specifies statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds. When this count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select the check box.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Authentication

  

Push Auth Entry to JIMS

Pushes authentication entries from firewall authentication, that are in auth-success state, to Juniper Identity Management Server (JIMS). This will enable the SRX device to query JIMS to get IP/user mapping and device information.

Select the check box.

Type

Specify the type of firewall authentication for this rule.

Select the type of firewall authentication from the dropdown list. The options available are: None, Pass-through, User-firewall, and Web-authentication.

Advanced Settings

Destination Address Translation

Specifies the action to be taken on a destination address translation.

Select the action to be taken on a destination address translation. The options available are: None, Drop Translated, Drop Untranslated.

Redirect Options

Specifies the action to be taken if redirect is needed.

Select the action to redirect. The options available are: None, Redirect Wx, and Reverse Redirect Wx.

Enable TCP-SYN

Disables or enables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select if you want enable TCP-SYN.

Log TCP Sequence

Disables or enables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select if you want to log TCP sequencing.

Table 4: More options on Rules

Field

Function

Add Rule Before

Adds a new rule before the selected rule.

Add Rule After

Adds a new rule after the selected rule.

Copy

Copies a selected rule and enables you to paste it before or after the selected rule.

Cut

Removes the selected rule from its row and enables you to paste it before or after the selected rule.

Paste

Pastes the copied or cut rule before or after the rule selected for copy.

Clone

Clones or copies the selected firewall policy configuration and enables you to update the details of the rule.

Move Rule

Organizes records. Select a rule and choose Move up, Move down, Move to top, or Move to bottom to reposition the rule.

Disable

Disables the selected rule.

Enable

Enables the selected rule if it was disabled.

Clear Selection

Clears the selection of those rules that are selected.

Release History Table
Release
Description
Starting in Junos OS Release 19.1R1, list of local authentication users are available in the source identity list for logical system and tenant users.