General |
Rule Name | Enter a name for the new rule or policy. |
Rule Description | Enter a description for the security policy. |
Global Policy | Specifies that the policy being defined is a global policy, so zones are not required. |
Source |
Zone | Select from the menu the source zone with which you want the rule to be associated. |
Address(es) | Click Select to choose the address(es) for the policy. The Source Address page appears; select the address for this policy. The options available are:
  Include Any Address—Includes any address as the source address.
  Include Specific—Selects an address book entry from the available list, or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.
  Exclude Specific—Selects the address book entries to exclude from the available list, or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page. |
Identity | Select the user identity to permit or deny. Click Select to choose a user identity from the available list, or make a new user identity by selecting Add New Identity and creating a new user name or identity in the Create Identity page.
  Note: Starting in Junos OS Release 19.1R1, the list of local authentication users is available in the source identity list for logical system and tenant users. |
Destination |
Zone | Select from the dropdown menu the destination zone with which you want the rule to be associated. |
Address(es) | Click Select to choose the address(es) for the policy. The Destination Address page appears; select the address for this policy. The options available are:
  Include Any Address—Includes any address as the destination address.
  Include Specific—Selects an address book entry from the available list, or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page.
  Exclude Specific—Selects the address book entries to exclude from the available list, or you can make a new address book entry by selecting Add New Source Address and creating a new source address in the Create Address page. |
Dynamic Application | Select the dynamic application names to use as match criteria in the application firewall rule set. Select the application from the Available list and move it to the Selected list. Starting in Junos OS Release 19.2R1, you can add an application or application group for a dynamic application using the Add New Application or Add New Application Group button. Click Select to select a dynamic application; the Dynamic Application page appears. Enter the following details:
  Application/Group—Select an option from the list.
    To add a new application: select Application from the list and click Add New Application. The Create Application Signature page appears. Follow the steps in the Application Signature Configuration Page Options section to create the application signature, then click OK. The Dynamic Application page appears.
    To add a new application group: select Group from the list and click Add New Application Group. The Create Application Signature Group page appears. Enter the name of the application group in the Name field, select the group members or click + to add application signatures to the group members, then click OK. The Dynamic Application page appears.
    Note: After adding an application or group, it should be auto-selected in Dynamic Application, and the values None or any should be moved to the Available list. By default, the None value is auto-populated when the Selected list is empty.
  Predefined/Custom—Select an option from the list: Predefined, Custom, or All.
  Category—Select an option from the list.
  Dynamic Application—Select the application from the Available list and move it to the Selected list.
  Click OK. |
Service(s) | Click Select to select the services to permit or deny. You can choose a service from the available list. Starting in Junos OS Release 19.2R1, you can add a new service using the Add New Service button. To add a new service, click Add New Service on the Service page; the Create Service page appears. Enter the following details for the global settings:
  Name—Enter a unique name for the application.
  Description—Enter a description of the application.
  Application Protocol—Select the application protocol from the list.
  Match IP protocol—Select the IP protocol to match from the list.
  Source Port—Select the source port from the list.
  Destination Port—Select the destination port from the list.
  ICMP Type—Select the ICMP message type from the list.
  ICMP Code—Select the ICMP message code from the list.
  RPC program numbers—Enter a value for the RPC program numbers. The format of the value must be W or X-Y, where W, X, and Y are integers between 0 and 65535.
  Inactivity Timeout—Select the application-specific inactivity timeout from the list.
  UUID—Enter a value for DCE RPC objects. Note: The format of the value must be 12345678-1234-1234-1234-123456789012.
  If you want to define individual application protocols, click + to create a term and enter the following details for each term:
  Name—Enter the name for the term.
  ALG—Select an ALG from the list.
  The remaining term fields (Match IP protocol, Source Port, Destination Port, ICMP Type, ICMP Code, RPC program numbers, Inactivity Timeout, and UUID) take the same values and formats as the corresponding global settings.
  Click Create to create the service, then click OK.
  Note: After adding a service, it should be auto-selected in Service(s), and the values None or any should be moved to the available list. |
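The two free-text fields on the Create Service page carry a stated format (RPC program numbers as W or X-Y within 0 to 65535, and the UUID as an 8-4-4-4-12 string). The following added example, which is not part of the J-Web documentation or of Junos itself, validates those two fields before a definition is pushed to a device; it assumes that X must not exceed Y in a range and that hexadecimal digits are accepted in the UUID (neither is stated on the page), and the dictionary keys `rpc_program_numbers` and `uuid` are names chosen here.

```python
import re

# Bounds stated on the page for RPC program numbers.
RPC_MIN, RPC_MAX = 0, 65535

# 8-4-4-4-12 layout from the page's example value. Assumption: hexadecimal
# digits are accepted, since DCE RPC UUIDs are written in hex.
_HEX = "[0-9a-fA-F]"
_UUID_RE = re.compile(
    rf"{_HEX}{{8}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{4}}-{_HEX}{{12}}"
)
_INT_RE = re.compile(r"[0-9]+")


def parse_rpc_program(value):
    """Parse 'W' or 'X-Y' into an inclusive (low, high) tuple.

    Returns None when the value does not follow the stated format or a
    number lies outside 0..65535. A range with X greater than Y is also
    rejected (an assumption; the page states only the integer bounds).
    """
    parts = value.strip().split("-")
    if len(parts) not in (1, 2):
        return None
    if not all(_INT_RE.fullmatch(p) for p in parts):
        return None
    nums = [int(p) for p in parts]
    if any(n < RPC_MIN or n > RPC_MAX for n in nums):
        return None
    low, high = nums[0], nums[-1]
    if low > high:
        return None
    return (low, high)


def validate_uuid(value):
    """True when the value has the 12345678-1234-1234-1234-123456789012 layout."""
    return _UUID_RE.fullmatch(value.strip()) is not None


def validate_service_term(term):
    """Return the list of problems found in one global-settings or term block.

    Only the two free-text fields with a stated format are checked; the other
    fields are list selections in the UI. Key names are assumptions.
    """
    problems = []
    rpc = term.get("rpc_program_numbers")
    if rpc is not None and parse_rpc_program(rpc) is None:
        problems.append(
            f"rpc_program_numbers {rpc!r}: must be W or X-Y with 0..65535"
        )
    uuid = term.get("uuid")
    if uuid is not None and not validate_uuid(uuid):
        problems.append(
            f"uuid {uuid!r}: must use the 12345678-1234-1234-1234-123456789012 format"
        )
    return problems


# Constructed sample input: one valid term and one with both fields wrong.
SAMPLE_TERMS = [
    {"name": "portmap", "rpc_program_numbers": "100-200",
     "uuid": "12345678-1234-1234-1234-123456789012"},
    {"name": "broken", "rpc_program_numbers": "70000", "uuid": "not-a-uuid"},
]

if __name__ == "__main__":
    for term in SAMPLE_TERMS:
        print(term["name"], validate_service_term(term) or "ok")
```

Run the file directly to see the first sample term accepted and the second rejected on both fields; the helpers return plain values so they can be wired into a pre-commit check on exported policy definitions.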
URL Category | Select the URL category that you want to use as match criteria for the web filtering category. Click Select; the URL Category page appears.
  Predefined/Custom—Select an option from the list: Predefined, Custom, or All.
  URL Category—Select an option from the list. |
Advanced Security |
Rule Action | Select an option. Specifies the action taken when traffic matches the criteria. Available options are:
  Permit—Allows the packet to pass through the firewall. It enables the following Permit options:
    App Firewall—Select the application firewall from the list.
    IPS—Select Off or On from the list. If you select On, the IPS Policy field is disabled. If you select Off, you may select the IPS Policy from the list.
    UTM—Select the UTM policy to associate with this rule from the list, which shows all the UTM policies available. To create a new UTM policy, click Add New, which opens the Create UTM Policies Wizard. To learn more about this wizard, see the Configure>Security>UTM page in J-Web.
    SSL Proxy—Select the SSL proxy policy to associate with this rule from the list, which shows all the SSL proxy profiles created using the Configure>Security>SSL Proxy page in J-Web. After you associate it, the SSL proxy policy is applied to the traffic.
    IPSec VPN—Select the IPsec VPN tunnel from the list.
    Pair Policy Name—Select the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy.
    Threat Prevention Policy—Select the configured threat prevention policy from the list. To create a threat prevention policy, go to Configure>Security>SkyATP or Threat Prevention>Policies.
    ICAP Redirect Profile—Select the configured ICAP Redirect profile name from the list.
  Deny—Blocks and drops the packet without sending a notification back to the source.
  Reject—Blocks and drops the packet and sends a notice to the source host. For TCP traffic, sends a TCP RST. For UDP traffic, sends an ICMP destination unreachable, port unreachable message (type 3, code 3). For TCP and UDP traffic, specifies action denied. |
Rule Options |
Logging/Count |
Log at Session Close Time | Select the check box to log an event when the session closes. |
Log at Session Init Time | Select the check box to log an event when the session is created. |
Enable Count | Select the check box to collect statistical counts and trigger alarms whenever traffic exceeds the specified packet and byte thresholds. When count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.
  Note: The alarm threshold fields are disabled if Enable Count is not enabled. |
Authentication |
Push Auth Entry to JIMS | Select the check box to push authentication entries from firewall authentication that are in the auth-success state to Juniper Identity Management Server (JIMS). This enables the SRX device to query JIMS to get IP/user mapping and device information. |
Type | Select the type of firewall authentication from the list. The options available are: None, Pass-through, User-firewall, and Web-authentication. |
Advanced Settings |
Destination Address Translation | Select the action to be taken on a destination address translation. The options available are: None, Drop Translated, and Drop Untranslated. |
Redirect Options | Select the redirect action. The options available are: None, Redirect Wx, and Reverse Redirect Wx. |
Enable TCP-SYN | Enables or disables checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session; if it is not set, the device drops the packet. Select the check box if you want to enable TCP-SYN checking. |
Log TCP Sequence | Enables or disables checking of sequence numbers in TCP segments during stateful inspection. By default, the device monitors the sequence numbers in TCP segments. Select the check box if you want to log TCP sequencing. |
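The Rule Action row and the Enable TCP-SYN row together describe how the first packet of a session is handled: the SYN check runs before any session is created, then the zone and address criteria (Include Any, Include Specific, Exclude Specific) select a rule, and the rule's action decides whether a TCP RST or an ICMP type 3 code 3 message goes back to the source. The following added model, which is not Junos code and is not taken from the page, plays through that sequence so the Exclude Specific semantics and the per-protocol Reject response can be checked against sample traffic. The zone names, address prefixes, rule names, and the default-deny fallback for unmatched traffic are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PERMIT, DENY, REJECT = "permit", "deny", "reject"


@dataclass
class AddressMatch:
    """One side's address criteria from the Source/Destination Address page."""
    mode: str = "any"                           # "any" | "include" | "exclude"
    entries: list = field(default_factory=list)  # address book prefixes (constructed)

    def matches(self, ip):
        if self.mode == "any":                  # Include Any Address
            return True
        hit = any(ip_address(ip) in ip_network(p) for p in self.entries)
        return hit if self.mode == "include" else not hit  # Exclude Specific inverts


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: AddressMatch
    dst: AddressMatch
    action: str


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" | "udp"
    syn: bool = True    # TCP SYN flag; ignored for UDP


def first_packet_decision(pkt, rules, tcp_syn_check=True):
    """Return (verdict, response, reason) for the first packet of a session.

    verdict is "permit" or "drop"; response is what goes back to the source:
    None (Permit or Deny), "tcp-rst" or "icmp-3-3" (Reject, per protocol).
    """
    # Enable TCP-SYN is on by default: a first TCP packet without SYN is
    # dropped before any rule is consulted and nothing is sent back.
    if tcp_syn_check and pkt.proto == "tcp" and not pkt.syn:
        return ("drop", None, "tcp-syn-check")
    for rule in rules:  # first matching rule wins
        if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if not (rule.src.matches(pkt.src_ip) and rule.dst.matches(pkt.dst_ip)):
            continue
        if rule.action == PERMIT:
            return ("permit", None, rule.name)
        if rule.action == DENY:
            return ("drop", None, rule.name)
        if rule.action == REJECT:
            response = "tcp-rst" if pkt.proto == "tcp" else "icmp-3-3"
            return ("drop", response, rule.name)
    # Assumption: traffic matching no rule is silently dropped.
    return ("drop", None, "default-deny")


# Constructed sample rule base: one subnet is rejected with notification,
# everything else from the same zone is permitted via Exclude Specific.
SAMPLE_RULES = [
    Rule("block-guest-subnet", "trust", "untrust",
         AddressMatch("include", ["10.9.0.0/16"]), AddressMatch("any"), REJECT),
    Rule("trust-out", "trust", "untrust",
         AddressMatch("exclude", ["10.9.0.0/16"]), AddressMatch("any"), PERMIT),
]

if __name__ == "__main__":
    for pkt in (Packet("trust", "untrust", "10.1.2.3", "203.0.113.7", "tcp"),
                Packet("trust", "untrust", "10.9.1.1", "203.0.113.7", "udp"),
                Packet("trust", "untrust", "10.1.2.3", "203.0.113.7", "tcp", syn=False)):
        print(pkt.src_ip, pkt.proto, first_packet_decision(pkt, SAMPLE_RULES))
```

The example is deliberately minimal: it ignores services, identities and dynamic applications, and it treats the SYN check as a pure first-packet gate, which is all the page states about it. Toggling `tcp_syn_check=False` shows why the default matters: a stray mid-stream ACK from the permitted subnet would otherwise create a session.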