Understanding Policy Rules

The security policy applies the security rules to the transit traffic within a context (from-zone to to-zone). Each policy is uniquely identified by its name. The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane.

Each policy is associated with the following characteristics:

• A source zone
• A destination zone
• One or many source address names or address set names
• One or many destination address names or address set names
• One or many application names or application set names

These characteristics are called the match criteria. Each policy also has actions associated with it: permit, deny, and reject. You have to specify the match condition arguments when you configure a policy, source address, destination address, and application name. If you do not want to specify a specific application, enter any as the default application, indicating all possible applications. For example, if you do not supply an application name, then the policy is installed with the application as a wildcard (default). Therefore, any data traffic that matches the rest of the parameters in a given policy would match the policy regardless of the application type of the data traffic.

When you are creating a policy, the following policy rules apply:

• Security policies are configured in a from-zone to to-zone direction. Under a specific zone direction, each security policy contains a name, match criteria, an action, and miscellaneous options.
• The policy name, match criteria, and action are required.
• The policy name is a keyword.
• The source address in the match criteria is composed of one or more address names or address set names in the from-zone.
• The destination address of the match criteria is composed of one or more address names or address set names in the to-zone.
• The application name in the match criteria is composed of the name of one or more applications or application sets.
• One of the following actions is required: permit, deny, or reject.
• When logging is enabled, the system logs at session close time by default. You can enable logging at session creation, too.
• When the count alarm is turned on, you can, optionally, specify alarm thresholds in bytes per second and kilobytes per minute.
• You cannot specify global as either the from-zone or the to-zone except under following condition:

  Any policy configured with the to-zone as a global zone must have a single destination address to indicate that either static NAT or incoming NAT has been configured in the policy.

• In SRX-series services gateways, policy permit option with NAT is simplified. Each policy will optionally indicate whether it allows NAT translation, no NAT translation or do not care.
• Address names cannot begin with the following reserved prefixes. These are used only for address NAT configuration:
  • static_nat_
  • incoming_nat_
  • junos_
• Application names cannot begin with the junos_ reserved prefix.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.