Security Hierarchy and Statements

Use the statements in the security configuration hierarchy to configure certificates, dynamic virtual private networks (VPNs), firewall authentication, flow, forwarding options, group VPNs, Intrusion Detection Prevention (IDP), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), logging, Network Address Translation (NAT), public key infrastructure (PKI), policies, resource manager, screens, secure shell known hosts, trace options, Unified Threat Management (UTM), and zones.

For configuration instructions, see the Junos OS Security Configuration Guide.
For information about features supported on different SRX Series and J Series devices, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.
For information about security statements that are shared across Juniper Networks devices, see the Junos System Basics Configuration Guide.

This chapter contains the following topics:

Security Configuration Statement Hierarchy
access profile
ack-number
action
action (Application-Level DDoS)
action (web filtering)
active-policy
action-profile
address
address-book
address-blacklist
address-mapping
address-persistent
address-set
address-whitelist
admin-email
administrator
aging
alarm-threshold
alarm-without-drop
alert
alg
algorithm
all-tcp
allow-dns-reply
allow-icmp-without-flow
always-send
anomaly
antispam
antivirus
apn (gtp)
application
application-identification
application-screen
application-services
application-system-cache
application-system-cache-timeout
application-tracking
association-timeout
attack-threshold
attacks
attack-type
authentication
authentication-algorithm
authentication-method
auto-re-enrollment
automatic
bind-interface
block-command
block-content-type
block-mime
bridge
c-timeout
ca-identity
ca-profile
ca-profile-name
cache
cache-size
call-flood
category
category (Security Logging)
category (web filtering)
certificate
certificate-id
chain
challenge-password
clear-threshold
clients
co-location
code
connection-flood
connection-rate-threshold
connections-limit
container
content-filtering
content-size
content-size-limit
context
context (Application-Level DDoS)
corrupt-file
count
crl
custom-attack
custom-attack-group
custom-attacks
custom-block-message
custom-message
custom-message-subject
custom-objects
custom-tag-string
custom-url-category
data-length
datapath-debug
dead-peer-detection
decompress-layer
decompress-layer-limit
default
default-policy
deny
description
destination
destination-address
destination-except
destination-ip
destination-ip-based
destination-nat
destination-port
destination-threshold
detect-shellcode
detector
df-bit
dh-group
direction
disable-call-id-hiding
distinguished-name
dns
download-profile
download-timeout
drop (gtp)
drop (SCTP)
dynamic
dynamic-vpn
dynamic-attack-group
early-ageout
email-notify
enable-all-qmodules
enable-packet-pool
encryption
encryption-algorithm
endpoint-registration-timeout
engine-not-ready
enrollment
establish-tunnels
event-rate
exception
exclude-context-values
expression
external-interface
fallback-block
fallback-options
fallback-settings
fallback-settings (web-filtering juniper-local)
false-positives
family
feature-profile
filename-extension
filters
fin-no-ack
firewall-authentication
first-update
first-update-interval
flood
flow
force-upgrade
format (first use in Security Logging)
format (second use in Security Logging)
forwarding-options
forwarding-process
fragment
from
from-zone
ftp
ftp (utm)
functional-zone
gatekeeper
gateway
global
gre-in
gre-out
group (Group VPN Server)
group-members
group-vpn
gtp
h323
handshake-timeout
header-length
hit-rate-threshold
high-watermark
host
host (Security Logging)
host (IDP Sensor Configuration)
host-address-base
host-inbound-traffic
hostname
http-profile
icmp
identification
idle-time
idp
idp-policy
ids-option
ignore-mem-overflow
ignore-regular-expression
ike
ike-policy
ike-user-type
imap-profile
inactive-media-timeout
inactivity-timeout
include-destination-address
inet
inet6
inline-tap
install-interval
intelligent-prescreening
interface
interfaces
interval
interval (anti-virus)
ip
ip-action
ip-action (Application-Level DDoS)
ip-block
ip-close
ip-connection--rate-limit
ip-flags
ip-notify
ips
ipsec
ipsec-group-vpn (Group VPN)
ipsec-policy
ipsec-vpn
ip-sweep
iso
juniper-express-engine
juniper-local
kaspersky-lab-engine
land
large
lifetime-kilobytes
lifetime-seconds
limit
limit (SCTP)
limit-session
list
local
local-address
local-certificate
local-identity
log
log-attacks
log-errors
log-supercede-min
low-watermark
management
manual
match
max-context-values
max-flow-mem
max-logs-operate
max–message–length
max-packet-mem
max-packet-memory
max-session-number
max-sessions
max-sessions (packet-log)
max-tcp-session-packet-memory
max-time-report
max-timers-poll-ticks
max-udp-session-packet-memory
maximize-idp-sessions
maximum-call-duration
maximum-message-length
mcc–mnc (gtp)
media-source-port-any
member
message-flood
mgcp
mime-pattern
mime-whitelist
min–message–length
mode
mpls
msrpc
mss
nat
nat-keepalive
negate
nested-application-identification
nested-application-system-cache
no-allow-icmp-without-flow
no-anti-replay
no-enable-all-qmodules
no-enable-packet-pool
no-log-errors
no-nat-traversal
no-policy-lookup-cache
no-reset-on-policy
no-sequence-check
no-syn-check
no-syn-check-in-tunnel
notification
notification-options
notify-mail-sender
optimized
option
order
out-of-resources
over-limit
overflow-pool
packet-filter
packet-log (IDP Policy)
pair-policy
packet-log (Sensor Configuration)
pass-through
password-file
pattern
pattern-update
peer-certificate-type
perfect-forward-secrecy
performance
permit
permit-command
persistent-nat
ping-death
pki
policies
policy
policy-lookup-cache
policy-rematch
pool
pool-utilization-alarm
pop3–profile
port
port (web filtering)
port-randomization
port-scan
post-attack
post-attack-timeout
pptp
pre-attack
pre-filter-shellcode
predefined-attack-groups
predefined-attacks
pre-shared-key
process-ignore-s2c
process-override
process-port
products
profile
profile (web-filtering juniper-local)
proposal
proposal-set
proposals
protect
protocol
protocol-binding
protocol-command
protocol-name
protocols
proxy-arp
proxy-identity
raise-threshold
rate-limit
real
re-assembler
re-enroll-trigger-time-percentage
recommended
recommended-action
regexp
reject
reject-timeout
remote
remote-exceptions
remote-protected-resources
remove-r6
reset
reset-on-policy
respond-bad-spi
retain-hold-resource
revocation-check
route-change-timeout
routing-instance
rpc
rsh
rst-invalidate-session
rst-sequence-check
rtsp
rule
rulebase-ddos
rule-set
rulebase-exempt
rulebase-ips
sbl
sbl-default-server
scan-mode
scan-options
sccp
scheduler-name
scope
screen
sctp
security-package
security-zone
sensor-configuration
seq-number-validated
server
server-connectivity
sessions
session-close
session-init
sessions-per-client
sequence-number
server (Group VPN)
service
session-update-interval
severity
shellcode
signature
sip
smtp-profile
sockets
source
source-address
source-except
source-interface
source-ip-based
source-nat
source-port
source-threshold
spam-action
spi
sql
ssh-known-hosts
ssl-inspection
start-log
start-time
static
static-nat
statistics
strict-syn-check
sunrpc
suppression
surf-control-integrated
syn-ack-ack-proxy
syn-fin
syn-flood
syn-flood-protection-mode
syn-frag
system-services
t1-interval
t4-interval
talk
target
tcp
tcp-flags
tcp-initial-timeout
tcp-mss
tcp-no-flag
tcp-rst
tcp-session
tcp-sweep
terminal
test
tftp
then
threshold
time-binding
time-binding-count
time-binding-period statement
timeout
timeout (utm)
to
to-zone
too-many-requests
tos
total-length
total-memory
traceoptions
traffic-options
transaction-timeout
trickling
trusted-ca
ttl
tunable-name
tunable-value
tunnel
type
type (utm)
udp
udp-sweep
unknown-message
upload-profile
urgent-pointer
url
url (antivirus)
url-blacklist
url-pattern
url-whitelist
user
user-at-hostname
utm
utm-policy
value-hit-rate-threshold
virus-detection
vpn
vpn-monitor
vpn-monitor-options
web-authentication
web-redirect
weight
wildcard
window-scale
window-size
winnuke
xauth
zones