Security Configuration Statement Hierarchy
To configure security rules, actions, and zones, use the configuration statements in the security configuration hierarchy. Statements that are exclusive to J Series and SRX Series devices running Junos OS are described in this chapter. Statements that are not described in this chapter are common to a variety of devices running Junos OS and are described in the Junos System Basics Configuration Guide.
security { alg { dns { disable; maximum-message-length number; traceoptions
{ flag { all <extensive>;}}} ftp { disable; traceoptions
{ flag { all <extensive>;}}} h323 { application-screen
{ message-flood
{ gatekeeper
threshold rate;} unknown-message
{ permit-nat-applied; permit-routed;} disable; endpoint-registration-timeout seconds; media-source-port-any; traceoptions
{ flag
{ all <detail
| extensive | terse>; cc <detail
| extensive | terse>; h225-asn1
<detail | extensive | terse>; h245
<detail | extensive | terse>; h245-asn1
<detail | extensive | terse>; q931
<detail | extensive | terse>; ras <detail
| extensive | terse>; ras-asn1
<detail | extensive | terse>; }}}}ike-esp-nat {enable;state-timeout timeout-in-seconds;esp-gate-timeout timeout-in-seconds;esp-session-timeout timeout-in-seconds;} mgcp { application-screen
{ connection-flood
threshold rate; message-flood
threshold rate; unknown-message
{ permit-nat-applied; permit-routed;}} disable; inactive-media-timeout seconds; maximum-call-duration minutes; traceoptions
{ flag
{ all <extensive>; call
<extensive>; cc <extensive>; decode
<extensive>; error
<extensive>; nat <extensive>; packet
<extensive>; rm <extensive>;}} transaction-timeout seconds; } msrpc { disable; traceoptions
{ flag
{ all <extensive>;}}} pptp { disable; traceoptions
{ flag
{ all <extensive>;}}} real { disable; traceoptions
{ flag
{ all <extensive>;}}} rsh { disable; traceoptions
{ flag
{ all <extensive>;}}} rtsp { disable; traceoptions
{ flag
{ all <extensive>;}}} sccp { application-screen
{ call-flood
threshold rate; unknown-message
{ permit-nat-applied; permit-routed;}} disable;
inactive-media-timeout seconds; traceoptions
{ flag
{ all <extensive>;
call
<extensive>; cc <extensive>;
cli <extensive>;
decode
<extensive>; error
<extensive>; init
<extensive>; nat <extensive>;
rm <extensive>;
}}} sip { application-screen
{ protect
{ deny
{ all
| destination-ip address; timeout seconds; }} unknown-message
{ permit-nat-applied;
permit-routed;
}} c-timeout minutes; disable;
disable-call-id-hiding;
inactive-media-timeout seconds; maximum-call-duration minutes; retain-hold-resource;
t1-interval milliseconds; t4-interval seconds; traceoptions
{ flag
{ all <detail
| extensive | terse>; call
<detail | extensive | terse>; cc <detail
| extensive | terse>; nat <detail
| extensive | terse>; parser
<detail | extensive | terse>; rm <detail
| extensive | terse>; }}} sql { disable; traceoptions
{ flag
{ all <extensive>;}}} sunrpc { disable; traceoptions
{ flag
{ all <extensive>;}}} talk { disable; traceoptions
{ flag
{ all <extensive>;}}} tftp { disable; traceoptions
{ flag
{ all <extensive>;}}}application-tracking {first-update;first-update-interval number;session-update-interval number;}authentication-key-chains
{key-chain key-chain-name
{description text;tolerance seconds;}}dynamic-vpn {access-profile profile-name; force-upgrade;clients {configuration-name {remote-protected-resources{ip-address/mask;}remote-exceptions{ip-address/mask;}ipsec-vpn configuration-name;user{username;}}}}datapath-debug{action-profile{event (jexec | lbt | mac-egress | mac-ingress | np-egress
| np-ingress | pot) {count;packet-dump;packet-summary;trace; }module{flow{flag{all; }}}preserve-trace-order;record-pic-history;capture-file;packet-filter{action-profile (action-profile name| default) ;destination-port (port-range| protocol name);destination-prefix destination-prefix;protocol (protocol number | (ah |
egp | esp | gre | icmp | igmp | ipip | ospf | pim | rsvp | sctp |
tcp | udp));source-port (port-range| protocol name);source-prefix source-prefix;}trace-options{file{filename;files filesnumber;match regular expression;size maximum file-size;(world-readable | no-world-readable);}no-remote-trace;}} firewall-authentication
{ traceoptions
{ flag {
all <detail
| extensive | terse>; authentication
<detail | extensive | terse>; proxy <detail
| extensive | terse>; }}} flow {
aging {
early-ageout seconds; high-watermark percent; low-watermark percent;} allow-dns-reply; bridge {
block-non-ip-all; bypass-non-ip-unicast; no-packet-flooding
{ no-trace-route;}} route-change-timeout seconds; syn-flood-protection-mode
(syn-cookie | syn-proxy); tcp-mss {
all-tcp
{ mss value;} gre-in
{ mss value;} gre-out
{ mss value;} ipsec-vpn
{ mss value;}} tcp-session
{ no-sequence-check;
no-syn-check;
no-syn-check-in-tunnel;
rst-invalidate-session;
rst-sequence-check;
tcp-initial-timeout seconds;} traceoptions
{ file filename <files number > <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>; flag flag; }} forwarding-options
{ family {
inet6 {
mode (packet-based
| flow-based | drop ); default: drop } iso {
mode packet-based;
} mpls {
mode packet-based;
}}}forwarding-process {application-services {maximize-alg-sessions;maximize-idp-sessions {inline-tap;weight {equal;firewall;idp;}}}}gprs {gtp {enable;profile profile name {apn pattern-string {mcc-mnc <mcc-mnc-number> {action <drop | pass | selection <ms | net | vrf>
{}}drop {aa-create-pdp {<0 | 1 | All>;}aa-delete-pdp {<0 | 1 | All>;}create-pdp {<0 | 1 | All>;}data-record {<0 | 1 | All>;}delete-pdp {<0 | 1 | All>;}echo {<0 | 1 | All>;}error-indication {<0 | 1 | All>;}failure-report {<0 | 1 | All>;}fwd-relocation {<0 | 1 | All>;}fwd-srns-context {<0 | 1 | All>;}g-pdu {<0 | 1 | All>;}identification {<0 | 1 | All>;}node-alive {<0 | 1 | All>;}note-ms-present {<0 | 1 | All>;}pdu-notification {<0 | 1 | All>;}ran-info {<0 | 1 | All>;}redirection {<0 | 1 | All>;}relocation-cancel {<0 | 1 | All>;}send-route {<0 | 1 | All>;}sgsn-context {<0 | 1 | All>;}supported-extension {<0 | 1 | All>;}update-pdp {<0 | 1 | All>;}ver-not-supported {<0 | 1 | All>;}log {forwarded <basic | detail>;prohibited <basic | detail>;rate-limited <basic | detail>;frequency-number <number>;}state-invalid <basic | detail>;}max-message-length number;min-message-length number;rate-limit messages per second;remove-r6;seq-number-validated;timeout <number of hours>;}}traceoptions file filename {<files | match | no-world-readable | size | world-readable>;}flag {< all | chassis-cluster | configuration | flow | parser
| >;}no-remote-trace;} sctp {
log {
configuration;
decoding-error;
dropped-packet;
exceeding-rate-limit;
} profile name { association-timeout time in minutes; handshake-timeout time in seconds; drop {
m3ua-service
{ isup;
sccp;
tup;
} payload-protocol
{ all;
asap;
bicc;
ddp-segment;
ddp-stream;
dua;
enrp;
h248;
h323;
iua;
m2pa;
m2ua;
m3ua;
qipc;
simco;
sua;
tali;
v5ua;
}} limit
{ rate {
address ip-address { sccp number; ssp number; sst number; } sccp number; ssp number; sst number; }}} traceoptions
{ file;
flag {
all;
chassis-cluster;
configuration;
flow;
parser;
}}}}group-vpn {co-location;member {ike {gateway gateway-name {address [(ip-address | hostname)];ike-policy policy-name;local-address address;local-identity (distinguished-name string | hostname hostname | inet ipv4-ip-address | user-at-hostname e-mail-address);}policy name {certificate {local-certificate identifier;peer-certificate-type (pkcs7 | x509-signature);trusted-ca (ca-index | use-all);}description text;mode (aggressive | main); pre-shared-key (ascii-text text |
hexadecimal hex);proposal-set (basic | compatible | standard);proposals name;}proposal name {authentication-algorithm (md5 | sha-256 | sha1);authentication-method (pre-shared-keys | rsa-signatures);description text;dh-group (group1 | group2 | group5);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc | des-cbc);lifetime-seconds seconds;}}ipsec vpn name {group id;group-vpn-external-interface interface;heartbeat-threshold number;ike-gateway name;}}server {group name{activation-time-delay seconds;anti-replay-time-window seconds;description text;group-id number;ike-gateway gateway-name;ipsec-sa name {proposal name;match-policy name {destination ip-address/netmask;destination-port number;protocol number;source ip-address/netmask;source-port number;}}no-anti-replay;server-address ip-address;server-member-communication {certificate certificate-id;communication-type (multicast | unicast);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc | des-cbc);heartbeat seconds;lifetime-seconds seconds;multicast-group address;multicast-outgoing-interface interface;number-of-retransmission number;retransmission-period seconds;sig-hash-algorithm (md5 | sha1);}}ike {gateway name {address ( ip-address | hostname );dynamic {distinguished-name {container string; wildcard string;}hostname name;inet ip-address;user-at-hostname email-address;}ike-policy name;local-identity {distinguished-name;hostname name;inet ip-address;user-at-hostname email-address;}}policy name {certificate {local-certificate identifier;peer-certificate-type (pkcs7 | x509-signature);trusted-ca (ca-index | use-all);}description text;mode (aggressive | main); pre-shared-key (ascii-text text |
hexadecimal hex);proposal-set (basic | compatible | standard);proposals name;}proposal name {authentication-algorithm (md5 | sha-256 | sha1);authentication-method (pre-shared-keys | rsa-signatures);description text;dh-group (group1 | group2 | group5);encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc | des-cbc);lifetime-seconds seconds;}}ipsec proposal name {authentication-algorithm (hmac-md5-96 | hmac-sha1-96);description text;encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc
| aes-256-cbc | des-cbc);lifetime-seconds seconds;}traceoptions {file {files number;match regexp;(no-world-readable | world-readable);size size;}flag {all | certificates | config | database | general | high-availability
| ike| next-hop-tunnels | parse | policy-manager | routing-socket
| thread | timer}no-remote-trace;}}} idp {
active-policy policy-name; application-ddos <name> {connection-rate-threshold number;context <context-name> {exclude-context-values regular-expression;hit-rate-threshold number;max-context-values number;time-binding-count number;time-binding-period seconds;value-hit-rate-threshold seconds;}service <dns | http>;} custom-attack attack-name {attack-type {anomaly {direction (any | client-to-server | server-to-client);service service-name;shellcode (all | intel | no-shellcode | sparc);test test-condition;} chain {expression boolean-expression; member member-name {attack-type {(anomaly | signature);}} order;protocol-binding {application application-name;icmp;ip {protocol-number transport-layer-protocol-number;} rpc { program-number rpc-program-number; }tcp {minimum-port port-number maximum-port port-number;} udp { minimum-port port-number maximum-port port-number;} }reset; scope (session | transaction);}signature {context context-name;direction (any | client-to-server | server-to-client);negate; pattern signature-pattern;protocol {icmp {code { match (equal | greater-than | less-than | not-equal); value code-value;} data-length { match (equal | greater-than | less-than | not-equal); value data-length;} identification {match (equal | greater-than | less-than | not-equal);value identification-value;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number; }type {match (equal | greater-than | less-than | not-equal);value type-value; }} ip {destination {match (equal | greater-than | less-than | not-equal);value hostname;}identification {match (equal | greater-than | less-than | not-equal);value identification-value;}ip-flags {(df | no-df);(mf | no-mf);(rb | no-rb);}protocol {match (equal | greater-than | less-than | not-equal);value transport-layer-protocol-id;}source {match (equal | greater-than | less-than | not-equal);value hostname;}tos {match (equal | greater-than | less-than | not-equal);value type-of-service-in-decimal;}total-length 
{match (equal | greater-than | less-than | not-equal);value total-length-of-ip-datagram;}ttl {match (equal | greater-than | less-than | not-equal);value time-to-live;}}tcp {ack-number {match (equal | greater-than | less-than | not-equal);value acknowledgement-number;} data-length {match (equal | greater-than | less-than | not-equal);value tcp-data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value destination-port;}header-length {match (equal | greater-than | less-than | not-equal);value header-length;}mss {match (equal | greater-than | less-than | not-equal);value maximum-segment-size;}option {match (equal | greater-than | less-than | not-equal);value tcp-option;}sequence-number {match (equal | greater-than | less-than | not-equal);value sequence-number;}source-port {match (equal | greater-than | less-than | not-equal);value source-port;}tcp-flags {(ack | no-ack);(fin | no-fin);(psh | no-psh);(r1 | no-r1);(r2 | no-r2);(rst | no-rst);(syn | no-syn);(urg | no-urg);}urgent-pointer {match (equal | greater-than | less-than | not-equal);value urgent-pointer;}window-scale {match (equal | greater-than | less-than | not-equal);value window-scale-factor;}window-size {match (equal | greater-than | less-than | not-equal); value window-size; }}udp {data-length {match (equal | greater-than | less-than | not-equal);value data-length;}destination-port {match (equal | greater-than | less-than | not-equal);value destination-port;}source-port {match (equal | greater-than | less-than | not-equal);value source-port;}}}protocol-binding {application application-name;icmp;ip { protocol-number transport-layer-protocol-number;}rpc {program-number rpc-program-number;}tcp {minimum-port port-number maximum-port port-number;}udp {minimum-port port-number maximum-port port-number;}}regexp regular-expression;shellcode (all | intel | no-shellcode | sparc);}}recommended-action (close | close-client | close-server
| drop | drop-packet | ignore | none); severity (critical | info | major | minor | warning); time-binding {count count-value;scope (destination | peer | source);}}custom-attack-group custom-attack-group-name { group-members [attack-group-name | attack-name]; }dynamic-attack-group dynamic-attack-group-name { filters {category { values [list-of-values];} direction { values [any | client-to-server | exclude-any | exclude-client-to-server
| exclude-server-to-client | server-to-client];} false-positives { values [frequently | occasionally | rarely | unknown]; } performance { values [fast | normal | slow | unknown];} products { values [list-of-values];} recommended;service { values [list-of-values];} severity { values [critical | info | major | minor | warning]; } type { values [anomaly | signature]; } } } idp-policy policy-name {rulebase-ddos {rule rule-name {description text ;match {application [ any | default ];application-ddos ddos-application-name;destination-address [ address-name ];from-zone zone-name;source-address [ address-name ];to-zone zone-name;}then {action <close-server | drop-connection | drop-packet
| no-action>;ip-action {<ip-block | ip-close | ip-connection-rate-limit value | ip-notify | log>;timeout seconds;}}}} rulebase-exempt
{ rule rule-name { description
text; match
{ attacks
{ custom-attacks
[attack-name]; predefined-attack-groups
[attack-name]; predefined-attacks
[attack-name]; } destination-address
[address-name]; destination-except
[address-name]; from-zone
zone-name; source-address
[address-name]; source-except
[address-name]; to-zone zone-name; }}} rulebase-ips
{ rule rule-name { description text; match
{ attacks
{ custom-attacks
[ attack-name ]; predefined-attack-groups
[ attack-name ]; predefined-attacks
[ attack-name ]; } destination-address
[ address-name ]; destination-except
[ address-name ]; from-zone zone-name; source-address
[ address-name ]; source-except
[ address-name ]; to-zone zone-name; } terminal;
then
{ action
{ (close-client
| close-client-and-server | close-server | drop-connection
| drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);} ip-action
{ (ip-block
| ip-close | ip-notify); log;
target
(destination-address | service | source-address |
source-zone
| zone-service); timeout seconds; } notification
{
log-attacks {
alert; }packet-log {pre-attack number;post-attack number;post-attack-timeout seconds;}} severity
(critical | info | major | minor | warning); }}}} security-package
{ automatic
{ download-timeout;
enable;
interval hours; start-time start-time; } url url-name; } sensor-configuration
{ application-identification
{ application-system-cache;
application-system-cache-timeout
value; disable;
max-packet-memory value; max-sessions
value; max-tcp-session-packet-memory
value; max-udp-session-packet-memory
value; no-application-system-cache; }application-ddos {statistics interval;} detector
{ protocol-name protocol-name { tunable-name tunable-name { tunable-value protocol-value; } ssl-inspection
}} flow {
(allow-icmp-without-flow
| no-allow-icmp-without-flow); (log-errors
| no-log-errors); max-timers-poll-ticks value; reject-timeout
value; (reset-on-policy
| no-reset-on-policy); } global
{ (enable-all-qmodules
| no-enable-all-qmodules); (enable-packet-pool
| no-enable-packet-pool); (policy-lookup-cache
| no-policy-lookup-cache); } ips {
detect-shellcode;
ignore-regular-expression;
log-supercede-min
minimum-value; pre-filter-shellcode;
process-ignore-s2c;
process-override;
process-port port-number; } log {
cache-size size; suppression
{ disable;
include-destination-address;
max-logs-operate value; max-time-report value; start-log value;}}packet-log {total-memory percentage;max-sessions percentage;source-address ip-address;host ip-address port number;} re-assembler
{ ignore-mem-overflow;
max-flow-mem value; max-packet-mem value;} ssl-inspection
{ sessions number;}} traceoptions
{ file filename { <files number>; <match regular-expression>; <size maximum-file-size>; <world-readable
| no-world-readable>; } flag all;
level (all
| error | info | notice | verbose | warning); no-remote-trace;
}} ike {
gateway gateway-name { address [(ip-address | hostname)] | dead-peer-detection
{ always-send;
interval seconds; threshold number; } dynamic
{ connections-limit number; distinguished-name
{ container container-string; wildcard wildcard-string; } hostname domain-name; ike-user-type
(group-ike-id | shared-ike-id); inet ip-address; user-at-hostname user-at-hostname; } external-interface external-interface-name; ike-policy policy-name; local-identity
(distinguished-name string | hostname hostname | inet ip-address | user-at-hostname e-mail-address); nat-keepalive seconds; no-nat-traversal; xauth {
access-profile profile-name; }} policy policy-name { certificate
{ local-certificate certificate-id; peer-certificate-type
(pkcs7 | x509-signature); trusted-ca
(ca-index | use-all);} description description; mode (aggressive
| main); pre-shared-key
(ascii-text | hexadecimal); proposal-set
<basic | compatible | standard>; proposals [proposal-names];} proposal proposal-name { authentication-algorithm
(md5 | sha1 | sha-256); authentication-method
(dsa-signatures | pre-shared-keys | rsa-signatures); description description; dh-group
(group1 | group2 | group5); encryption-algorithm
(des-cbc | 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc);lifetime-seconds seconds;} respond-bad-spi number; traceoptions
{ file filename { <files number>; <match regular-expression>; <size maximum-file-size>;} flag {
all;
certificates;
database;
general;
ike;
parse;
policy-manager;
routing-socket;
timer;
snmp;
}}}ipsec { policy policy-name { description description; perfect-forward-secrecy
keys (group1 | group2 | group5); proposal-set
(basic | compatible | standard); }proposal proposal-name
{ description description; encryption-algorithm (des-cbc
| 3des-cbc | aes-128-cbc | aes-192-cbc| aes-256-cbc); lifetime-kilobytes kilobytes; lifetime-seconds seconds; protocol
(ah | esp); } traceoptions
{ flag {
all;
next-hop-tunnel-binding;
packet-drops;
packet-processing;
security-associations;
}} vpn vpn-name
{ bind-interface interface-name; df-bit (clear
| copy | set); establish-tunnels
(immediately | on-traffic); ike {
gateway gateway-name; idle-time seconds; install-interval seconds; ipsec-policy ipsec-policy-name; no-anti-replay;
proxy-identity
{ local ip-prefix; remote ip-prefix; service service-name; }} manual
{ authentication
{ algorithm
(hmac-md5-96 | hmac-sha1-96); key (ascii-text key | hexadecimal key);} encryption
{ algorithm
(3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc
| des-cbc); key (ascii-text
key | hexadecimal key); } external-interface external-interface-name; gateway ip-address; protocol
(ah | esp); spi spi-value; } vpn-monitor
{ destination-ip ip-address; optimized;
source-interface interface-name; }} vpn-monitor-options
{ interval seconds; threshold number; }}log {mode (event | stream);event-rate rate;format (syslog | sd-syslog)
; stream stream-name format (syslog | sd-syslog | welf) category (all | content-security)
host ip-address; traceoptions {file filename; files number;match regular-expression;size maximum-file-size;(world-readable | no-world-readable);}flag (all | configuration | source);no-remote-trace;} nat {
destination
{ pool pool-name { address
<ip-address> (to ip-address | port port-number); routing-instance routing-instance-name; } rule-set rule-set-name { from interface
[interface-name] | routing-instance
[routing-instance-name] | zone [zone-name]; rule rule-name { match
{ destination-address destination-address; destination-port port-number; source-address
[source-address]; } then
{ destination-nat
(off | pool pool-name);}}}} proxy-arp
{ interface interface-name { address ip-address to ip-address; }} source {
address-persistent;
interface {port-overloading { off };} pool pool-name { address ip-address to ip-address; host-address-base ip-address; overflow-pool
(interface | pool-name); port no-translation
| range high ip-address low ip-address; routing-instance routing-instance-name; } pool-utilization-alarm
{ clear-threshold threshold-value; raise-threshold threshold-value; }port-randomization {disable;} rule-set rule-set-name { from interface
[interface-name] | routing-instance
[routing-instance-name] | zone [zone-name]; rule rule-name { match
{ destination-address
[destination-address];destination-port port-number; source-address
[source-address];} then
{ source-nat
(off | interface | pool pool-name);persistent-nat {address-mapping;inactivity-timeout seconds;max-session-number number;permit ( any-remote-host | target-host | target-host-port
);}}} to interface
[interface-name] | routing-instance
[routing-instance-name] | zone [zone-name]; }} static {
rule-set rule-set-name { from interface
[interface-name] | routing-instance
[routing-instance-name] | zone [zone-name]; rule rule-name { match
{ destination-address
[destination-address]; } then
{ static-nat
prefix <addr-prefix> <routing-instance routing-instance-name>;}}}} traceoptions
{ file filename { <files number>; <match regular-expression>; <size maximum-file-size>; <world-readable
| no-world-readable>; } flag {
all;
destination-nat-pfe;
destination-nat-re;
destination-nat-rt;
source-nat-pfe;
source-nat-re;
source-nat-rt;
static-nat-pfe;
static-nat-re;
static-nat-rt;
} no-remote-trace;
}} pki {
auto-re-enrollment
{ certificate-id certificate-id-name { ca-profile-name ca-profile-name; challenge-password password; re-enroll-trigger-time-percentage percentage; re-generate-keypair; }} ca-profile ca-profile-name { administrator
{ e-mail-address e-mail-address; } ca-identity ca-identity; enrollment
{ retry number; retry-interval seconds ; url url-name; } revocation-check
{ crl {
disable
{ on-download-failure;
} refresh-interval hours; url url-name; } disable;
}} traceoptions
{ file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>; flag flag; }} policies {
default-policy
{ (deny-all
| permit-all); } from-zone zone-name to-zone zone-name { policy policy-name { match
{ application
[application-name-or-set]; destination-address
{ address-name; } source-address
{ address-name;}} scheduler-name scheduler-name; then
{ count
{ alarm
{ per-minute-threshold number; per-second-threshold number;}} (deny
| reject); permit
{ application-services {gprs-gtp-profile;idp;redirect-wx;reverse-redirect-wx;uac-policy;utm-policy;} destination-address
{ drop-translated;
drop-untranslated;
} firewall-authentication
{
pass-through {
access-profile profile-name;
client-match match-name;
web-redirect; }
web-authentication {
client-match user-or-group; }} tunnel
{ ipsec-group-vpn group-vpn; ipsec-vpn vpn-name; pair-policy pair-policy; }} log
{ session-close;
session-init;
}}}} policy-rematch;
traceoptions
{ file filename
<files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>; flag flag; }} screen {
ids-option screen-name { alarm-without-drop; icmp
{ flood
{ threshold number; } fragment;
ip-sweep
{ threshold number;} large;
ping-death;
} ip {
bad-option;
block-frag;
loose-source-route-option;
record-route-option;
security-option;
source-route-option;
spoofing;
stream-option;
strict-source-route-option;
tear-drop;
timestamp-option;
unknown-protocol;
} limit-session
{ destination-ip-based number; source-ip-based number;} tcp {
fin-no-ack;
land;
port-scan
{ threshold number;} syn-ack-ack-proxy
{ threshold number;} syn-fin;
syn-flood
{ alarm-threshold number; attack-threshold number; destination-threshold number; source-threshold number; timeout
seconds; } syn-frag;
tcp-no-flag;
tcp-sweep {threshold number;} winnuke;
} udp {
flood
{ threshold number;}udp-sweep {threshold number;}}} traceoptions
{ file filename
<files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>; flag flag; }} ssh-known-hosts
{ fetch-from-server fetch-from-server; host hostname { dsa-key base64-encoded-dsa-key; rsa-key base64-encoded-rsa-key; rsa1-key base64-encoded-rsa1-key; } load-key-file key-file; }utm {custom-objects {filename-extension {value [list];}mime-pattern {value [list];}custom-url-category {value [list];}protocol-command {value [list];}url-pattern {value [list];}}feature-profile {anti-virus {type kaspersky-lab-engine;kaspersky-lab-engine {pattern-update {url;interval value;}profile profile-name { fallback-options {default (log-and-permit | block);corrupt-file (log-and-permit | block);password-file (log-and-permit | block);decompress-layer (log-and-permit | block);content-size (log-and-permit | block);engine-not-ready (log-and-permit | block); timeout (log-and-permit | block);out-of-resources (log-and-permit | block);too-many-requests (log-and-permit | block);}scan-options {intelligent-prescreening;scan-mode (scan-all | by-extension);content-size-limit value; timeout value; decompress-layer-limit value;}notification-options {virus-detection { type (message | protocol-only);notify-mail-sender; custom-message;}fallback-block {custom-message;notify-mail-sender;type;}}trickling {timeout value;}}}type juniper-express-engine;juniper-express-engine {pattern-update {url; interval value;}profile profile-name { fallback-options {default (log-and-permit | block);content-size (log-and-permit | block); engine-not-ready (log-and-permit | block);timeout (log-and-permit | block);out-of-resources (log-and-permit | block);too-many-requests (log-and-permit | block);}scan-options {intelligent-prescreening;scan-mode (scan-all | by-extension);content-size-limit value; timeout value; decompress-layer-limit value;}notification-options {virus-detection { type (message | protocol-only);notify-mail-sender;custom-message;}fallback-block {custom-message;notify-mail-sender;type;}}trickling {timeout value;}}mime-whitelist {list listname {exception listname;}url-whitelist {listname;}}}web-filtering 
{surf-control-integrated {cache {timeout value;}server {host host-name;port number;}profile profile-name{default (log-and-permit | block);custom-block-message value;fallback-settings {default (log-and-permit | block);server-connectivity (log-and-permit | block);timeout (log-and-permit | block);too-many-requests (log-and-permit | block);}category customurl-list name {action (log-and-permit | block);}}websense-redirect { profile profile-name {server {host host-name;port number;}sockets value;timeout value;fallback-settings {default (log-and-permit | block);server-connectivity (log-and-permit | block);timeout (log-and-permit | block);too-many-requests (log-and-permit | block);}}url-whitelist {listname;}url-blacklist {listname;}juniper-local {profile profile-name{custom-block-message value;default (block | log-and-permit | permit);fallback-settings {default (block | log-and-permit);timeout;too-many-requests (block | log-and-permit);}timeout}anti-spam { sbl { profile profile-name{ sbl-default-server; spam-action (log-and-permit | block); custom-tag-string [***SPAM***]; }address-whitelist{listname;}}}content-filtering {profile profile-name{ block-command protocol-command-list;block-content-type (java-applet | exe | http-cookie);block-mime {list list-name {exception list-name;}}permit-command protocol-command-list;notification-options {type (message | protocol-only);custom-message [message];}}}utm-policy policy-name {anti-virus {http-profile profile-name;ftp {upload-profile profile-name;download-profile profile-name;}smtp-profile profile-name;pop3-profile profile-name;imap-profile profile-name;}content-filtering {http-profile profile-name;ftp {upload-profile profile-name;download-profile profile-name;}smtp-profile profile-name;pop3-profile profile-name;imap-profile profile-name;} anti-spam {smtp-profile profile-name;}web-filtering {http-profile profile-name;}traffic-options {sessions-per-client {limit value;over-limit (log-and-permit | block);}}}} zones {
functional-zone
{ management
{ host-inbound-traffic
{ protocols
{ protocol-name; protocol-name <except>;} system-services
{ service-name; service-name <except>;}} interfaces interface-name { host-inbound-traffic
{
protocols {
protocol-name;
protocol-name <except>; }
system-services {
service-name;
service-name <except>;}}} screen screen-name; }} security-zone zone-name { address-book
{ address address-name (ip-prefix | dns-name dns-address-name); address-set address-set-name { address address-name; }} host-inbound-traffic
{ protocols
{ protocol-name; protocol-name <except>; } system-services
{ service-name; service-name <except>; }} interfaces interface-name { host-inbound-traffic
{ protocols
{ protocol-name; protocol-name <except>; } system-services
{ service-name; service-name <except>; }}} screen screen-name; tcp-rst;}}} traceoptions
{ file filename { <files number>; <match regular-expression>; <size maximum-file-size>; <world-readable
| no-world-readable>; } flag flag; no-remote-trace;
rate-limit rate;}}}