Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Understanding Security Policy Rules
The security policy applies the security rules to the transit traffic within a context (from-zone to to-zone). Each policy is uniquely identified by its name. The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane.
Each policy is associated with the following characteristics:
- A source zone
- A destination zone
- One or many source address names or address set names
- One or many destination address names or address set names
- One or many application names or application set names
These characteristics are called the match criteria. Each policy also has actions associated with it: permit, deny, reject, count, and log. You have to specify the match condition arguments when you configure a policy, source address, destination address, and application name.
You can specify to configure a policy with IPv4 or IPv6 addresses using the wildcard entry any. When flow support is not enabled for IPv6 traffic, any matches IPv4 addresses. For example, if you want to include both IPV4 and IPv6 addresses in the match criteria, then any is used. You can also specify the wildcard any-ipv4 or any-ipv6 for the source and destination address match criteria to include only IPv4 or only IPv6 addresses, respectively.
If you do not want to specify a specific application, enter any as the default application. To look up the default applications, from configuration mode, enter show groups junos-defaults | find applications (predefined applications). For example, if you do not supply an application name, the policy is installed with the application as a wildcard (default). Therefore, any data traffic that matches the rest of the parameters in a given policy would match the policy regardless of the application type of the data traffic.
The action of the first policy that the traffic matches is applied to the packet. If there is no matching policy, the packet is dropped. Policies are searched from top to bottom, so it is a good idea to place more specific policies near the top of the list. You should also place IPsec VPN tunnel policies near the top. Place the more general policies, such as one that would allow certain users access to all Internet applications, at the bottom of the list. For example, place deny-all or reject-all policies at the bottom after all of the specific policies have been parsed before and legitimate traffic has been allowed/count/logged.
Policies are looked up during flow processing after firewall filters and screens have been processed and route look up has been completed by the Services Processing Unit (SPU) (for high-end SRX devices). Policy look up determines the destination zone, destination address, and egress interface.
When you are creating a policy, the following policy rules apply:
- Security policies are configured in a from-zone to to-zone direction. Under a specific zone direction, each security policy contains a name, match criteria, an action, and miscellaneous options.
- The policy name, match criteria, and action are required.
- The policy name is a keyword.
- The source address in the match criteria is composed of one or more address names or address set names in the from-zone.
- The destination address of the match criteria is composed of one or more address names or address set names in the to-zone.
- The application name in the match criteria is composed of the name of one or more applications or application sets.
- One of the following actions is required: permit, deny, reject, count, or log.
- When logging is enabled, the system logs at session close (session-close) time by default. To enable logging at session creation, use the session-init command.
- When the count alarm is turned on, you can, optionally, specify alarm thresholds in bytes per second and kilobytes per minute.
- You cannot specify global as either the from-zone or the to-zone except under following condition:
Any policy configured with the to-zone as a global zone must have a single destination address to indicate that either static NAT or incoming NAT has been configured in the policy.
- In SRX Series Services Gateways, the policy permit option with NAT is simplified. Each policy will optionally indicate whether it allows NAT translation, does not allow NAT translation, or does not care.
Address names cannot begin with the following reserved prefixes. These are used only for address NAT configuration:
- static_nat_
- incoming_nat_
- junos_
- Application names cannot begin with the junos_ reserved prefix.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Security Policies Overview
- Understanding Security Policy Elements
- Security Policies Configuration Overview
- Understanding Security Policy Ordering
