
Configuring Policies—Quick Configuration

To configure the security policies using the J-Web procedure:

  1. In the J-Web interface, select Configure>Security>Policy>FW Policies.
  2. Select one of the following policy configuration options:
  3. Select the Policy tab to specify the basic configuration requirements for the policy, including the name, from-zone, to-zone, source address, destination address, policy applications, and policy action. See Table 162 for more information.
  4. Select the Logging/Count tab to specify logging requirements for the policy. See Table 163 for more information.
  5. Select the Scheduling tab to select a scheduler whose schedule determines when the policy is active. (You must create the scheduler that you want to include in the policy before creating the policy.)
  6. Select the Permit Action tab to specify the VPN, NAT, and authentication settings for the policy. See Table 164 for more information. (This tab appears only if you select Permit as the policy action in the Policy tab.)
  7. Select the Application Services tab to specify the IDP, UTM, and WX settings for the policy. See Table 165 for more information. (This tab appears only if you select Permit as the policy action in the Policy tab.)
  8. Click one:

Table 161: Global Options Configuration Options

Field | Description | Action

Policy Options

Default policy action

Sets the action applied to traffic that matches none of the configured policies. The factory default is deny-all, so only traffic explicitly permitted by a policy is forwarded. The available options are:

  • permit-all
  • deny-all

Select a value from the list.

Policy rematch

Enables the device to add a policy that has just been modified to a deferred action list for reevaluation. For every session associated with the policy, the device repeats the policy lookup. If the lookup now returns a different policy from the one associated with the session, the device drops the session; if the same policy still matches, the session continues. Without rematch, sessions established under the old version of the policy keep running until they time out.

Select this check box to enable policy rematch.

Flow - Main > Aging

Early Ageout

Defines the ageout value before the router aggressively ages out a session from its session table.

Specify a value between 1 and 65535 seconds. The default value is 20 seconds.

High Watermark

Sets percentage of session table capacity at which the aggressive aging-out process begins.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Low Watermark

Sets percentage of session-table capacity at which aggressive aging-out ends.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Allow DNS reply

Allows an incoming DNS reply packet that has no matching request. By default, if a reply matches no outstanding query, the router drops the packet, creates no session, and increments the illegal-packet flow counter for the interface. The allow-dns-reply statement directs the router to skip this check.

Select this check box to accept unmatched DNS replies.

Route change to nonexistent route timeout

Applies a session timeout when a route change leaves a session with no route. By default, this feature is disabled: sessions found to have no route age out according to their current session timeout values.

Specify a value between 6 and 1800 seconds.

Enable SYN cookie protection

Enables SYN-cookie defenses against SYN flood attacks. SYN cookie is enabled globally on the security router and is activated only when the syn-flood attack-threshold configured in the zone's screen is exceeded.

Select the radio button to enable SYN cookie protection. (SYN cookie and SYN proxy are alternative modes; only one can be active at a time.)

Enable SYN proxy protection

Enables SYN-proxy defenses against SYN flood attacks.

Select the radio button to enable SYN proxy protection.

Flow TCP-MSS

Enable MSS override for all packets

Enables maximum segment size (MSS) override for all TCP packets passing through the device.

Select the check box to enable MSS override for all TCP packets.

MSS Value

Specifies the TCP MSS value to enforce when the override is enabled.

Specify a value between 64 and 65535 bytes.

Enable MSS override for all GRE packets coming out of an IPsec tunnel

Enables and specifies the TCP-MSS for Generic Routing Encapsulation (GRE) packets that are exiting an IPsec VPN tunnel (the gre-in setting). The override is off by default.

Select the GRE in check box to enable TCP-MSS override for GRE packets leaving the tunnel.

MSS Value

Specify a value between 64 and 65,535 bytes. When the override is enabled and no value is entered, 1320 bytes is used.

Enable MSS override for all GRE packets entering an IPsec tunnel

Enables and specifies the TCP-MSS for GRE packets that are about to enter an IPsec VPN tunnel (the gre-out setting). The override is off by default.

Select the GRE out check box to enable TCP-MSS override for GRE packets entering the tunnel.

MSS Value

Specify a value between 64 and 65,535 bytes. When the override is enabled and no value is entered, 1320 bytes is used.

Enable MSS override for all packets entering an IPsec tunnel

Enables and specifies the TCP-MSS for all packets entering an IPsec VPN tunnel (the ipsec-vpn setting), so that the packet still fits the path MTU after the IPsec encapsulation overhead is added.

Select the IPsec VPN check box to enable MSS override for all packets that enter an IPsec tunnel.

MSS Value

Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

Flow-TCP Session  

Disable sequence-number checking

Disables the checking of sequence numbers in TCP segments during stateful inspection. By default, the router monitors the sequence numbers in TCP segments and drops segments that fall outside the expected window.

Select the check box to disable sequence-number checking.

Strict SYN-flag check

Enables the strict three-way-handshake check for TCP sessions: data packets received before the handshake has completed are dropped. By default, this check is disabled.

Select this check box to enable strict SYN checking.

Disable SYN-flag check

Disables the check that the SYN bit is set in the first packet of a TCP session. By default, the router verifies that the SYN bit is set in the first packet of a session and drops the packet if it is not.

Select the check box to disable the creation-time SYN-flag check.

Disable SYN-flag check (tunnel packets)

Disables the creation-time SYN-flag check for TCP packets arriving through a tunnel (for example, an IPsec VPN); the first packet of such a flow is then allowed to create a session even if it is not a SYN.

Select the check box to disable the SYN-flag check for the first TCP packet of tunnel traffic.

RST invalidate session

Marks a session for immediate termination when it receives a TCP reset (RST) segment. By default, this statement is unset. When unset, the router applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select this checkbox to immediately end session on receipt of reset (RST) segment.

RST sequence check

Checks that the TCP sequence number in a segment with the RST bit set matches the previous sequence number seen for that session or is the next higher number. Resets that fail the check are ignored, which blunts blind RST injection. By default, this check is disabled.

Select this check box to enable sequence-number checking of RST segments.

TCP Initial Timeout

Defines the length of time (in seconds) that the router keeps a TCP session that has not yet completed the three-way handshake in the session table before dropping it, unless a FIN or RST packet ends it first.

Specify a value between 20 and 300 seconds. The default value is 20 seconds.
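The Junos CLI statements behind the Table 161 settings, shown here as an added example that is not part of this page or of Juniper's documentation, with values chosen for a typical perimeter deployment. The zone name untrust, the screen name untrust-screen, the attack threshold of 200, the watermark percentages and the MSS values are assumptions for illustration; comment lines beginning with # are explanatory and are not configuration statements.

```junos
# Policy Options: drop anything no policy permits, and re-evaluate live sessions on policy edits.
set security policies default-policy deny-all
set security policies policy-rematch

# Flow - Main > Aging: start aggressive ageout at 90% table occupancy, stop at 70%.
set security flow aging early-ageout 20
set security flow aging high-watermark 90
set security flow aging low-watermark 70
set security flow route-change-timeout 30

# SYN flood defence: the flow-level mode is either syn-cookie or syn-proxy (never both),
# and it engages only once a zone screen's attack-threshold (SYNs per second) is crossed.
set security flow syn-flood-protection-mode syn-cookie
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security zones security-zone untrust screen untrust-screen

# Flow TCP-MSS: clamp the advertised MSS so TCP carried inside GRE/IPsec fits the path MTU.
set security flow tcp-mss all-tcp mss 1400
set security flow tcp-mss gre-in mss 1320
set security flow tcp-mss gre-out mss 1320
set security flow tcp-mss ipsec-vpn mss 1350

# Flow-TCP Session: the hardening options from the table.
set security flow tcp-session strict-syn-check
set security flow tcp-session rst-invalidate-session
set security flow tcp-session rst-sequence-check
set security flow tcp-session tcp-initial-timeout 30

# The "Disable ..." check boxes and "Allow DNS reply" map to the statements below.
# Each one relaxes stateful inspection; leave them unset unless asymmetric routing
# or a known-broken peer forces the issue.
# set security flow tcp-session no-sequence-check
# set security flow tcp-session no-syn-check
# set security flow tcp-session no-syn-check-in-tunnel
# set security flow allow-dns-reply

commit check
```

After committing, `show security flow status` reports the SYN flood protection mode in effect, and `show security flow session summary` shows the current session counts, which you can compare with the table capacity to judge whether the watermarks will ever trigger aggressive aging.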

Table 162: Policy Configuration Options

Field

Description

Policy Name

Specify a name for the security policy.

From Zone

Specify the source zone for the policy. (You must create the zones that you want to include in the policy before creating the policy.)

To Zone

Specify the destination zone for the policy. (You must create the zones that you want to include in the policy before creating the policy.)

Source Address

Specify the name of the source address or address set for the policy (as entered in the source zone’s address book) and move it to the Matched list using the arrows.

If you want to add a new address to the list, select Add New Source Address. In the fields that appear, specify the new address and click Add.

Note: Address names cannot begin with the following reserved prefixes. These prefixes are used only for address NAT configuration:

  • static_nat_
  • incoming_nat_
  • junos_

Destination Address

Specify the name of the destination address or address set for the policy (as entered in the destination zone's address book) and move it to the Matched list using the arrows.

If you want to add a new address to the list, select Add New Destination Address. In the fields that appear, specify the new address and click Add.

Note: Address names cannot begin with the following reserved prefixes. These prefixes are used only for address NAT configuration:

  • static_nat_
  • incoming_nat_
  • junos_

Applications

Specify the name of an application or application set to which the policy applies and move it to the Matched list using the arrows. If you do not want to specify an application, select any as the default application.

Policy Action

Specify the action to take on traffic that matches the policy as it passes through the firewall:

  • Permit—Allows the packet to pass through the firewall.
  • Reject—Blocks the packet from traversing the firewall and notifies the source host. The firewall drops the packet and sends a TCP reset (RST) segment to the source for TCP traffic, or an ICMP destination unreachable, port unreachable message (type 3, code 3) for UDP traffic. For other protocols the packet is dropped silently, as with Deny.
  • Deny—Blocks and drops the packet without sending any notification back to the source.

Table 163: Logging/Count Configuration Options

Field

Description

Enable Count

Select this option to enable counting.

If counting is enabled, counters are collected for the number of packets, bytes, and sessions that match the policy. For packet and byte counts, you can specify that alarms be generated whenever the traffic exceeds specified thresholds.

Note: The alarm threshold fields are disabled if Enable Count is not selected.

Per Minute Alarm Threshold

Specify the traffic volume per minute, in kilobytes, above which an alarm is generated.

Enter any value from 0 through 4294967295 kilobytes.

Per Second Alarm Threshold

Specify the traffic volume per second, in kilobytes, above which an alarm is generated.

Enter any value from 0 through 4294967295 kilobytes.

Log Options

Log at Session Close Time

Select this option to log an event when the session closes. The close record carries the final packet and byte counts for the session.

Log at Session Init Time

Select this option to log an event when the session is created.
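The following Junos CLI configuration is an added example, not part of this page or of Juniper's documentation, that builds the policy described by the J-Web procedure above and by Tables 162 and 163 (the Policy, Logging/Count and Scheduling tabs), and adds a Reject and a catch-all Deny policy to show the three actions side by side. The zone names trust and untrust, the address names lan-hosts and web-servers, the prefixes, the scheduler name business-hours and the policy names are all assumptions for illustration; comment lines beginning with # are explanatory and are not configuration statements.

```junos
# Zones and per-zone address-book entries referenced by the policies (names and prefixes assumed).
set security zones security-zone trust address-book address lan-hosts 10.0.1.0/24
set security zones security-zone untrust address-book address web-servers 203.0.113.0/24

# Scheduling tab: the scheduler must exist before a policy references it (step 5).
set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 18:00:00

# Policy tab (Table 162): name, from-zone, to-zone, source, destination, applications, action.
set security policies from-zone trust to-zone untrust policy allow-web match source-address lan-hosts
set security policies from-zone trust to-zone untrust policy allow-web match destination-address web-servers
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Logging/Count tab (Table 163): log at session init and close, and keep packet/byte/session counters.
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy allow-web then count

# Scheduling tab: the policy is active only while the scheduler says so.
set security policies from-zone trust to-zone untrust policy allow-web scheduler-name business-hours

# Reject: the source learns immediately (TCP RST, or ICMP port unreachable for UDP).
set security policies from-zone trust to-zone untrust policy reject-telnet match source-address any
set security policies from-zone trust to-zone untrust policy reject-telnet match destination-address any
set security policies from-zone trust to-zone untrust policy reject-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy reject-telnet then reject

# Deny: silent drop. Logging session-init on the catch-all makes blocked traffic visible.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

commit check
```

Policies within a zone pair are evaluated top down and the first match wins, so the specific allow and reject rules are entered ahead of the catch-all deny. `show security policies from-zone trust to-zone untrust` displays the resulting order, and `show security policies policy-name allow-web detail` shows the counters that count enables.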

Table 164: Permit Action Configuration Options

Field | Description
Tunnel — IPSec VPN

VPN

Specify the name of the IPsec-VPN tunnel.

Pair Policy

Pair Policy Name

Specify the name of the policy with the same IPsec-VPN in the reverse direction to create a pair policy.

NAT Translation

Options

Select one of the following options:

  • None
  • Drop packets with translated address
  • Drop packets without translated address

Firewall Authentication

Use these options to authenticate the client before the traffic is forwarded. The two types of firewall authentication are:

  • Pass-through authentication
  • Web authentication

Pass-through

Pass-through authentication challenges the client for credentials as its traffic first attempts to pass through the firewall.

Access Profile

Select the access profile for the pass-through from the drop-down list.

Client name

Specify the client name for the pass-through.

Web Redirect

Select the Web Redirect option if you want to redirect the pass-through traffic for Web authentication.

Web authentication

Use Web authentication to have the client authenticate through a Web login page before its traffic is permitted.

Client name

Specify the client name for the Web authentication.

Table 165: Application Services Configuration Options

Field

Description

IDP

Enable IDP

Select this option to enable IDP for the policy.

UTM Policy

UTM Policy

Select the required UTM policy from the drop-down list.

Redirect

Options

Select one of the following options:

  • None
  • Redirect-wx
  • Reverse Redirect-wx
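As an added example (not taken from this page or from Juniper's documentation), the Junos CLI equivalents of the Permit Action tab (Table 164) and the Application Services tab (Table 165): a paired IPsec tunnel policy in each direction, the NAT translation option, and a permit that requires pass-through firewall authentication and then applies IDP and a UTM policy. It assumes that an IPsec VPN named site-b-vpn, an access profile named ldap-users and a UTM policy named web-utm already exist; the zone, address and policy names are also assumptions, and comment lines beginning with # are explanatory rather than configuration.

```junos
# Address-book entries used below (names and prefixes assumed).
set security zones security-zone trust address-book address lan-hosts 10.0.1.0/24
set security zones security-zone untrust address-book address site-b-lan 10.0.2.0/24

# VPN and Pair Policy fields: outbound tunnel policy, paired with its reverse-direction twin.
set security policies from-zone trust to-zone untrust policy to-site-b match source-address lan-hosts
set security policies from-zone trust to-zone untrust policy to-site-b match destination-address site-b-lan
set security policies from-zone trust to-zone untrust policy to-site-b match application any
set security policies from-zone trust to-zone untrust policy to-site-b then permit tunnel ipsec-vpn site-b-vpn
set security policies from-zone trust to-zone untrust policy to-site-b then permit tunnel pair-policy from-site-b

# The reverse policy names the same VPN and points back at to-site-b, completing the pair.
set security policies from-zone untrust to-zone trust policy from-site-b match source-address site-b-lan
set security policies from-zone untrust to-zone trust policy from-site-b match destination-address lan-hosts
set security policies from-zone untrust to-zone trust policy from-site-b match application any
set security policies from-zone untrust to-zone trust policy from-site-b then permit tunnel ipsec-vpn site-b-vpn
set security policies from-zone untrust to-zone trust policy from-site-b then permit tunnel pair-policy to-site-b

# NAT Translation field: "Drop packets with translated address" keeps traffic whose
# destination was rewritten by NAT from riding this tunnel policy.
set security policies from-zone untrust to-zone trust policy from-site-b then permit destination-address drop-translated

# Firewall Authentication (pass-through with Web redirect) plus Application Services (IDP and UTM)
# on a single permit: the client must authenticate before any inspection or forwarding happens.
set security policies from-zone trust to-zone untrust policy auth-web match source-address lan-hosts
set security policies from-zone trust to-zone untrust policy auth-web match destination-address any
set security policies from-zone trust to-zone untrust policy auth-web match application junos-http
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through access-profile ldap-users
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through web-redirect
set security policies from-zone trust to-zone untrust policy auth-web then permit application-services idp
set security policies from-zone trust to-zone untrust policy auth-web then permit application-services utm-policy web-utm

commit check
```

The Permit Action and Application Services options are only reachable under `then permit`, which is why J-Web hides those tabs for Reject and Deny; `show security policies policy-name auth-web detail` confirms which services are attached after the commit.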
