Configuring Policies—Quick Configuration

To configure the security policies using the J-Web interface:

  1. Select Configure>Security>Policy>FW Policies. To control the volume of data displayed at one time, policies are grouped by zone context (by the from and to zones of the policy). By default, the Security Policy page displays all policies from the first From Zone and To Zone in the filter lists. Table 32 explains the content of this page.
  2. To change the context and the policies displayed, select from the From Zone and To Zone filter lists, and click Filter.
  3. Select one of the following policy configuration options:
    • Global Options—Configures options to be applied to all policies. Table 33 explains the content of this page.
    • Add—Creates a new security policy. The Add Policy page is displayed. Note that the tabs available on this page depend on the configuration options that you select for the new policy. Table 34 explains the content of this page.
    • Edit—Modifies a selected policy’s configuration. The Edit Policy page is displayed. Note that the tabs available on this page are based on the configuration options for this policy. Table 34 explains the content of this page.
    • Delete—Removes a selected policy from the configuration.
    • Clone—Creates a copy of a selected policy under a different name. The Clone Policy page is displayed. Note that the tabs available on this page are based on the configuration options for this policy. Table 34 explains the content of this page.
    • Deactivate—Deactivates a selected policy. Deactivating a policy does not delete it from your configuration.
    • Move—Moves a selected policy up or down in the list.
  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options > Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 32: Security Policy Output Details

Field

Function

From Zone and To Zone Filter

Groups policies by common zone context (the from and to zones of each policy) to control the volume of data displayed at one time. By default, the Security Policy page displays all policies in the first From Zone and To Zone in the filter lists. To change the policies listed, select the desired From Zone and To Zone, and click Filter.

From Zone

Displays the source zone to be used as match criteria for the policy.

To Zone

Displays the destination zone to be used as match criteria for the policy.

Name

Specifies the name of the policy.

Source Address

Displays the source addresses to be used as match criteria for the policy.

Destination Address

Displays the destination addresses to be used as match criteria for the policy.

Application

Specifies the name of the predefined or custom application signature to be used as match criteria for the policy.

Dynamic App

Specifies the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy.

The rule set is displayed in two lines. The first line displays the dynamic applications configured in the rule set. The second line displays the default dynamic application.

If more than two dynamic applications are specified for the rule set, hover over the output field to display the full list in a tooltip.

Action

Specifies the action portion of the rule set if an application firewall rule set is configured for the policy.

The rule set is displayed in two lines. The first line identifies the action to be taken when traffic matches the dynamic application. The second line displays the default action when traffic does not match the dynamic application.

  • permit—Permit access to the network services controlled by the policy. A green background signifies permission.
  • deny—Deny access to the network services controlled by the policy. A red background signifies denial.

NW Services

Specifies the network services permitted or denied by the rule set if an application firewall rule set is configured. Network services include:

  • application-firewall—Specify application firewall services.
  • gprs-gtp-profile—Specify a GPRS Tunneling Protocol profile name.
  • idp—Perform intrusion detection and prevention.
  • redirect-wx—Set WX redirection.
  • reverse-redirect-wx—Set WX reverse redirection.
  • uac-policy—Enable unified access control enforcement of the policy.

Count

Enables counters for computing session, packet, and byte statistics for the policy. By default, counters are disabled.

Table 33: Global Options Configuration Details

Field

Function

Action

Policy Options Tab


Default policy action

Specifies that any action that is intrinsic to the protocol is overridden. This action is also nonterminating. The available options are:

  • permit-all
  • deny-all

Select permit-all or deny-all.

Policy rematch

Enables the device to add a policy that has just been modified to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Click the Policy rematch box to enable the policy rematch option.

Flow – Main Tab

Aging

Early Ageout

Defines the amount of time before the device aggressively ages out a session from its session table.

Specify a value between 1 and 65,535 seconds. The default value is 20 seconds.

High Watermark

Sets the percentage of session table capacity at which the aggressive aging-out process begins.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Low Watermark

Sets the percentage of session table capacity at which the aggressive aging-out process ends.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Allow DNS reply

Allows an incoming DNS reply packet without a matched request. By default, if the query request does not match, the device drops the packet, does not create a session, and increments the illegal packet flow counter for the interface. The Allow DNS reply option directs the device to skip the check.

Click the Allow DNS reply box to enable DNS replies.

Route change to nonexistent route timeout

Applies the session timeout value on a route change to a nonexistent route. By default, this feature is disabled. If the timeout is not defined, sessions discovered to have no route are aged out using their current session timeout values.

Specify a value between 6 and 1800 seconds.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

The SYN cookie is enabled globally on the device and is activated when the configured syn-flood attack-threshold is exceeded.

Click Enable SYN cookie protection to enable the SYN cookie protection option.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Click Enable SYN proxy protection to enable the SYN proxy protection option.

Flow – TCP MSS Tab

Enable MSS override for all packets

MSS Value

Enables MSS override for all TCP packets for network traffic.

Click Enable MSS override for all packets to enable MSS override for all TCP packets.

Specify an MSS value between 64 and 65,535.

Enable MSS override for all GRE packets coming out of an IPsec tunnel

MSS Value

Enables MSS override for all GRE packets exiting an IPsec tunnel.

Enables and specifies the TCP-MSS for GRE packets that are about to go into an IPsec VPN tunnel. By default, a TCP-MSS for GRE packets is not set.

Click Enable MSS override for all GRE packets coming out of an IPsec tunnel to enable TCP-MSS for GRE.

Specify an MSS value between 64 and 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

MSS Value

Enables MSS override for all GRE packets entering an IPsec tunnel.

Enables and specifies the TCP-MSS for GRE packets that are leaving an IPsec VPN tunnel. By default, a TCP-MSS for GRE packets is not set.

Click Enable MSS override for all GRE packets entering an IPsec tunnel to enable the option.

Specify an MSS value between 64 and 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering an IPsec tunnel

MSS Value

Enables MSS override for all packets entering an IPsec tunnel.

Enables and specifies the TCP-MSS for all packets that are entering an IPsec VPN tunnel.

Click Enable MSS override for all packets entering an IPsec tunnel to enable MSS override for all packets that enter an IPsec tunnel.

Specify an MSS value between 64 and 65,535 bytes. The default value is 1320 bytes.

Flow – TCP Session Tab


Disable sequence-number checking

Disables the checking of sequence numbers in TCP segments during stateful inspection. By default, the device monitors the sequence numbers in TCP segments.

Click Disable sequence-number checking to disable sequence-number checking.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. It enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Click Strict SYN-flag check to enable strict SYN checking.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Click Disable SYN-flag check to disable the creation-time SYN-flag check.

Disable SYN-flag check (tunnel packets)

Disables the first-packet check for the SYN flag when forming a TCP flow session for tunnel packets.

Click Disable SYN-flag check (tunnel packets) to disable the SYN-flag check for the first TCP packet of a tunnel session.

RST invalidate session

Marks a session for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Click RST invalidate session to end the session immediately on receipt of a RST segment.

RST sequence check

Checks that the TCP sequence number in a TCP segment with the RST bit enabled matches the previous sequence number for a packet in that session or is the next higher number incrementally. By default, this check is disabled.

Click RST sequence check to enable checking of the sequence number in RST segments.

TCP Initial Timeout

Defines the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Specify a value between 20 and 300 seconds. The default value is 20 seconds.
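The same global options can be set from the Junos CLI. The block below is an added example, not part of the original page or of Juniper's documentation: it maps each Table 33 field to its `set security policies` or `set security flow` statement. The MSS values, the route-change timeout, the screen name `untrust-screen` and its SYN-flood threshold are assumed sample values chosen for illustration; lines starting with `#` are reader comments, not CLI input.

```junos
# Policy Options tab
set security policies default-policy deny-all
set security policies policy-rematch

# Flow - Main tab: aggressive aging thresholds (documented defaults)
set security flow aging early-ageout 20
set security flow aging high-watermark 100
set security flow aging low-watermark 100
# Accept DNS replies that have no matching request (skips the illegal-packet drop)
set security flow allow-dns-reply
# Age out sessions whose route disappears after 60 s instead of their normal timeout
set security flow route-change-timeout 60
# SYN cookie (or syn-proxy) is global, but only activates once the screen's
# syn-flood attack-threshold on a zone is exceeded, so a screen must be bound
set security flow syn-flood-protection-mode syn-cookie
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security zones security-zone untrust screen untrust-screen

# Flow - TCP MSS tab (64..65535; 1320 is the documented default for the tunnel cases)
set security flow tcp-mss all-tcp mss 1400
set security flow tcp-mss gre-in mss 1320
set security flow tcp-mss gre-out mss 1320
set security flow tcp-mss ipsec-vpn mss 1320

# Flow - TCP Session tab: only the options that tighten inspection are set here
set security flow tcp-session strict-syn-check
set security flow tcp-session rst-invalidate-session
set security flow tcp-session rst-sequence-check
set security flow tcp-session tcp-initial-timeout 20

# Review the resulting hierarchy and validate before committing
show security flow
commit check
```

The three "Disable ..." checkboxes on the TCP Session tab correspond to `no-sequence-check`, `no-syn-check` and `no-syn-check-in-tunnel` under `security flow tcp-session`; they relax stateful inspection and conflict with `strict-syn-check`, so they are deliberately left unset in this example.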

Table 34: Add/Edit/Clone Configuration Details

Field

Function

Action

Policy Tab

Policy Name

Specifies the name of the security policy.

On the Add Policy page, enter a name for the new policy.

On the Clone Policy page, modify the generated policy name as needed.

On the Edit Policy page, the name of the existing policy cannot be changed.

Policy Action

Specifies the action taken when traffic matches the criteria. Policy actions are:

  • Permit
  • Deny
  • Reject

Select Permit to allow the packet to pass through the firewall. (Adds the Permit Action and Application Services tabs to the page.)

Select Deny to block and drop the packet without sending a notification back to the source.

Select Reject to block and drop the packet and to send a notice to the source host.

  • For TCP traffic—Sends TCP RST.
  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).
  • For TCP and UDP traffic—Specifies action denied.

From Zone

Specifies the source zone to be used as match criteria for the policy.

Enter the From Zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

To Zone

Specifies the destination zone to be used as match criteria for the policy.

Enter the To Zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

Source Address

Specifies source addresses to be used as match criteria for the policy.

Add or remove source addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add New Source Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Destination Address

Specifies destination addresses to be used as match criteria for the policy.

Add or remove destination addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add New Destination Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Applications

Specifies the predefined or custom application signatures to be used as match criteria for the policy.

Select the appropriate application signatures.

Logging/Count Tab

Enable Count

Enable Count

Enables statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds.

When enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select Enable Count to collect statistics and trigger alarms when traffic exceeds the threshold values.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Per Minute Alarm Threshold

If count is enabled, defines the byte threshold for the per-minute alarm.

Enter a value from 0 through KB.

Per Second Alarm Threshold

If count is enabled, defines the byte threshold for the per-second alarm.

Enter a value from 0 through 4294967295 KB.

Log Options

Log at Session Close Time

Logs an event when the session closes. By default, this option is not enabled.

Enable or disable session close logging.

Log at Session Init Time

Logs an event when the session is created. By default, this option is not enabled.

Enable or disable session create logging.

Scheduling Tab

Scheduler Name

Specifies the scheduler that defines the time the policy will be activated.

Select the appropriate scheduler from the list.

Permit Action Tab

Tunnel

IPSec VPN

VPN

Specifies the IPsec-VPN tunnel.

Enter the name of the IPsec-VPN tunnel.

Pair Policy

Pair Policy Name

Specifies the name of the policy with the same IPsec-VPN in the opposite direction to create a pair policy.

Enter the name of the policy that specifies the criteria for the opposite tunnel direction.

NAT Translation

Options

Specifies the appropriate NAT translation feature.

Select one of the following options:

  • None
  • Drop packets with translated address
  • Drop packets without translated address

Firewall Authentication

Pass-through

Access Profile

Specifies the profile used to verify traffic as it attempts to pass through the firewall.

Select from the profile list.

Client name

Specifies the client name for the pass-through.

Enter the client name.

Web Redirect

Specifies that pass-through traffic is redirected for Web authentication.

Enable or disable redirection for Web authentication.

Web authentication

Client Name

Specifies the client name for the Web authentication.

Enter the Web authentication client.

Application Services Tab

IDP

Enable IDP

Enables IDP for this policy.

Enable or disable IDP.

UTM Policy

UTM Policy

Specifies the UTM policy to be associated with this policy.

Enter the UTM policy name.

Redirect

Options

Specifies the type of redirection.

Select one of the following options:

  • None
  • Redirect-wx
  • Reverse Redirect-wx

Application Firewall

Rule-Set

Specifies the configured application firewall rule set for this policy.

Enter the name of the application firewall rule set.
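The J-Web procedure at the top of this page and the Add/Edit/Clone fields in Table 34 have a direct CLI equivalent. The block below is an added example, not part of the original page or of Juniper's documentation: it builds one permit policy that exercises the Policy, Logging/Count, Scheduling, Permit Action and Application Services tabs, a reject policy, a VPN pair policy, and then shows the Move, Deactivate and Delete operations. Zone names `trust`/`untrust`, the address objects, the scheduler, the access profile `corp-users`, the UTM policy `web-utm`, the rule set `web-appfw`, the VPN `site-b-vpn` and the alarm thresholds are all assumed sample values; lines starting with `#` are reader comments, not CLI input.

```junos
# Address objects for the Source/Destination Address fields (names must not use
# the reserved prefixes static_nat_, incoming_nat_ or junos_)
set security zones security-zone trust address-book address lan-users 10.10.0.0/24
set security zones security-zone untrust address-book address web-srv 203.0.113.10/32
set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 18:00:00

# Policy tab: name, zone context, match criteria, action
set security policies from-zone trust to-zone untrust policy allow-web match source-address lan-users
set security policies from-zone trust to-zone untrust policy allow-web match destination-address web-srv
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Logging/Count tab: session-init/close logs, counters, alarm thresholds in KB
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy allow-web then count alarm per-minute-threshold 10000 per-second-threshold 500

# Scheduling tab
set security policies from-zone trust to-zone untrust policy allow-web scheduler-name business-hours

# Permit Action tab: pass-through firewall authentication with Web redirect
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through access-profile corp-users
set security policies from-zone trust to-zone untrust policy allow-web then permit firewall-authentication pass-through web-redirect

# Application Services tab: IDP, UTM policy, application firewall rule set
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy web-utm
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services application-firewall rule-set web-appfw

# Reject action: TCP gets a RST, UDP gets ICMP type 3 code 3
set security policies from-zone trust to-zone untrust policy reject-rest match source-address any
set security policies from-zone trust to-zone untrust policy reject-rest match destination-address any
set security policies from-zone trust to-zone untrust policy reject-rest match application any
set security policies from-zone trust to-zone untrust policy reject-rest then reject

# Permit Action tab, Tunnel section: a pair policy covers both tunnel directions
set security policies from-zone trust to-zone untrust policy vpn-out match source-address lan-users
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn site-b-vpn pair-policy vpn-in
set security policies from-zone untrust to-zone trust policy vpn-in match source-address any
set security policies from-zone untrust to-zone trust policy vpn-in match destination-address lan-users
set security policies from-zone untrust to-zone trust policy vpn-in match application any
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel ipsec-vpn site-b-vpn pair-policy vpn-out

# Move: policies are evaluated top-down, so the permit must precede the reject
insert security policies from-zone trust to-zone untrust policy allow-web before policy reject-rest
commit

# Deactivate keeps the policy in the configuration; Delete removes it (pick one)
deactivate security policies from-zone trust to-zone untrust policy reject-rest
# delete security policies from-zone trust to-zone untrust policy reject-rest
commit

# Verify order, state and counters (operational mode, run from configuration mode)
run show security policies from-zone trust to-zone untrust
run show security policies policy-name allow-web detail
run show security policies hit-count
```

The `insert ... before` step is the CLI form of the Move option and is the check most worth making after any Add or Clone: a cloned policy lands at the end of the zone-context list, so a broad reject or deny above it silently shadows it until it is moved.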