Security

Configuring Security Zones

To configure security zones using the J-Web interface:

  1. Select Configure>Security>Zones/Screens. The Zones/Screens Configuration page appears.
  2. Click one:
    • Add—Adds a new zone or screen. Table 30 describes the available options for zones; Table 31 describes the options for screens.
    • Edit—Edits the selected zone or screen.
    • Delete—Deletes the selected zone or screen.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 30: Security Zones Options

Field

Function

Action

Main

Zone name

Name of the zone for which you are enabling policies.

Specify a unique name for the zone you are adding.

Zone type

Type of zone you are adding.

Select either security or functional as the zone type. Only one Functional zone can be configured.

Traffic Control Options

Send RST for non matching session

When the RST (reset) feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYN (synchronize) flag set.

Select this check box to enable the tcp-rst feature, which sends a TCP segment with the RESET flag set to 1 in response to a TCP segment with any flag set other than SYN and that does not belong to an existing session.

Binding screen

Assigns screens to a zone. If you have already configured screens, the drop-down list shows the screen names and allows you to select or delete a screen.

Assign a screen to the zone.

Interfaces in this zone

Available interfaces for the security zone.

Use the left or right arrows to select or clear the interfaces that you want included in the security zone.

Host inbound traffic - Zone

Selected Interfaces

Displays the selected interfaces.

Select an interface to enable the Protocols and Services options.

Protocols

Protocols that permit inbound traffic of the selected type to be transmitted to hosts within the zone.

Highlight the protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all protocols.

Services

Interface services that permit inbound traffic of the selected type to be transmitted to hosts within the zone, provided there is a policy that permits it.

Highlight the services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all services.

Host inbound traffic - Interface

Interface services

Services that permit inbound traffic from the selected interface to be transmitted to hosts within the zone.

Highlight the interface services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface services.

Note: If you select multiple interfaces, the existing Interface services and Interface protocols selections clear and new Interface services and Interface protocols selections are applied to the selected interfaces.

Interface protocols

Interface protocols that permit inbound traffic from the selected interface to be transmitted to hosts within the zone.

Highlight the interface protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface protocols.

Table 31: Security Screen Options

Field

Function

Action

Main

Screen Name

Name of the screen object.

Specify a unique name for the screen object you are defining.

Generate alarms without dropping packets

Generates alarms without dropping packets.

Select this check box to generate alarms without dropping any packets.

Scan/Spoof/Sweep Defence

IP spoofing

Enables protection against IP address spoofing. IP spoofing is when a bogus source address is inserted in the packet header to make the packet appear to come from a trusted source.

Select this check box to enable IP address spoofing protection.

IP sweep

Number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts.

Select this check box to enable IP address sweep detection.

Configure a time interval (in microseconds). If a remote host sends ICMP traffic to 10 addresses within this interval, an address sweep attack is flagged and further ICMP packets from the remote host are rejected. Valid values are between 1000 and 1000000 microseconds. The default value is 5000 microseconds.

Port scan

Number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.

Select this check box to enable port scan detection.

Configure a time interval (in microseconds). If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. Valid values are between 1000 and 1000000 microseconds. The default value is 5000 microseconds.

Ms Windows Defense

WinNuke attack protection

Number of Transmission Control Protocol (TCP) WinNuke attacks. WinNuke is a DoS attack targeting any computer on the Internet running Windows.

Select this check box to enable the WinNuke attack protection option.

Denial of Service

Land attack protection

Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Select this check box to enable the land attack protection option.

Teardrop attack protection

Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets.

Select this check box to enable the teardrop protection option.

ICMP fragment protection

Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.

Select this check box to enable the ICMP fragment protection option.

Ping of death attack protection

ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).

Select this check box to enable the ping of death attack protection option.

Large size ICMP packet protection

Number of large ICMP packets.

Select this check box to enable the large (size >1024) ICMP packet protection option.

Block fragment traffic

Number of IP block fragments.

Select this check box to enable IP fragment blocking.

SYN-ACK-ACK proxy protection

Counter for SYN-ACK-ACK proxy sessions. This option is designed to prevent flooding with SYN-ACK-ACK sessions. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, JUNOS software rejects further connection requests from that IP address.

Select this check box to enable SYN-ACK-ACK proxy protection.

Configure the threshold between 1 and 250000 sessions. The default value is 512 sessions.

Anomalies - IP

Bad option

Counter for IP packets with bad options.

Select this check box to enable the IP with bad option IDs screen option.

Security

Provides a way for hosts to send security parameters (the IP security option) in the packet header.

Select this check box to enable the IP with security option.

Unknown protocol


Select this check box to enable the Unknown Protocol Protection option.

Strict source route

Specifies the complete route list for a packet to take on its journey from source to destination.

Select this check box to enable IP with strict source route option.

Source route

Counter for packets with the source route option, which lists the IP addresses of the devices, set at the source, that an IP transmission is allowed to pass through on its way to its destination.

Select this check box to enable IP with source route option.

Timestamp

Records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.

Select this check box to enable IP with timestamp option.

Stream

Provides a way for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept.

Select this check box to enable IP with stream option.

Loose source route

Specifies a partial route list for a packet to take on its journey from source to destination.

Select this check box to enable IP with loose source route option.

Record route

Records the IP addresses of the network devices along the path that the IP packet travels.

Select this check box to enable IP with record route option.

TCP

SYN Fragment Protection

Number of TCP SYN fragments.

Select this check box to enable SYN Fragment option.

SYN and FIN Flags Set Protection

Number of TCP SYN and FIN flags. When you enable this option, JUNOS Software checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.

Select this check box to enable SYN and FIN flags Set option.

FIN Flag Without ACK Flag Set Protection

Number of TCP segments with the FIN flag set but not the ACK flag. When you enable this option, JUNOS Software checks whether the FIN flag is set without the ACK flag in TCP headers. If it discovers such a header, it drops the packet.

Select this check box to enable the FIN Flag Without ACK Flag Set option.

TCP Packet Without Flag Set Protection

Number of TCP headers without flags set. A normal TCP segment header has at least one control flag set.

Select this check box to enable TCP Packet without Flag Set option.

Flood Defence

Limit Sessions


Limit sessions from the same destination

Limits sessions from the same destination IP.

Select this check box to enable destination IP based session limit.

Configure the threshold between 1 and 50000 sessions. The default value is 128 sessions.

Note: For SRX Series devices, the applicable range is 1 through 8000000 sessions per second.

ICMP/UDP protection

ICMP flood protection

Internet Control Message Protocol (ICMP) flood counter. An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.

Select this check box to enable the ICMP flood protection option. The default value is 1000 pps.

Configure threshold value for ICMP flood between 1 and 100000 ICMP packets per second (pps).

Note: For SRX Series devices, the applicable range is 1 through 4000000 ICMP Packets per second.

UDP flood protection

User Datagram Protocol (UDP) flood counter. UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled.

Select this check box to enable UDP flood protection.

Configure the threshold between 1 and 100000 sessions. The default value is 1000 sessions.

SYN Flood Protection

SYN flood protection

SYN flood occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests.

Select this check box to enable all the threshold and ager timeout options.

Attack threshold

Defines the number of SYN packets per second required to trigger the SYN proxy mechanism.

In this example, the attack threshold is set 25% higher than the average peak number of new connection requests per second per server, a rate that is unusual for this network environment. When the number of SYN packets per second for any one of the four Web servers exceeds this number, the device begins proxying new connection requests to that server. (In other words, beginning with the 626th SYN packet to the same destination address and port number in one second, the device begins proxying connection requests to that address and port number.)

Configure a value between 1 and 100000 proxied requests per second. The default value is 200.

Note: For SRX Series devices, the applicable range is 1 through 1000000 proxied requests per second.

Default threshold is 625 packets per second (pps).

Alarm threshold

Define the number of half-complete proxy connections per second at which the device makes entries in the event alarm log.

When the device proxies 251 new connection requests in one second, it makes an alarm entry in the event log. By setting the alarm threshold somewhat higher than the attack threshold, you can avoid alarm entries for traffic spikes that only slightly exceed the attack threshold.

Configure a value between 1 and 100000 segments received per second for SYN flood alarm. The default value is 512.

Note: For SRX Series devices, the applicable range is 1 through 1000000 segments per second.

The default value is 250 packets per second (pps).

Source threshold

Defines the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the device begins dropping connection requests from that source.

When you set a source threshold, the device tracks the source IP address of SYN packets, regardless of the destination address and port number. (Note that this source-based tracking is separate from the tracking of SYN packets based on destination address and destination port number that constitutes the basic SYN flood protection mechanism.) Therefore, connection requests exceeding this threshold are unusual and provide sufficient cause for the device to execute its proxying mechanism. (25 pps is 1/25 of the attack threshold, which is 625 pps.)

In the one week of monitoring activity, you observed that no more than 1/25 of new connection requests for all servers came from any one source within a one-second interval.

If the device tracks 25 SYN packets from the same source IP address, beginning with the 26th packet, it rejects all further SYN packets from that source for the remainder of that second and the next second as well.

Configure a value for SYN flood from the same source between 4 and 100000 segments received per second. The default value is 4000.

Note: For SRX Series devices, the applicable range is 4 through 1000000 segments per second.

The default value is 25 packets per second (pps).

Destination threshold

Defines the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number.

When you set a destination threshold, the device runs a separate tracking of only the destination IP address, regardless of the destination port number. Because the four Web servers only receive HTTP traffic (destination port 80)—no traffic to any other destination port number reaches them—setting a separate destination threshold offers no additional advantage.

Configure a value for SYN flood to the same destination between 4 and 100000. The default value is 4000.

Note: For SRX Series devices, the applicable range is 4 through 1000000 segments per second.

The default value is 0 packets per second (pps).

Ager timeout

Defines the maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you see any connections dropped during normal traffic conditions.

The default value of 20 seconds is a reasonable length of time to hold incomplete connection requests.

Configure a value for SYN attack protection between 1 and 50 seconds. The default value is 20 seconds.

Apply to Zones

Available

Displays the configured zones.


Selected

Displays selected zones.
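The zone and screen settings that Tables 30 and 31 describe, written as the Junos configuration J-Web generates. This is an added example, not configuration from the page: the screen name untrust-screen, the zone names and the interfaces ge-0/0/0.0 and ge-0/0/1.0 are assumptions, and the SYN flood values are the ones from the worked example in Table 31 (attack threshold 625, alarm threshold 250, source threshold 25, ager timeout 20).

```junos
security {
    screen {
        ids-option untrust-screen {
            icmp {
                /* Scan/Spoof/Sweep Defence: ICMP to 10 addresses within 5000 microseconds is flagged as a sweep */
                ip-sweep threshold 5000;
                fragment;
                large;
                ping-death;
                /* ICMP/UDP protection: threshold in packets per second */
                flood threshold 1000;
            }
            ip {
                spoofing;
                /* Anomalies - IP: drop packets carrying these IP options */
                bad-option;
                unknown-protocol;
                security-option;
                stream-option;
                timestamp-option;
                record-route-option;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                tear-drop;
                block-frag;
            }
            tcp {
                /* 10 ports within 5000 microseconds is flagged as a port scan */
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 512;
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                land;
                winnuke;
                /* SYN Flood Protection: values taken from the worked example in Table 31 */
                syn-flood {
                    /* proxy new requests from the 626th SYN per second to one destination address and port */
                    attack-threshold 625;
                    /* write an alarm entry once 251 proxied requests are seen in one second */
                    alarm-threshold 250;
                    /* from the 26th SYN per second from one source, drop that source for the rest of the second and the next */
                    source-threshold 25;
                    /* ager timeout for half-open connections, in seconds */
                    timeout 20;
                }
            }
            udp {
                flood threshold 1000;
            }
            limit-session {
                destination-ip-based 128;
            }
        }
    }
    zones {
        security-zone untrust {
            /* Binding screen, and Send RST for non matching session */
            screen untrust-screen;
            tcp-rst;
            interfaces {
                /* Host inbound traffic - Interface: this interface accepts only IKE */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                        }
                    }
                }
            }
        }
        security-zone trust {
            /* Host inbound traffic - Zone: applies to every interface in the zone */
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ping;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
```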


Policy

Configuring Policies—Quick Configuration

To configure the security policies using the J-Web interface:

  1. Select Configure>Security>Policy>FW Policies. To control the volume of data displayed at one time, policies are grouped by zone context (the from and to zones of the policy). By default, the Security Policy page displays all policies from the first From Zone and To Zone in the filter lists. Table 32 explains the content of this page.
  2. To change the context and the policies displayed, select from the From Zone and To Zone filter lists, and click Filter.
  3. Select one of the following policy configuration options:
    • Global Options—Configures options to be applied to all policies. Table 33 explains the content of this page.
    • Add—Creates a new security policy. The Add Policy page is displayed. Note that the tabs available on this page depend on the configuration options that you select for the new policy. Table 34 explains the content of this page.
    • Edit—Modifies a selected policy’s configuration. The Edit Policy page is displayed. Note that the tabs available on this page are based on the configuration options for this policy. Table 34 explains the content of this page.
    • Delete—Removes a selected policy from the configuration.
    • Clone—Creates a copy of a selected policy under a different name. The Clone Policy page is displayed. Note that the tabs available on this page are based on the configuration options for this policy. Table 34 explains the content of this page.
    • Deactivate—Deactivates a selected policy. Deactivating a policy does not delete it from your configuration.
    • Move—Moves a selected policy up or down in the list.
  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options > Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 32: Security Policy Output Details

Field

Function

From Zone and To Zone Filter

Groups policies by common zone context (the from and to zones of each policy) to control the volume of data displayed at one time. By default, the Security Policy page displays all policies in the first From Zone and To Zone in the filter lists. Select the From Zone and To Zone and click Filter to change the policies listed.

From Zone

Provides the source zone to be used as match criteria for the policy.

To Zone

Provides the destination zone to be used as match criteria for the policy.

Name

Specifies the name of the policy.

Source Address

Provides the source addresses to be used as match criteria for the policy.

Destination Address

Provides the destination addresses to be used as match criteria for the policy.

Application

Specifies the name of the predefined or custom application signature to be used as match criteria for the policy.

Dynamic App

Specifies the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy.

The rule set is displayed in two lines. The first line displays the dynamic applications configured in the rule set. The second line displays the default dynamic application.

If more than two dynamic applications are specified for the rule set, hover over the output field to display the full list in a tooltip.

Action

Specifies the action portion of the rule set if an application firewall rule set is configured for the policy.

The rule set is displayed in two lines. The first line identifies the action to be taken when traffic matches the dynamic application. The second line displays the default action when traffic does not match the dynamic application.

  • permit—Permits access to the network services controlled by the policy. A green background signifies permission.
  • deny—Denies access to the network services controlled by the policy. A red background signifies denial.

NW Services

Specifies the network services permitted or denied by the rule set if an application firewall rule set is configured. Network services include:

  • application-acceleration—Specify service parameters.
  • application-firewall—Specify application firewall services.
  • gprs-gtp-profile—Specify a GPRS Tunneling Protocol profile name.
  • idp—Perform intrusion detection and prevention.
  • redirect-wx—Set WX redirection.
  • reverse-redirect-wx—Set WX reverse redirection.
  • uac-policy—Enable unified access control enforcement of the policy.

Count

Enables counters for computing session, packet, and byte statistics for the policy. By default, counters are disabled.

Table 33: Global Options Configuration Details

Field

Function

Action

Policy Options Tab


Default policy action

Specifies that any action that is intrinsic to the protocol is overridden. This action is also nonterminating. The available options are:

  • permit-all
  • deny-all

Select a value from the list.

Policy rematch

Enables the device to add a policy that has just been modified to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Select this check box to enable the policy rematch option.

Flow – Main Tab

Aging

Early Ageout

Defines the amount of time before the device aggressively ages out a session from its session table.

Specify a value between 1 and 65,535 seconds. The default value is 20 seconds.

High Watermark

Sets the percentage of session table capacity at which the aggressive aging-out process begins.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Low Watermark

Sets the percentage of session table capacity at which the aggressive aging-out process ends.

Specify a value between 0 and 100 percent. The default value is 100 percent.

Allow DNS reply

Allows an incoming DNS reply packet without a matched request. By default, if the query request does not match, the device drops the packet, does not create a session, and increments the illegal packet flow counter for the interface. The Allow DNS reply option directs the device to skip the check.

Select this check box to enable DNS replies.

Route change to nonexistent route timeout

Applies the session timeout value on a route change to a nonexistent route. By default, this feature is disabled. If the timeout is not defined, sessions discovered to have no route are aged out using their current session timeout values.

Specify a value between 6 and 1800 seconds.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

The SYN cookie is enabled globally on the device and is activated when the configured syn-flood attack-threshold is exceeded.

Select the option button to enable the SYN cookie protection option.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Select the option button to enable the SYN proxy protection option.

Flow – TCP MSS Tab

Enable MSS override for all packets

MSS Value

Enables MSS override for all TCP packets for network traffic.

Select the check box to enable MSS override for all TCP packets.

Specify a value between 64 and 65,535.

Enable MSS override for all GRE packets coming out of an IPsec tunnel

MSS Value

Enables MSS override for all GRE packets exiting an IPsec tunnel.

Enables and specifies the TCP-MSS for GRE packets that are about to go into an IPsec VPN tunnel. By default, a TCP-MSS for GRE packets is not set.

Select the GRE in check box to enable TCP-MSS for GRE.

Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

MSS Value

Enables MSS override for all GRE packets entering an IPsec tunnel.

Enables and specifies the TCP-MSS for GRE packets that are leaving an IPsec VPN tunnel. By default, a TCP-MSS for GRE packets is not set.

Select the GRE out check box to enable TCP-MSS for GRE packets leaving the tunnel.

Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering an IPsec tunnel

MSS Value

Enables MSS override for all packets entering an IPsec tunnel.

Enables and specifies the TCP-MSS for all packets that are entering an IPsec VPN tunnel.

Select the IPSec VPN check box to enable MSS override for all packets that enter an IPsec tunnel.

Specify a value between 64 and 65,535 bytes. The default value is 1320 bytes.

Flow – TCP Session Tab


Disable sequence-number checking

Disables the checking of sequence numbers in TCP segments during stateful inspection. By default, the device monitors the sequence numbers in TCP segments.

Select the check box to disable sequence number checking.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. It enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Select this check box to enable strict SYN checking.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box to disable the SYN-flag check at session creation time.

Disable SYN-flag check (tunnel packets)

Disables the first-packet SYN flag check for tunneled traffic when forming a TCP flow session.

Select the check box to disable the SYN flag check for the first TCP packet of a tunneled session.

RST invalidate session

Marks a session for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select this check box to immediately end session on receipt of RST segment.

RST sequence check

Checks that the TCP sequence number in a TCP segment with the RST bit enabled matches the previous sequence number for a packet in that session or is the next higher number incrementally. By default, this check is disabled.

Select this check box to enable checking of sequence numbers in RST segments.

TCP Initial Timeout

Defines the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Specify a value between 20 and 300 seconds. The default value is 20 seconds.
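The Global Options of Table 33 as they appear in the Junos configuration. This is an added example, not configuration from the page; the MSS values (1350 for all TCP traffic, 1320 for the tunnel cases) and the route-change timeout of 30 seconds are assumed choices, and the TCP Session tab settings take the stricter side of each option (strict SYN check on, sequence checking left enabled, RST segments terminate the session only after their sequence number is checked).

```junos
security {
    policies {
        /* Policy Options tab: drop anything no policy matches, and re-evaluate sessions when a policy changes */
        default-policy {
            deny-all;
        }
        policy-rematch;
    }
    flow {
        /* Flow - Main tab */
        aging {
            early-ageout 20;
            high-watermark 100;
            low-watermark 100;
        }
        route-change-timeout 30;
        /* SYN cookies are armed when a screen's syn-flood attack-threshold is exceeded */
        syn-flood-protection-mode syn-cookie;
        /* Flow - TCP MSS tab: values in bytes */
        tcp-mss {
            all-tcp {
                mss 1350;
            }
            gre-in {
                mss 1320;
            }
            gre-out {
                mss 1320;
            }
            ipsec-vpn {
                mss 1320;
            }
        }
        /* Flow - TCP Session tab */
        tcp-session {
            strict-syn-check;
            rst-invalidate-session;
            rst-sequence-check;
            tcp-initial-timeout 20;
        }
    }
}
```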

Table 34: Add/Edit/Clone Configuration Details

Field

Function

Action

Policy Tab

Policy Name

Specifies the name of the security policy.

On the Add Policy page, enter a name for the new policy.

On the Clone Policy page, modify the generated policy name as needed.

On the Edit Policy page, the name of the existing policy cannot be changed.

Policy Action

Specifies the action taken when traffic matches the criteria. Policy actions are:

  • Permit
  • Deny
  • Reject

Select Permit to allow the packet to pass through the firewall. (Adds the Permit Action and Application Services tabs to the page.)

Select Deny to block and drop the packet, but not send notification back to the source.

Select Reject to block and drop the packet and to send a notice to the source host.

  • For TCP traffic—Sends TCP RST.
  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).
  • For TCP and UDP traffic—Specifies action denied.

From Zone

Specifies the source zone to be used as match criteria for the policy.

Enter the source zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

To Zone

Specifies the destination zone to be used as match criteria for the policy.

Enter the destination zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

Source Address

Specifies source addresses to be used as match criteria for the policy.

Add or remove source addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add New Source Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Destination Address

Specifies destination addresses to be used as match criteria for the policy.

Add or remove destination addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add New Destination Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Applications

Specifies the predefined or custom application signatures to be used as match criteria for the policy.

Select the appropriate application signatures.

Logging/Count Tab

Enable Count

Enable Count

Enables statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds.

When enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select enable to collect statistics and trigger alarms when traffic exceeds threshold values.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Per Minute Alarm Threshold

If count is enabled, defines the byte threshold for the per-minute alarm.

Enter a value from 0 through 4294967295 KB.

Per Second Alarm Threshold

If count is enabled, defines the byte threshold for the per-second alarm.

Enter a value from 0 through 4294967295 KB.

Log Options

Log at Session Close Time

Logs an event when the session closes. By default, this option is not enabled.

Enable or disable session close logging.

Log at Session Init Time

Logs an event when the session is created. By default, this option is not enabled.

Enable or disable session create logging.

Scheduling tab

Scheduler Name

Specifies the scheduler that defines the time the policy will be activated.

Select the appropriate scheduler from the list.

Permit Action Tab

Tunnel

IPSec VPN

VPN

Specifies the IPsec-VPN tunnel.

Enter the IPsec-VPN tunnel.

Pair Policy

Pair Policy Name

Specifies the name of the policy with the same IPsec-VPN in the opposite direction to create a pair policy.

Enter the name of the policy that specifies the criteria for the opposite tunnel direction.

NAT Translation

Options

Specifies the appropriate NAT translation feature.

Select one of the following options:

  • None
  • Drop packets with translated address
  • Drop packets without translated address

Firewall Authentication

Pass-through

Access Profile

Specifies the profile used to verify traffic as it attempts to pass through the firewall.

Select from the profile list.

Client name

Specifies the client name for the pass-through.

Enter the client name.

Web Redirect

Specifies that pass-through traffic is redirected for Web authentication.

Enable or disable redirection for Web authentication.

Web authentication

Client Name

Specifies the client name for the Web authentication.

Enter the Web authentication client.

Application Services Tab

IDP

Enable IDP

Enables IDP for this policy.

Enable or disable IDP.

UTM Policy

UTM Policy

Specifies the UTM policy to be associated with this policy.

Enter the UTM policy name.

Application Acceleration

Service Policy

Specifies the configured application acceleration profile for this policy.

Enter the application acceleration profile name.

Options

Specifies the flow characteristic.

Specify the flow characteristic:

  • Optimize—Accelerate or compress flow. Flows from the trust zone toward the WAN segment are usually optimized.
  • Refactor—Decompress flow. Flows from the WAN segment toward the trust zone are usually refactored.

Redirect

Options

Specifies the type of redirection.

Select one of the following options:

  • None
  • Redirect-wx
  • Reverse Redirect-wx

Application Firewall

Rule-Set

Specifies the configured application firewall rule set for this policy.

Enter the name of the application firewall rule set.

IDP Policies

Configuring IDP Policies

To configure an IDP policy:

  1. Select Configure>Security>Policy>IDP Policies.
  2. Fill in the information as described in Table 35.
  3. Click one of the following buttons:
    • To apply the configuration and return to the main configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 35: IDP Policy Configuration Page

Field

Function

Action

Template

Loads a predefined IDP template.

  1. Click Template and select Download Template to download the template from the server.
  2. Click Template and select Install Template to install the template on the router.
  3. Click Template and select Load Template to load the predefined policies into the policy list.

Check Status

Checks download or install status.

Select Download Status or Install Status from the Check Status list.

Add

Adds a new IDP policy.

Click Add.

Edit

Edits the selected user-defined policy from the policy list.

Select an IDP policy and click Edit.

Delete

Deletes the selected policy from the policy list.

Select an IDP policy and click Delete.

Clone

Duplicates an existing IDP policy with a different name.

Select an IDP policy and click Clone.

In the New Policy Name box type the name of the new policy.

Activate

Activates the selected IDP policy.

Note: You can configure many IDP policies, but only one can be in active state.

Select the Activate check box.

Adding a New IDP Policy

To configure a new IDP policy :

  1. Select Configure>Security>Policy>IDP Policies.
  2. Click Add on the policy task bar.
  3. Fill in the information as described in Table 36.
  4. Click one of the following buttons:
    • To apply the configuration and return to the main configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 36: Add IDP Policy Page Details

Field

Function

Actions

Policy Name

Specifies the name of the IDP policy.

Type a policy name.

Activate

Specifies if the configured IDP policy is set as the active policy.

Note: You can configure many IDP policies, but only one can be in active state.

Select the Activate check box.

Rulebase:IPS

Defines the IPS rulebase to protect the network from attacks by using attack objects to detect known and unknown attacks.

Select Rulebase:IPS and click Add.

Rulebase:Exempt

Defines the exempt rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IPS rule.

Select Rulebase:Exempt and click Add.

Configuring an IPS Rulebase

To configure an IPS rulebase:

  1. Select Configure>Security>Policy>IDP Policies.
  2. Use the buttons on the rulebase task bar as described in Table 37 to configure the IPS rulebase.
  3. Click one of the following buttons:
    • To apply the configuration and return to the main configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 37: IPS Rulebase Configuration Page

Field

Function

Actions

Add

Adds an IPS rulebase.

Select an IDP policy and click Add.

Edit

Edits the selected IPS rulebase

Select an IPS rulebase and click Edit.

Delete

Deletes the selected IPS rulebase.

Select an IPS rulebase and click Delete.

Move

Prioritizes the configured rules. Execution occurs in sequence.

Select an IPS rulebase and click the required move option in the list.

Adding an IPS Rulebase

To add an IPS rulebase:

  1. Select Configure>Security>Policy>IDP Policies.
  2. To add an IPS rulebase for an existing IDP policy, select Rulebase:IPS and click Add.
  3. To add an IPS rulebase for a new policy:
    • Click Add on the policy task bar.
    • Type a new policy name and select the Activate check box.
    • Select Rulebase:IPS and click Add.
  4. Fill in the information as described in Table 38.
  5. Click one of the following buttons:
    • To apply the configuration and return to the main configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 38: Add an IPS Rulebase Page Details

Field

Function

Action

Basic

Policy Name

Specifies the name of the IDP policy.

Displays the name of the IDP policy.

Rule Name

Specifies the name of the IPS rulebase rule.

Type a rule name.

Rule Description

Specifies the description for the rule.

Type the description for the rule.

Action

Lists all the rule actions for IDP to take when the monitored traffic matches the attack objects specified in the rules.

Select a rule action from the list.

Application

Lists one or multiple configured applications.

Select the applications to be matched.

Attack Type

Specifies the attack type that you do not want the device to match in the monitored network traffic.

The attack types available are:

  • Predefined Attacks: Specifies predefined attack objects that you can use to match the traffic against known attacks.
  • Predefined Attack Groups: Specifies predefined attack groups that you can use to match the traffic against known attack objects.

Select the attack object or attack group from the list and click the right arrow to match an attack object or attack group to the rule.

Category

Specifies the category used for scrutinizing rules to sets.

Select a category from the list.

Severity

Specifies the rule severity levels in logging to support better organization and presentation of log records on the log server.

Select a severity level from the list.

Direction

Specifies the direction of network traffic you want the device to monitor for attacks.

Select a direction from the list.

Matched

Specifies the type of network traffic you want the device to monitor for attacks.

Select the traffic types and click the right arrow to move them to the matched list.

Advanced

IP Action

Specifies the action IDP takes against future connections that use the same IP address.

Select an IP action from the list.

IP Target

Specifies the destination IP address.

Select an IP target from the list.

Timeout

Specifies the number of seconds the IP action remains in effect; new sessions initiated within that timeout are subject to the IP action.

Type the timeout value, in seconds. Maximum acceptable value is 65,535 seconds.

Log IP Action

Specifies if the log attacks are enabled to create a log record that appears in the log viewer.

Select the check box.

Enable Attack Logging

Specifies if the configuring attack logging alert is enabled.

Select the check box.

Set Alert Flag

Specifies if an alert flag is set.

Select the check box.

Terminal

Specifies if the terminal rule flag is set or unset.

Select the check box.

Match

From Zone

Specifies the match criteria for the source zone for each rule.

Select the match criteria from the list.

To Zone

Specifies the match criteria for the destination zone for each rule.

Select the match criteria from the list.

Source Address

Specifies the zone exceptions for the from-zone and source address for each rule.

Select the from-zone and source addresses/address sets from the list and do one of the following:

  • Click the Match button to match the from-zone and source address/address sets to the rule and click the right arrow.
  • Click the Except button to enable the exception criteria.

Destination Address

Specifies the zone exceptions for the to-zone and destination address for each rule.

Select the to-zone and destination addresses/address sets from the list and do one of the following:

  • Click the Match button to match the to-zone and destination address/address sets to the rule and click the right arrow.
  • Click the Except button to enable the exception criteria.

Configuring an Exempt Rulebase

To configure an exempt rulebase:

  1. Select Configure>Security>Policy>IDP Policies.
  2. Use the buttons on the rulebase task bar as described in Table 39 to configure an exempt rulebase.
  3. Click one of the following buttons:
    • To apply the configuration and return to the main configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 39: Configuring an Exempt Rulebase Page Summary

Field

Function

Action

Add

Adds an exempt rulebase.

Select an IDP policy and click Add.

Edit

Edits the selected exempt rulebase.

Select an exempt rulebase and click Edit.

Delete

Deletes the selected exempt rulebase.

Select an exempt rulebase and click Delete.

Move

Prioritizes the configured rules. Execution occurs in sequence.

Select an exempt rulebase and click the required move option in the list.

Adding an Exempt Rulebase

To add an exempt rulebase:

  1. Select Configure>Security>Policy>IDP Policies.
  2. To add an exempt rulebase for an existing IDP policy, select Rulebase:Exempt and click Add.
  3. To add an exempt rulebase for a new policy:
    • Click Add on the policy task bar.
    • Type a new policy name and select the Activate check box.
    • Select Rulebase:Exempt and click Add.
  4. Fill in the information as described in Table 40.
  5. Click one of the following buttons:
    • To apply the configuration and return to the main Configuration page, click OK.
    • To cancel your entries and return to the main page, click Cancel.

Table 40: Add an Exempt Rulebase Configuration Details

Field

Function

Actions

Basic

Policy Name

Specifies the name of the IDP policy.

Displays the name of the IDP policy.

Rule Name

Specifies the name of the exempt rulebase rule.

Type a rule name.

Rule Description

Specifies the description for the rule.

Type the description for the rule.

Attack Type

Specifies predefined attack objects or attack groups that are used to match the traffic against known attacks.

Select the attack object or attack group from the list and click the right arrow to match an attack object or attack group to the rule.

Category

Specifies the category used for scrutinizing rules to sets.

Select a category from the list.

Severity

Specifies the rule severity levels in logging to support better organization and presentation of log records on the log server.

Select a severity level from the list.

Direction

Specifies the direction of network traffic you want the device to monitor for attacks.

Select a direction from the list.

Matched

Specifies the type of network traffic you want the device to monitor for attacks.

Select the traffic types and click the right arrow to move them to the matched list.

Match

From Zone

Specifies the match criteria for the source zone for each rule.

Select the match criteria from the list.

To Zone

Specifies the match criteria for the destination zone for each rule.

Select the match criteria from the list.

Source Address

Specifies the zone exceptions for the from-zone and source address for each rule.

Select the from-zone and source addresses/address sets from the list and do one of the following:

  • Click the Match button to match the from-zone and source address/address sets to the rule and click the right arrow.
  • Click the Except button to enable the exception criteria.

Destination Address

Specifies the zone exceptions for the to-zone and destination address for each rule.

Select the to-zone and destination addresses/address sets from the list and do one of the following:

  • Click the Match button to match the to-zone and destination address/address sets to the rule and click the right arrow.
  • Click the Except button to enable the exception criteria.
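The two rulebases above (Table 38 for IPS, Table 40 for exempt) share their Match criteria and attack types; what differs is that IPS rules carry an Action, a Terminal flag and an IP Action timeout, while exempt rules only suppress matches. The following Python model is an added example written for this page, not Juniper's engine or J-Web code: it walks an ordered IPS rulebase (the order the Move buttons set), honours the Terminal flag, checks the 65,535-second timeout cap from Table 38, and lets an exempt rule silence a known false positive. The rule names, zones, addresses and attack object names are constructed sample data, and the evaluation order (exempt checked first; a terminal rule whose zone/address criteria match ends evaluation even when its attack objects do not match) is the model's own assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = "any"
# Table 38: "Maximum acceptable value is 65,535 seconds."
MAX_IP_ACTION_TIMEOUT = 65535


@dataclass(frozen=True)
class Traffic:
    """A monitored flow plus the attack object the engine detected in it (constructed)."""
    from_zone: str
    to_zone: str
    src: str
    dst: str
    attack: str


@dataclass
class Rule:
    """Rule fields shared by Table 38 (IPS) and Table 40 (exempt)."""
    name: str
    attacks: FrozenSet[str]           # predefined attack objects or groups
    from_zone: str = ANY
    to_zone: str = ANY
    src: str = ANY
    dst: str = ANY
    action: str = "none"              # IPS rules only
    terminal: bool = False            # IPS rules only (Terminal check box)
    ip_action_timeout: int = 0        # IPS rules only, seconds

    def __post_init__(self) -> None:
        if not timeout_is_valid(self.ip_action_timeout):
            raise ValueError(
                f"{self.name}: IP action timeout must be 0..{MAX_IP_ACTION_TIMEOUT} s")

    def criteria_match(self, t: Traffic) -> bool:
        """Match-tab criteria (zones and addresses), ignoring the attack type."""
        pairs = ((self.from_zone, t.from_zone), (self.to_zone, t.to_zone),
                 (self.src, t.src), (self.dst, t.dst))
        return all(want in (ANY, got) for want, got in pairs)

    def attack_match(self, t: Traffic) -> bool:
        return t.attack in self.attacks


def timeout_is_valid(seconds: int) -> bool:
    return 0 <= seconds <= MAX_IP_ACTION_TIMEOUT


@dataclass(frozen=True)
class Verdict:
    reason: str                   # "exempt", "matched", "terminal-stop" or "no-match"
    rule: Optional[str] = None    # rule that produced the verdict
    action: Optional[str] = None  # IPS action to apply, if any


def evaluate(ips_rules: List[Rule], exempt_rules: List[Rule], t: Traffic) -> Verdict:
    """Evaluate one detection against both rulebases (model assumptions: exempt
    rulebase first; IPS rules in list order; a matching terminal rule stops)."""
    for r in exempt_rules:
        if r.criteria_match(t) and r.attack_match(t):
            return Verdict("exempt", r.name)
    for r in ips_rules:
        if not r.criteria_match(t):
            continue
        if r.attack_match(t):
            return Verdict("matched", r.name, r.action)
        if r.terminal:
            return Verdict("terminal-stop", r.name)
    return Verdict("no-match")


# Constructed sample rulebases.
IPS_RULES = [
    Rule("web-sqli", frozenset({"HTTP:SQL:INJ"}), from_zone="trust", to_zone="untrust",
         action="drop-connection", ip_action_timeout=600),
    Rule("dmz-host-only", frozenset({"DMZ:ONLY"}), src="10.0.0.5", terminal=True),
    Rule("catch-all-sqli", frozenset({"HTTP:SQL:INJ"}), action="close-client"),
]
EXEMPT_RULES = [
    # Known false positive: the internal scanner trips the SQL injection signature.
    Rule("scanner-fp", frozenset({"HTTP:SQL:INJ"}), src="10.0.0.9"),
]

if __name__ == "__main__":
    probe = Traffic("trust", "untrust", "10.0.0.9", "203.0.113.7", "HTTP:SQL:INJ")
    print(evaluate(IPS_RULES, EXEMPT_RULES, probe))
```

The ordering matters for defenders: because a terminal rule ends evaluation for any traffic that satisfies its zone/address criteria, a broad terminal rule placed high in the list can shadow the more specific rules below it, which is why the Move buttons in Tables 37 and 39 deserve as much review as the rules themselves.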

Policy Elements

Configuring Addresses and Address Sets—Quick Configuration

You can use J-Web Quick Configuration to quickly configure address books and address sets.

This topic contains the following instructions:

Configuring Addresses

To configure an address in the J-Web user interface:

  1. Select Configure>Security>Policy Elements>Address Book.
  2. Select the Addresses tab.
  3. Select one of the following options:
    • Add–To create a new address, click Add. The Add Address dialog box appears.
    • Edit–To edit an existing configuration, select the address that you want to change and click Edit. The Edit Address dialog box appears.
    • Delete–To delete an existing address, select it and click Delete. (If you select this option, you can skip the remaining steps in this section.)
  4. In the Zone field, specify the zone to which the address should apply.
  5. In the Address Name field, specify a name for the address.
  6. Select the IP/Prefix or Domain Name option. Then, enter the IP address or domain name of the address in the field that appears. The IP address must be an IPv4 address with the number of prefix bits. You can use domain names only if the system is configured to use DNS services.
  7. (Optional) Specify an address set to which the address should be added. To create a new address set:
    • In the Add Address Set text box, enter an address set.
    • Click Add. (To remove the address after creating it, click Undo.)
  8. Select one of the following options:
    • OK–To apply the configuration and return to the main Configuration page, click OK.
    • Cancel–To cancel your entries and return to the main page, click Cancel.

Configuring Address Sets

To configure an address set in the J-Web user interface:

  1. Select Configure>Security>Policy Elements>Address Book.
  2. Select the Address Sets tab.
  3. Select one of the following options:
    • Add–To create a new address set, click Add. The Add Address Set dialog box appears.
    • Edit–To edit an existing configuration, select the address set that you want to change and click Edit. The Edit Address Set dialog box appears.
    • Delete–To delete an existing address set, select it and click Delete. (If you select this option, you can skip the remaining steps in this section.)
  4. In the Zone field, specify the zone to which the address set should apply.
  5. In the Address Set Name field, specify a name for the address set.
  6. Specify which of the preexisting addresses should be included or excluded from the address set by selecting the addresses and using the arrows to move them to the Out of This Set and In This Set lists.
  7. Select one of the following options:
    • OK–To apply the configuration and return to the main Configuration page, click OK.
    • Cancel–To cancel your entries and return to the main page, click Cancel.

Configuring Applications and Application Sets—Quick Configuration

You can use J-Web Quick Configuration to quickly configure application and application sets for a security policy. When configuring custom applications, you can configure global settings or individual terms.

This topic includes the following instructions:

Configuring Global Custom Application Settings

To configure global application settings in the J-Web user interface:

  1. Click Configure>Security>Policy Elements>Applications.
  2. Select the Custom-Applications tab.
  3. Select one of the following options:
    • Add–To create a new application, click Add. The Add an Application dialog box appears.
    • Edit–To edit an existing configuration, select the application that you want to change and click Edit. The Edit an Application dialog box appears.
    • Delete–To delete an existing configuration, select it and click Delete. (If you select this option, you can skip the remaining steps in this section.)
  4. Select the Global tab.
  5. In the Application name field, specify a name for the custom application.
  6. In the Application-protocol field, specify the application protocol. For a complete list of options, see Table 41.
  7. In the Match IP protocol field, specify the network protocol. For a complete list of options, see Table 42.
  8. In the Destination Port field, specify the destination port identifier. You can use a numeric value or one of the text synonyms listed in Table 43.
  9. In the Source Port field, specify the source port identifier. You can use a numeric value or one of the text synonyms listed in Table 43.
  10. In the Inactivity-timeout field, specify the length of time (in seconds) that the application is inactive before it times out.
  11. In the RPC-program-number field, specify the remote procedure call (RPC) value. Valid values range from 0 to 65535.
  12. In the Match ICMP message code field, specify the Internet Control Message Protocol (ICMP) code value, such as host-unreachable or host-unreachable-for-tos.
  13. In the Match ICMP message type field, specify the ICMP packet type value, such as echo or echo-reply.
  14. In the UUID field, specify a universal unique identifier (UUID). A UUID is a 128-bit unique number generated from a hardware address, a timestamp, and seed values.
  15. In the Application-Set field, select the application set to which this application should belong.
  16. Select one of the following options:
    • OK–To apply the configuration and return to the main Configuration page, click OK.
    • Cancel–To cancel your entries and return to the main page, click Cancel.

Table 41: Custom Application Protocols

Protocol

Description

dns

Domain Name Service

ftp

File Transfer Protocol

ignore

Ignore application type

mgcp-ca

Media Gateway Control Protocol with Call Agent

mgcp-ua

MGCP with User Agent

ms-rpc

Microsoft RPC

pptp

Point-to-Point Tunneling Protocol

q931

ISDN connection control protocol (Q.931)

ras

Remote Access Service

realaudio

RealAudio

rsh

UNIX remote shell services

rtsp

Real-Time Streaming Protocol

sccp

Skinny Client Control Protocol

sip

Session Initiation Protocol

sqlnet-v2

Oracle SQLNET v2

sun-rpc

Sun Microsystems RPC

talk

TALK program

tftp

Trivial File Transfer Protocol

Table 42: Match IP Protocols

Protocol

Description

ah

IP Security Authentication Header

egp

Exterior Gateway Protocol

esp

IPsec Encapsulating Security Payload

gre

Generic Routing Encapsulation

icmp

Internet Control Message Protocol

igmp

Internet Group Management Protocol

ipip

IP over IP

ospf

Open Shortest Path First

pim

Protocol Independent Multicast

rsvp

Resource Reservation Protocol

sctp

Stream Control Transmission Protocol

tcp

Transmission Control Protocol

udp

User Datagram Protocol

Table 43: Port Names

Port Name

Port Number

afs

1483

bgp

179

biff

512

bootpc

68

bootps

67

cmd

514

cvspserver

2401

dhcp

67

domain

53

eklogin

2105

ekshell

2106

exec

512

finger

79

ftp

21

ftp-data

20

http

80

https

443

ident

113

imap

143

kerberos-sec

88

klogin

543

kpasswd

761

krb-prop

754

krbupdate

760

kshell

544

ldap

389

ldp

646

login

513

mobileip-agent

434

mobilip-mn

435

msdp

639

netbios-dgm

138

netbios-ns

137

netbios-ssn

139

nfsd

2049

nntp

119

ntalk

518

ntp

123

pop3

110

pptp

1723

printer

515

radacct

1813

radius

1812

rip

520

rkinit

2108

smtp

25

snmp

161

snmp-trap

162

snpp

444

socks

1080

ssh

22

sunrpc

111

syslog

514

tacacs

49

tacacs-ds

65

talk

517

telnet

23

tftp

69

timed

525

who

513

xdmcp

177

Configuring Custom Application Terms

To configure individual application terms in the J-Web user interface:

  1. Click Configure>Security>Policy Elements>Applications.
  2. Select the Custom-Applications tab.
  3. Select one of the following options:
    • Add–To create a new application, click Add. The Add an Application dialog box appears.
    • Edit–To edit an existing configuration, select the application that you want to change and click Edit. The Edit an Application dialog box appears.
    • Delete–To delete an existing configuration, select it and click Delete. (If you select this option, you can skip the remaining steps in this section.)
  4. Select the Terms tab.
  5. Select one of the following options:
    • Add–To create a new application term, click Add. The Add new term dialog box appears.
    • Edit–To edit an existing configuration term, select the application that you want to change and click Edit. The Edit term dialog box appears.
  6. In the Term Name field, enter a name for the application term.
  7. In the ALG field, specify the application protocol. For a complete list of options, see Table 41.
  8. In the Match IP protocol field, specify the network protocol. For a complete list of options, see Table 42.
  9. In the Destination Port field, specify the destination port identifier. You can use a numeric value or one of the text synonyms listed in Table 43.
  10. In the Source Port field, specify the source port identifier. You can use a numeric value or one of the text synonyms.
  11. In the Inactivity-timeout field, specify the length of time (in seconds) that the application is inactive before it times out.
  12. In the RPC-program-number field, specify the remote procedure call (RPC) value. Valid values range from 0 to 65535.
  13. In the Match ICMP message code field, specify the Internet Control Message Protocol (ICMP) code value, such as host-unreachable or host-unreachable-for-tos.
  14. In the Match ICMP message type field, specify the ICMP packet type value, such as echo or echo-reply.
  15. In the UUID field, specify a universal unique identifier (UUID). A UUID is a 128-bit unique number generated from a hardware address, a timestamp, and seed values.
  16. Select one of the following options:
    • OK–To apply the configuration and return to the Add Application or Edit Application dialog box, click OK.
    • Cancel–To cancel your entries and return to the Add Application or Edit Application dialog box, click Cancel.
  17. Select one of the following options:
    • OK–To apply the configuration and return to the main Configuration page, click OK.
    • Cancel–To cancel your entries and return to the main page, click Cancel.
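The global settings procedure and the per-term procedure above take the same fields: an application protocol from Table 41, an IP protocol from Table 42, ports given as numbers or as Table 43 synonyms, an inactivity timeout, an RPC program number in 0 to 65535, ICMP code/type and a 128-bit UUID. The validator below is an added example for this page, not J-Web or Junos code: it checks one custom application term against those tables and ranges before it is entered, so that a typo does not silently produce a looser match than intended. It carries only a subset of the three tables, and the cross-field rules (ports only with tcp, udp or sctp; ICMP code/type only with icmp) are the example's own consistency checks, not behaviour stated on this page. The sample terms are constructed.

```python
import uuid
from typing import Dict, List

# Subsets of Tables 41, 42 and 43 as printed on this page.
APPLICATION_PROTOCOLS = {
    "dns", "ftp", "ignore", "mgcp-ca", "mgcp-ua", "ms-rpc", "pptp", "q931", "ras",
    "realaudio", "rsh", "rtsp", "sccp", "sip", "sqlnet-v2", "sun-rpc", "talk", "tftp",
}
IP_PROTOCOLS = {"ah", "egp", "esp", "gre", "icmp", "igmp", "ipip", "ospf", "pim",
                "rsvp", "sctp", "tcp", "udp"}
PORT_NAMES = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20, "http": 80,
              "https": 443, "ldap": 389, "ntp": 123, "radius": 1812, "smtp": 25,
              "snmp": 161, "ssh": 22, "sunrpc": 111, "syslog": 514, "telnet": 23,
              "tftp": 69}
# Example's own rule: only these IP protocols carry port numbers.
PORT_PROTOCOLS = {"tcp", "udp", "sctp"}


def parse_port(spec: str) -> int:
    """Accept a numeric port or a Table 43 synonym; raise ValueError otherwise."""
    spec = spec.strip().lower()
    if spec in PORT_NAMES:
        return PORT_NAMES[spec]
    if spec.isdigit() and 0 <= int(spec) <= 65535:
        return int(spec)
    raise ValueError(f"unknown port {spec!r}")


def validate_term(term: Dict[str, str]) -> List[str]:
    """Return the problems found in one application term; an empty list means valid."""
    problems: List[str] = []
    if not term.get("name"):
        problems.append("term name is required")
    alg = term.get("application-protocol")
    if alg is not None and alg not in APPLICATION_PROTOCOLS:
        problems.append(f"unknown application protocol {alg!r}")
    proto = term.get("protocol")
    if proto not in IP_PROTOCOLS:
        problems.append(f"unknown or missing IP protocol {proto!r}")
    for key in ("destination-port", "source-port"):
        if key in term:
            if proto not in PORT_PROTOCOLS:
                problems.append(f"{key} given but protocol {proto!r} has no ports")
            try:
                parse_port(term[key])
            except ValueError as err:
                problems.append(f"{key}: {err}")
    for key, hi in (("inactivity-timeout", None), ("rpc-program-number", 65535)):
        if key in term:
            value = term[key]
            if not value.isdigit() or (hi is not None and int(value) > hi):
                limit = f" in 0..{hi}" if hi is not None else ""
                problems.append(f"{key} must be an integer{limit}")
    for key in ("icmp-code", "icmp-type"):
        if key in term and proto != "icmp":
            problems.append(f"{key} only applies when protocol is icmp")
    if "uuid" in term:
        try:
            uuid.UUID(term["uuid"])   # the page: a UUID is a 128-bit number
        except ValueError:
            problems.append("uuid is not a valid 128-bit UUID")
    return problems


if __name__ == "__main__":
    # Constructed sample term: FTP control channel with a 15-minute idle timeout.
    sample = {"name": "ftp-ctl", "application-protocol": "ftp", "protocol": "tcp",
              "destination-port": "ftp", "inactivity-timeout": "900"}
    print(validate_term(sample) or "ok")
```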

Configuring a Scheduler—Quick Configuration

You can use J-Web Quick Configuration to quickly configure a schedule for the security policies.

To configure a scheduler in the J-Web user interface:

  1. Select Configure>Security>Policy Elements>Scheduler.
  2. Select one of the following options:
    • Add–To create a new scheduler, click Add. The Add new scheduler dialog box appears.
    • Edit–To edit an existing configuration, select the scheduler that you want to change and click Edit. The Edit scheduler dialog box appears.
    • Delete–To delete an existing scheduler, select it and click Delete. (If you select this option, you can skip the remaining steps in this section.)
  3. In the Scheduler Name field, enter a name for the scheduler.
  4. In the Date of start and Date of stop fields, use the calendar pick tool to specify the date range for the scheduler. Then, specify the exact start and stop times using the HH.MM fields.
  5. If you want the scheduler to run at regular, recurring intervals, select the Daily tab or any of the day-of-the-week tabs.

    Within the specified tab, you can fine-tune when the scheduler runs by choosing one of the following options from the Daily Options drop-down list:

    • all-day—Select this option to run the scheduler throughout the specified day of the week. (This option is not available for the Daily tab.)
    • exclude—Select this option to configure the scheduler not to run on the specified day of the week. (This option is not available for the Daily tab.)
    • period—Select this option to configure the scheduler to run only between the specified start and stop time periods. Specify the start and stop times in hh, mm, ss (hour, minute, second) format.
    • none—Select this option to keep the scheduler “as is” with no further configuration options.
  6. Select one of the following options:
    • OK–To apply the configuration and return to the main Configuration page, click OK.
    • Cancel–To cancel your entries and return to the main page, click Cancel.
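A scheduler built here is what the Scheduler Name field of a security policy refers to: the policy is in force only while its scheduler is active. The following Python class is an added example for this page, not J-Web or Junos code; it models the fields above (a start and stop date/time, a Daily tab, and day-of-week tabs each set to all-day, exclude, period or none) and answers whether a policy would be active at a given instant. It enforces the page's note that all-day and exclude are not offered on the Daily tab. The precedence it applies (a day-of-week tab set to anything but none overrides the Daily tab; none everywhere means active for the whole date range) is the example's own assumption, and the maintenance-window scheduler is constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Tuple

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class DayOption:
    """One choice from the Daily Options drop-down of a tab."""
    mode: str = "none"                            # all-day | exclude | period | none
    period: Optional[Tuple[time, time]] = None    # hh:mm:ss start and stop for "period"

    def __post_init__(self) -> None:
        if self.mode not in ("all-day", "exclude", "period", "none"):
            raise ValueError(f"unknown daily option {self.mode!r}")
        if (self.mode == "period") != (self.period is not None):
            raise ValueError("a start/stop period is required exactly when mode is 'period'")


@dataclass
class Scheduler:
    name: str
    start: datetime                                # Date of start + HH.MM
    stop: datetime                                 # Date of stop + HH.MM
    daily: DayOption = DayOption()                 # the Daily tab
    days: Dict[str, DayOption] = field(default_factory=dict)   # day-of-week tabs

    def __post_init__(self) -> None:
        if self.stop <= self.start:
            raise ValueError("stop must be after start")
        # The page: all-day and exclude are not available on the Daily tab.
        if self.daily.mode in ("all-day", "exclude"):
            raise ValueError(f"{self.daily.mode!r} is not available on the Daily tab")
        for day in self.days:
            if day not in DAYS:
                raise ValueError(f"unknown day {day!r}")

    def is_active(self, when: datetime) -> bool:
        """Example's precedence (an assumption): date range first, then the
        day-of-week tab unless it is 'none', then the Daily tab."""
        if not self.start <= when <= self.stop:
            return False
        opt = self.days.get(DAYS[when.weekday()], DayOption())
        if opt.mode == "none":
            opt = self.daily
        if opt.mode == "exclude":
            return False
        if opt.mode == "all-day":
            return True
        if opt.mode == "period":
            lo, hi = opt.period
            return lo <= when.time() <= hi
        return True   # "none" everywhere: active for the whole date range


# Constructed sample: a maintenance window a policy could reference by name.
# Nightly 22:00 to 23:59:59 on weekdays, all day on weekends, never on
# Wednesdays, throughout calendar year 2024.
MAINT = Scheduler(
    name="maint-window",
    start=datetime(2024, 1, 1, 0, 0),
    stop=datetime(2024, 12, 31, 23, 59),
    daily=DayOption("period", (time(22, 0, 0), time(23, 59, 59))),
    days={"saturday": DayOption("all-day"), "sunday": DayOption("all-day"),
          "wednesday": DayOption("exclude")},
)


def maint_active(year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Convenience probe of the sample scheduler at a wall-clock instant."""
    return MAINT.is_active(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for probe in ((2024, 1, 8, 22, 30), (2024, 1, 8, 10, 0), (2024, 1, 6, 10, 0)):
        print(probe, maint_active(*probe))
```

Probing a scheduler this way before attaching it to a policy catches the common surprise that a permit policy is silently inactive (or a deny policy silently inactive) outside the window; the same probe is useful when reading logs to confirm which policy was in force at the time of an event.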

Configuring Full Antivirus (J-Web Procedure)

This section contains the following topics:

Configuring Full Antivirus Custom Objects (J-Web Procedure)

To configure antivirus protection using the J-Web configuration editor, you must first create your custom objects (MIME Pattern List, Filename Extension List, URL Pattern List, and Custom URL Category List).

Configure a MIME Pattern List Custom Object:

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the MIME Pattern List tab, click the Add button to create MIME pattern lists.
  3. In the Add MIME Pattern pop-up window, next to MIME Pattern Name, enter a unique name for the list you are creating.

    Keep in mind that you are creating a MIME whitelist and a MIME exception list (if necessary). Both MIME lists appear in the MIME Whitelist and Exception MIME Whitelist fields when you configure antivirus. Therefore, the MIME list names you create should be as descriptive as possible.

  4. Next to MIME Pattern Value, enter the MIME pattern.
  5. Click Add to add your MIME pattern to the Values list box.

    Within this box, you can also select an entry and use the Delete button to delete it from the list. Continue to add MIME patterns in this manner.

  6. Optionally, create a new MIME list to act as an exception list.

    The exception list is generally a subset of the main MIME list.

  7. Click OK to save the selected values as part of the MIME list you have created.
  8. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a Filename Extension List Custom Object:

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the Filename Extension List tab, click the Add button to create filename extension lists.
  3. Next to File Extension Name, enter a unique name for the list you are creating.

    This name appears in the Scan Option By Extension list when you configure an antivirus profile.

  4. In the Available Values box, select one or more default values (press Shift to select multiple concurrent items or press Ctrl to select multiple separate items) and click the right arrow button to move the value or values to the Selected Values box.
  5. Click OK to save the selected values as part of the extension list you have created.
  6. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a URL Pattern List Custom Object:

Note: Because you use URL Pattern Lists to create Custom URL Category Lists, you must configure URL Pattern List Custom Objects before you configure a Custom URL Category List.

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the URL Pattern List tab, click the Add button to create URL pattern lists.
  3. Next to URL Pattern Name, enter a unique name for the list you are creating. This name appears in the Custom URL Category List Custom Object page for selection.
  4. Next to URL Pattern Value, enter the URL or IP address you want added to the list for bypassing scanning.

    Note: URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can only use “*” if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

    The following wildcard syntax IS supported: http://*.juniper.net, http://www.juniper.ne?, http://www.juniper.n??. The following wildcard syntax is NOT supported: *.juniper.net, www.juniper.ne?, http://*juniper.net, http://*.

  5. Click Add to add your URL pattern to the Values list box.

    The list can contain up to 8192 items. You can also select an entry and use the Delete button to delete it from the list. Continue to add URLs or IP addresses in this manner.

  6. Click OK to save the selected values as part of the URL pattern list you have created.
  7. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
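Because a URL pattern list exists to bypass antivirus scanning, an over-broad pattern widens the hole: the wildcard rules in the note above are what stop an entry such as http://*. from matching everything. The following Python check is an added example for this page, not J-Web or Junos code; it encodes those rules (wildcard URLs must begin with http://, "*" only at the start of the host and followed by ".", "?" only at the end) together with the 8192-item cap, and is verified against the page's own supported and unsupported examples. The added plain IP address entry and the function names are the example's own.

```python
from typing import List, Optional, Tuple

MAX_URL_PATTERNS = 8192          # "The list can contain up to 8192 items."
PREFIX = "http://"


def reject_reason(pattern: str) -> Optional[str]:
    """Return why a URL Pattern Value is not accepted, or None when it is.

    Non-wildcard entries (plain URLs or IP addresses) are accepted as long as
    they are not empty; wildcard entries must follow the page's rules.
    """
    pattern = pattern.strip()
    if not pattern:
        return "empty value"
    if "*" not in pattern and "?" not in pattern:
        return None
    if not pattern.startswith(PREFIX):
        return "wildcard URLs must begin with http://"
    body = pattern[len(PREFIX):]
    head = body.rstrip("?")              # '?' is permitted only as a trailing run
    if "?" in head:
        return "'?' is only allowed at the end of the URL"
    if not head:
        return "nothing before the trailing '?'"
    if "*" in head:
        if not head.startswith("*."):
            return "'*' is only allowed at the beginning and must be followed by '.'"
        if "*" in head[1:]:
            return "only one '*' is allowed"
        if len(head) == 2:
            return "nothing follows '*.'"
    return None


def build_pattern_list(values: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidate values into accepted entries and (value, reason) rejects,
    and refuse a list larger than the documented maximum."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for value in values:
        why = reject_reason(value)
        if why is None:
            accepted.append(value.strip())
        else:
            rejected.append((value, why))
    if len(accepted) > MAX_URL_PATTERNS:
        raise ValueError(f"URL pattern list exceeds {MAX_URL_PATTERNS} items")
    return accepted, rejected


# The page's own supported and unsupported examples, plus a constructed plain IP entry.
SAMPLE = ["http://*.juniper.net", "http://www.juniper.ne?", "http://www.juniper.n??",
          "192.0.2.10", "*.juniper.net", "www.juniper.ne?", "http://*juniper.net",
          "http://*."]

if __name__ == "__main__":
    ok, bad = build_pattern_list(SAMPLE)
    print("accepted:", ok)
    for value, why in bad:
        print(f"rejected {value!r}: {why}")
```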

Configure a Custom URL Category List Custom Object:

Note: Because you use URL Pattern Lists to create Custom URL Category Lists, you must configure URL Pattern List Custom Objects before you configure a Custom URL Category List. URL Pattern List Custom Objects are described in the previous section.

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the URL Category List tab, click Add to create URL category lists.
  3. Next to URL Category Name, enter a unique name for the list you are creating. This name appears in the URL Whitelist list when you configure antivirus global options.
  4. In the Available Values box, select a URL Pattern List name from the list for bypassing scanning and click the right arrow button to move it to the Selected Values box.
  5. Click OK to save the selected values as part of the custom URL list you have created.
  6. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configuring Full Antivirus Feature Profiles (J-Web Procedure)

Now that your custom objects have been created, you can configure the antivirus feature profile.

  1. Select Configure>Security>UTM>Global options.
  2. In the Anti-Virus tab, next to MIME whitelist, select the custom object you created from the list.
  3. Next to Exception MIME whitelist, select the custom object you created from the list.
  4. Next to URL Whitelist, select the custom object you created from the list.
  5. In the Engine Type section, select the type of engine you are using.

    For full antivirus protection, you should select Kaspersky Lab.

  6. In the Kaspersky Lab Engine Option section, enter the URL for the pattern database in the Pattern update URL box.

    Note that the URL is http://update.juniper-updates.net/AV/<device version> and you should not change it.

  7. Next to Pattern update interval, enter the time interval, in seconds, for automatically updating the pattern database in the box.

    The default interval is 60.

  8. Select whether you want the pattern file to update automatically (Auto update) or not (No Auto update).
  9. Click OK to save the selected values.
  10. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in a pop-up window that appears to discover why.
  11. Select Anti-Virus, under Security, in the left pane.
  12. Click Add in the right window to create a profile for the antivirus Kaspersky Lab Engine. (To edit an existing item, select it and click the Edit button.)
  13. Next to Profile name, enter a unique name for this antivirus profile.
  14. Select the Profile Type.

    In this case, select Kaspersky.

  15. Next to Trickling timeout, enter timeout parameters. Note that trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.
  16. Next to Intelligent prescreening, select Yes or No.

    Note: Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for mail protocols (SMTP, POP3, IMAP, and HTTP POST).

  17. In the Scan Options section, next to Intelligent prescreening, select Yes if you are using it.

  18. Next to Content Size Limit, enter content size parameters. The content size check occurs before the scan request is sent. The content size refers to accumulated TCP payload size.
  19. Next to Scan engine timeout, enter scanning timeout parameters.
  20. Next to Decompress Layer Limit, enter decompression layer limit parameters.
  21. In the Scan mode section, select either Scan all files, if you are scanning all content, or Scan files with specified extension, if you are scanning by file extensions.

    If you select Scan files with specified extension, you must select a filename extension list custom object from the Scan engine filename extension list that appears.

  22. Select the Fallback settings tab.
  23. Next to Default (fallback option), select Log and permit or Block from the list.

    Note that in most cases, Block is the default fallback option.

  24. Next to Corrupt File (fallback option), select Log and permit or Block from the list.
  25. Next to Password File (fallback option), select Log and permit or Block from the list.
  26. Next to Decompress Layer (fallback option), select Log and permit or Block from the list.
  27. Next to Content Size (fallback option), select Log and permit or Block from the list.
  28. Next to Engine Not Ready (fallback option), select Log and permit or Block from the list.
  29. Next to Timeout (fallback option), select Log and permit or Block from the list.
  30. Next to Out Of Resources (fallback option), select Log and permit or Block from the list.
  31. Next to Too Many Request (fallback option), select Log and permit or Block from the list.
  32. Select the Notification options tab.
  33. In the Fallback block section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  34. Next to Notify mail sender, select Yes or No.
  35. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  36. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  37. In the Fallback non block section, next to Notify mail recipient, select Yes or No.
  38. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  39. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  40. Select the Notification options cont tab.
  41. In the Virus detection section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  42. Next to Notify mail sender, select Yes or No.
  43. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  44. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).

    The limit is 255 characters.

  45. Click OK.
  46. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    Note: You create a separate antivirus profile for each antivirus protocol. These profiles may basically contain the same configuration information, but when you are creating your UTM policy for an antivirus profile, the UTM policy configuration page provides separate antivirus profile selection fields for each supported protocol.

Configuring Full Antivirus UTM Policies (J-Web Procedure)

Next, you configure a UTM policy for antivirus to which you attach the antivirus profile you have configured.

  1. Select Configure>Security>Policy>UTM Policies.
  2. From the UTM policy configuration window, click Add to configure a UTM policy.

    This takes you to the policy configuration pop-up window.

  3. Select the Main tab in pop-up window.
  4. In the Policy name box, enter a unique name for the UTM policy you are creating.
  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
  6. For Session per client over limit, select either Log and permit or Block.

    This is the action the device takes when the session per client limit for this UTM policy is exceeded.

  7. Select the Anti-Virus profiles tab in the pop-up window.
  8. Select the appropriate profile you have configured from the list for the corresponding protocol listed.
  9. Click OK.
  10. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the policy is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Attaching Full Antivirus UTM Policies to Security Policies (J-Web Procedure)

Next, you attach the UTM policy to a security policy that you create.

  1. Select Configure>Security>Policy>FW Policies.
  2. From the Security Policy window, click Add to configure a security policy with UTM.

    This takes you to the policy configuration pop-up window.

  3. In the Policy tab, enter a name in the Policy Name box.
  4. Next to From Zone, select a zone from the list.
  5. Next to To Zone, select a zone from the list.
  6. Choose a Source Address.
  7. Choose a Destination Address.
  8. Choose an Application.

    Do this by selecting junos-<protocol> (for all protocols that support antivirus scanning) in the Application Sets box and clicking the right arrow (→) button to move them to the Matched box.

  9. Next to Policy Action, select Permit.

    Note: When you select Permit for Policy Action, several additional fields become available in the Application Services tab, including UTM Policy.

  10. Select the Application Services tab in the pop-up window.
  11. Next to UTM Policy, select the appropriate policy from the list.

    This attaches your UTM policy to the security policy.

    Note: There are several fields on this page that are not described in this section. See the Security Policies section for detailed information on configuring security policies and all the available fields.

  12. Click OK to save your policy.
  13. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the policy is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    You must activate your new policy to apply it.

IDP

Configuring a Security Package Update

To configure a security package update:

  1. Select Configure>IDP>Signature Update.
  2. Fill in the information as described in Table 44.
  3. Click Apply.

Table 44: Security Package Update Page Summary

Field

Function

Action

Security Package Manual Download

Download

Downloads the existing signature database.

Click Download on the task bar.

URL

Specifies the predefined default URL used by the device to download the signature database.


Version

Specifies the version number of the security package from the portal.

Select the version from the list.

Full Package

Enables the device to download the latest security package with the full set of attack signature tables from the portal.

Select the check box.

Security Package Manual Installation

Install

Installs the existing signature database.

Click Install on the task bar.

Do not set to active after installed

Specifies to activate the installed security package.

Select the check box.

Check Status

Download Status

Shows the security package download status in the message box.

Select Download Status from the Check Status list.

Install Status

Shows the security package install status in the message box.

Select Install Status from the Check Status list.

Security Package Automatic Download

Download Setting

Sets the parameters of automatic download.

Click Download Setting.

URL Setting

Specifies the predefined default URL used by the device to download the signature database.

Click URL Setting and type a URL in the following format: http://xmlexport.secteam.juniper.net

Note: The URL configured in the URL Setting window is displayed by default in the Download window.

Auto Download Setting


Interval

Specifies the time intervals for the automatic download.

Enter an integer.

Start Time

Specifies to install the latest policy templates from the portal.

Enter a time value in MM-DD.hh:mm format.

Download Time-Out

Specifies the time at which the automatic download expires.

Enter an integer.

Forwarding

Configuring Security Forwarding

If your device is operating in secure context, the inet6, International Organization for Standardization (ISO), and MPLS protocol families are disabled on the device by default. You must enable these protocol families for a device in secure mode to forward IPv6, IS-IS, and MPLS packets. For more information on packet forwarding, see the Junos OS Interfaces and Routing Configuration Guide.

To configure packet forwarding using the J-Web configuration editor:

  1. Select Configure>Security>Forwarding. The Forwarding Configuration page appears.
  2. Fill in the options as shown in Table 45.
  3. Click one:
    • OK—Applies the configuration and returns to the main configuration page.
    • Reset—Cancels your entries and returns to the previous settings.

Table 45: Security Forwarding Configuration Options

Field

Function

Action

Forwarding Options

Enable packet-based IPv6

Supports IPv6 protocol traffic, including Routing Information Protocol for IPv6 (RIPng).

If your device is operating in secure context, IPv6 is disabled and the device drops IPv6 packets by default. You must enable IPv6 for a device in secure mode to enable forwarding of IPv6 packets.

For information about IPv6, see the JUNOS Routing Protocols Configuration Guide.

Default is flow mode. Select the check box to enable forwarding of IPv6 packets.

Enable packet-based ISO

Supports IS-IS traffic.

If your device is operating in secure context, the ISO protocol is disabled on the device by default. You must enable the ISO protocol for a device in secure mode to forward IS-IS packets.

Default is flow mode. Select the check box to enable forwarding of IS-IS packets.

Enable packet-based MPLS

Supports MPLS.

If your device is operating in secure context, MPLS is disabled on the device by default. You must enable the MPLS protocol to allow MPLS traffic to pass through.

Default is flow mode. Select the check box to enable forwarding of MPLS packets.

Caution: When you select this check box to enable packet-based MPLS, the following warning is displayed: “This will deactivate all security services. Are you sure?” If you select Yes, all security policies will be disabled. Disabling MPLS will not re-enable security policies. You can only enable security policies by using the CLI. For more information on security policies, see the Junos OS Security Configuration Guide.

ALG

Configuring Application Layer Gateways—Quick Configuration

To enable or disable an Application Layer Gateway (ALG) using the J-Web interface:

  1. Select Configure>Security>ALGs.

    All ALGs are enabled by default.

  2. Select the check box next to an ALG, described in Table 46, and click one of the following:

Table 46: General Configuration Options

Field

Function

Action

Main

Enable DNS

Provides an ALG for the Domain Name System. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message.

Select the check box to enable the ALG.

Enable FTP

Provides an ALG for the File Transfer Protocol. The FTP ALG monitors PORT and PASV commands and 227 replies. It performs NAT of the IP address and port in the message and opens gates on the device as necessary. The FTP ALG supports FTP put and FTP get command blocking. When FTP_NO_PUT or FTP_NO_GET is set in the policy, the FTP ALG sends back a blocking command and closes the associated opened gate when an FTP STOR or FTP RETR command is observed.

Select the check box to enable the ALG.

Enable TFTP

Provides an ALG for the Trivial File Transfer Protocol. The TFTP ALG processes the TFTP packet that initiates the request and opens a gate to allow return packets from the reverse direction to the port that sent the request.

Select the check box to enable the ALG.

Enable PPTP

Provides an ALG for the Point-to-Point Tunneling Protocol. PPTP is a Layer 2 protocol that tunnels PPP data across TCP/IP networks. The PPTP client is freely available on Windows systems and is widely deployed for building Virtual Private Networks (VPNs).

Select the check box to enable the ALG.

Enable REAL

Provides an ALG for the RealAudio and RealVideo Protocol. The REAL ALG processes Progressive Networks Audio (PNA) packets over the TCP connection and looks for the control commands in the packet where the port number is embedded. It performs NAT and opens gates for the UDP data connection.

Select the check box to enable the ALG.

Enable MSRPC

Provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's universally unique identifier (UUID). The specific UUID is mapped to a transport address.

Select the check box to enable the ALG.

Enable SUNRPC

Provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

Select the check box to enable the ALG.

Enable RSH

Provides an ALG for the Remote Shell. The RSH ALG handles TCP packets destined for port 514 and processes the RSH port command. The RSH ALG performs NAT on the port in the port command and opens gates as necessary.

Select the check box to enable the ALG.

Enable RTSP

Provides an ALG for the Real-Time Streaming Protocol.

Select the check box to enable the ALG.

Enable SQL

Provides an ALG for the Structured Query Language. The SQLNET ALG processes SQL TNS response frames from the server side. It parses the packet, looks for the (HOST=ipaddress) and (PORT=port) patterns, and performs NAT and gate opening on the client side for the TCP data channel.

Select the check box to enable the ALG.

Enable TALK

Provides an ALG for the TALK Protocol. The TALK protocol uses UDP port 517 and port 518 for control channel connections. The talk program consists of a server and a client. The server handles client notifications and helps to establish talk sessions. There are two types of talk servers: ntalk and talkd. The TALK ALG processes packets of both ntalk and talkd formats. It also performs NAT and gate opening as necessary.

Select the check box to enable the ALG.

H323

Enable H323 ALG

Enables or disables the H.323 ALG.

Click the check box.

Application Screen

Message flood gatekeeper threshold

Limits the rate per second at which remote access server (RAS) requests to the gatekeeper are processed. Messages exceeding the threshold are dropped. This feature is disabled by default.

Enter a value.

Action on receiving unknown messages

Permit NAT Applied

Specifies how unidentified H.323 messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown H.323 (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Click the check box.

Enable permit routed

Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)

Click the check box.

Endpoints

Timeout for endpoint

Controls the duration of the entries in the NAT table.

Enter a value between 10 and 50,000 seconds.

Enable permit media from any source port

Allows media traffic from any port number. By default, this feature is disabled. When disabled, the device allows a temporary opening, or pinhole, in the firewall as needed for media traffic.

Enter a value between 1 and 50,000 seconds.


MGCP

Enable MGCP ALG

Enables or disables the MGCP ALG.

Click the check box.

Inactive media timeout

Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) that the MGCP ALG opened in the firewall for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value between 10 and 2,550 seconds.


Maximum call duration

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 7200 minutes.

Select a value between 3 and 7,200 minutes.


Transaction timeout

Specifies a timeout value for MGCP transactions. A transaction is a signaling message, for example, an NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The Juniper Networks device tracks these transactions and clears them when they time out.

Enter a value from 3 to 50 seconds.

Application Screen

Message flood threshold

Limits the rate per second at which message requests to the Media Gateway are processed. Messages exceeding the threshold are dropped by the Media Gateway Control Protocol (MGCP) Application Layer Gateway (ALG). This feature is disabled by default.

Enter a value from 2 to 50,000 seconds per media gateway.

Connection flood threshold

Limits the number of new connection requests allowed per Media Gateway (MG) per second. Messages exceeding the threshold are dropped by the ALG.

Enter a value from 2 to 10,000.

Action on receiving unknown messages

Enable permit NAT applied

Specifies how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown MGCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Click the check box.

Enable permit routed

Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)

Click the check box.

SCCP

Enable SCCP ALG

Enables or disables the SCCP ALG.

Click the check box.

Inactive Media Timeout

Indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the gates that the Skinny Client Control Protocol (SCCP) ALG opened for media are closed.

Select a value from 10 to 600 seconds.

Application Screen

Call Flood Threshold

Protects Skinny Client Control Protocol (SCCP) ALG clients from flood attacks by limiting the number of calls they attempt to process.

Select a value from 2 to 1,000.

Action on receiving unknown messages

Enable Permit NAT Applied

Specifies how unidentified SCCP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SCCP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Click the check box.


Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)

Click the check box.

SIP

Enable SIP ALG

Enables or disables the SIP ALG.

Click the check box.

Enable Retain Hold Resource

Enables or disables retention of media resources by the Session Initiation Protocol (SIP) Application Layer Gateway (ALG) when a media stream is placed on hold. By default, media stream resources are released when the media stream is held.

Click the check box.

Maximum Call Duration

Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. The default setting is 720 minutes; the range is from 3 to 7200 minutes.

Select a value between 3 and 7,200 minutes.


C Timeout

Specifies the INVITE transaction timeout at the proxy, in minutes; the default is 3. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy.

Select a value between 3 and 10 minutes.

T4 Interval

Specifies the maximum time a message remains in the network. The default is 5 seconds; the range is 5 to 10 seconds. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers are also adjusted.

Select a value between 5 and 10 seconds.


Inactive Media Timeout

Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) that the SIP ALG opened in the firewall for media are closed. The default setting is 120 seconds; the range is from 10 to 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

Select a value between 10 and 2,550 seconds.


T1 Interval

Specifies the roundtrip time estimate, in seconds, of a transaction between endpoints. The default is 500 milliseconds. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted.

Select a value between 500 and 5,00 milliseconds.


Application Screen

SIP invite attack table entry timeout

Specifies the amount of time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen.

Enter a value between 1 and 3,600 seconds.

Action on receiving unknown message

Enable Permit NAT Applied

Specifies how unidentified SIP messages are handled by the device. The default is to drop unknown (unsupported) messages. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped.

This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing.

Click the check box.

Enable Permit Routed

Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.)

Click the check box.

Protect option

Enable Attack Protection

Protects servers against INVITE attacks. Configure the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks.

Select All Servers or Selected Servers as the options.
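As an added example (not Juniper code) of what the FTP ALG row of Table 46 describes, the following Python parses the PORT command and the 227 reply, works out the one data-channel flow a gate should be opened for, and rewrites the embedded address as NAT would require; every message and address below is constructed sample data.

```python
"""Endpoint handling that an FTP ALG performs on PORT commands and 227 replies.

Added example, not Juniper code: it models what the FTP ALG row of Table 46
describes, learning the dynamic data-channel endpoint from the control channel,
deriving the single flow to open a gate (pinhole) for, and rewriting the
address for NAT. All messages and addresses are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# FTP encodes "h1,h2,h3,h4,p1,p2": four IPv4 octets, then the port as two bytes.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\s.*?\(" + _HOSTPORT + r"\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active": server connects to the client; "passive": client connects to the server
    ip: str     # address advertised inside the control message
    port: int   # TCP port advertised inside the control message


def _decode(fields: Sequence[str]) -> Tuple[str, int]:
    octets = [int(f) for f in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet or port byte out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data channel")
    return ".".join(str(o) for o in octets), port


def parse_ftp_endpoint(line: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint carried by a PORT command or a 227 reply.

    Any other control-channel line (USER, STOR, RETR, a 230 reply, ...) returns
    None; the ALG has nothing to translate or open for those.
    """
    m = _PORT_CMD.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataChannel("active", ip, port)
    m = _PASV_REPLY.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataChannel("passive", ip, port)
    return None


def pinhole_for(chan: DataChannel, client: str, server: str) -> Tuple[str, str, int]:
    """Describe the one TCP flow (source host, destination host, destination port) to admit.

    The advertised address must belong to the side that advertised it. This is
    this example's own sanity check; the page does not say how the ALG itself
    treats a mismatch.
    """
    owner = client if chan.mode == "active" else server
    if chan.ip != owner:
        raise ValueError(f"advertised {chan.ip} does not belong to the {chan.mode} peer {owner}")
    if chan.mode == "active":
        return server, chan.ip, chan.port   # server dials back to the client's port
    return client, chan.ip, chan.port       # client dials the server's data port


def rewrite_endpoint(line: str, new_ip: str, new_port: int) -> str:
    """Rewrite the embedded address/port, as the ALG does when NAT changes them.

    The textual encoding can change length, so a real ALG must also adjust TCP
    sequence numbers on the control connection; that part is left out here.
    """
    if not 0 < new_port <= 65535:
        raise ValueError("port out of range")
    encoded = ",".join(new_ip.split(".")) + f",{new_port // 256},{new_port % 256}"
    return re.sub(_HOSTPORT, encoded, line, count=1)
```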

Filters

Configuring a Stateless Firewall Filter with Quick Configuration

The Firewall Filters Quick Configuration pages allow you to configure stateless firewall filters that examine packets traveling to or from a device. You can create new filters or edit existing filters by adding terms to them. Each filter term is defined by a set of match conditions and an associated action. After you define the terms for a filter, you must associate the filter with one or more interfaces on the router.

This section contains the following topics:

Configuring IPv4 and IPv6 Stateless Firewall Filters

Using the Firewall Filters Quick Configuration pages, you can create filters and terms and define match conditions and actions for each filter term.

To configure a stateless firewall filter with Quick Configuration:

  1. In the J-Web interface, select Configuration>Quick Configuration>Firewall Filters.
  2. Select one of the following options on the Firewall Filters Quick Configuration page:
    • To edit IPv4 firewall filters and terms, select Edit IPv4 Firewall Filters.

      Note: If you have existing IPv4 firewall configurations in both edit firewall filter and edit firewall family inet filter hierarchies, merge the two to one location. The J-Web firewall filter Quick Configuration feature supports configuration in one location only.

    • To edit IPv6 firewall filters and terms, select Edit IPv6 Firewall Filters.
  3. Enter information into the Firewall Filters Quick Configuration pages, as described in Table 47.
  4. Click one of the following buttons on the Firewall Filters Quick Configuration main page:
    • To apply the configuration and stay in the current Firewall Filters Quick Configuration page, click Apply.
    • To apply the configuration and return to the previous Quick Configuration page, click OK.
    • To cancel your entries and return to the previous Quick Configuration page, click Cancel.
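As an added example that is not part of the original documentation, the following Python models the filter and term structure these pages build: first-match term order, except addresses, prefix lists, and the source-port condition that does not check the protocol, as described in Table 47. The prefix list, filter, and packets are constructed sample data.

```python
"""First-match evaluation of stateless firewall filter terms.

Added example, not Juniper code: a small model of the filter/term structure that
the Firewall Filters Quick Configuration pages build, used to see how term order,
"except" addresses, prefix lists and the source-port/protocol note in Table 47
interact. The prefix list, filter and packets below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Stands in for prefix lists defined elsewhere in the configuration (constructed).
PREFIX_LISTS: Dict[str, List[str]] = {
    "mgmt-hosts": ["10.0.99.0/24", "10.0.100.7/32"],
}

Entry = Tuple[str, bool]      # (prefix, is_except)
PortEntry = Tuple[int, bool]  # (port, is_except)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                    # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Term:
    name: str
    action: str                                          # "accept" or "discard"
    source_addresses: List[Entry] = field(default_factory=list)
    source_prefix_lists: List[str] = field(default_factory=list)
    source_ports: List[PortEntry] = field(default_factory=list)
    destination_ports: List[PortEntry] = field(default_factory=list)
    protocol: Optional[str] = None                       # None = any protocol (see the Table 47 note)


def _address_matches(addr: str, entries: List[Entry]) -> bool:
    """The most specific matching entry decides; if it is an 'except' entry, the address is excluded."""
    ip = ip_address(addr)
    best: Optional[Tuple[int, bool]] = None
    for prefix, is_except in entries:
        net = ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, is_except)
    return best is not None and not best[1]


def _port_matches(port: Optional[int], entries: List[PortEntry]) -> bool:
    if port is None:
        return False
    included = {p for p, ex in entries if not ex}
    excluded = {p for p, ex in entries if ex}
    return port not in excluded and (not included or port in included)


def term_matches(term: Term, pkt: Packet) -> bool:
    """A term matches only if every configured condition matches; an empty condition is a wildcard."""
    if term.protocol is not None and pkt.protocol != term.protocol:
        return False
    addr_entries = list(term.source_addresses)
    for name in term.source_prefix_lists:
        addr_entries += [(p, False) for p in PREFIX_LISTS[name]]
    if addr_entries and not _address_matches(pkt.src, addr_entries):
        return False
    if term.source_ports and not _port_matches(pkt.src_port, term.source_ports):
        return False
    if term.destination_ports and not _port_matches(pkt.dst_port, term.destination_ports):
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (term name, action) of the first matching term, in the order the Action column sets.

    No match falls through to the implicit discard at the end of a Junos filter.
    """
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return None, "discard"


# Constructed filter: the first term shows the Table 47 caveat, a source-port
# condition without a protocol condition matches TCP and UDP alike.
SAMPLE_FILTER: List[Term] = [
    Term("dns-replies", "accept", source_ports=[(53, False)]),
    Term("mgmt-ssh", "accept",
         source_prefix_lists=["mgmt-hosts"],
         source_addresses=[("10.0.99.200/32", True)],   # one host carved out of the list
         protocol="tcp",
         destination_ports=[(22, False)]),
]
```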

Table 47: Firewall Filters Quick Configuration Pages Summary

Field

Function

Your Action

IPv4 Filter Summary

Action column

Displays up and down arrows and an X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which corresponding actions are carried out.

To move an item upward, locate the item and click the up arrow from the same row.

To move an item downward, locate the item and click the down arrow from the same row.

To delete an item, locate the item and click the X from the same row.

Filter Name

Displays the name of the filter and when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or modify filter terms.

To display the terms added to a filter, click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.

To edit a filter, click the filter name. To edit a term, click the name of the term.

Search

Filter Name

Searches for existing filters by filter name.

To find a specific filter, type the name of the filter in the Filter Name box.

To list all filters with a common prefix or suffix, use the wildcard character (*) when typing the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Term Name

Searches for existing terms by term name.

To find a specific term, type the name of the term in the Term Name box.

To list all terms with a common prefix or suffix, use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Number of Items to Display

Specifies the number of filters or terms to display on one page.

To select the number of items to be displayed on one page, select a number from the list.

Add New IPv4 (or IPv6) Filter

Name

Specifies the name for a new filter.

To name a filter, type a string of meaningful characters or integers that allow you to uniquely identify the filter.

Location

Positions the new filter in one of the following locations:

  • After Final IPv4 Filter—At the end of all filters.
  • After IPv4 Filter—After a specified filter.
  • Before IPv4 Filter—Before a specified filter.

To position the new filter:

  • At the end of all filters, select After Final IPv4 Filter.
  • After a specific filter, select After IPv4 Filter then select a name from the filter name list.
  • Before a specific filter, select Before IPv4 Filter then select a name from the filter name list.

Add

Adds a new filter name.

Opens the term summary page for this filter allowing you to add new terms to this filter.

To create a new filter and open the term summary page for this filter, click Add.

Add New IPv4 (or IPv6) Term

Name

Defines a term for a specific filter.

To name a term, type a string of meaningful characters or integers that allow you to uniquely identify the term.

Location

Positions the new term in one of the following locations:

  • After Final IPv4 Term—At the end of all terms.
  • After IPv4 Term—After a specified term.
  • Before IPv4 Term—Before a specified term.

To position the new term:

  • At the end of all terms, select After Final IPv4 Term.
  • After a specific term, select After IPv4 Term then select a name from the term name list.
  • Before a specific term, select Before IPv4 Term then select a name from the term name list.

Add

Adds a term name for the specific filter.

Opens the Filter Term page allowing you to define the match conditions and the action for this term.

To add a term name and open the Filter Term page, click Add.

Match Source

Source Address

Specifies IP source addresses to be included in, or excluded from, the match condition.

Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

To specify an IP source address, type an IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except then click Add.

To remove an IP source address from the match condition, select it and click Delete.

Source Prefix List

Specifies source prefix lists that you have already defined, to be included in the match condition.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the Junos OS Policy Framework Configuration Guide.

To include a predefined source prefix list in the match condition, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Source Port

Specifies the source port type to be included in, or excluded from, the match condition.

Allows you to remove a source port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

To specify a known source port type, select the port from the port name list. To specify source port types that do not exist in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except then click Add.

To remove a port type from the match condition, select it and click Delete.

Match Destination

Destination Address

Specifies destination addresses to be included in, or excluded from, the match condition.

Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

To specify a destination IP address, type an IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except then click Add.

To remove an IP address from the match condition, select it and click Delete.

Destination Prefix List

Specifies destination prefix lists that you have already defined, to be included in the match condition.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the JUNOS Policy Framework Configuration Guide.

To include a predefined destination prefix list, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Destination Port

Specifies destination port types to be included in, or excluded from, the match condition.

Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

To specify a known destination port type, select the port from the port name list. To specify destination port types that do not exist in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except then click Add.

To remove a destination port type from the match condition, select it and click Delete.

Match Source or Destination

Address

Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination.

Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

To specify a source or destination IP address, type the IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except then click Add.

To remove an IP address from the match condition, select it and click Delete.

Prefix List

Specifies prefix lists that you have already defined, to be included in the match condition for a source or destination.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the JUNOS Policy Framework Configuration Guide.

Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

To include a predefined prefix list in the match condition, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Port

Specifies a port type to be included in, or excluded from, a match condition for a source or destination.

Allows you to remove a port from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

To specify a known port type in the match condition, select the port from the port name list. To specify port types not included in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except then click Add.

To remove a port from the match condition, select it and click Delete.

Match Interface

Interface

Specifies interfaces to be included in a match condition.

Allows you to remove an interface from the match condition.

To include an interface in a match condition, either select a name from the interface name list or type the interface name and click Add.

To remove an interface from the match condition, select it and click Delete.

Interface Set

Specifies interface sets that you have already defined, to be included in a match condition.

Allows you to remove an interface set from the match condition.

For information about defining interface sets, see the JUNOS Policy Framework Configuration Guide.

To include a predefined interface set in a match condition, type the interface set name and click Add.

To remove an interface set from the match condition, select it and click Delete.

Interface Group

Specifies interface groups, that you have already defined, to be included in, or excluded from, a match condition.

Allows you to remove an interface group from the match condition.

For information about defining interface groups, see the JUNOS Policy Framework Configuration Guide.

To specify a predefined interface group, type the name of the group.

  • To include the group in the match condition, click Add.
  • To exclude the group from the match condition, select Except then click Add.

To remove an interface group from the match condition, select it and click Delete.

Match Packet and Network

First Fragment (IPv4 only)

Matches the first fragment of a fragmented packet.

To match the first fragment, select the check box.

Is Fragment (IPv4 only)

Matches trailing fragments (all but the first fragment) of a fragmented packet.

To match trailing fragments, select the check box.

Fragment Flags (IPv4 only)

Specifies fragmentation flags to be included in the match condition.

To specify fragmentation flags, type a text or numeric string defining the flag—for example, more-fragments or 0x2000.

TCP Established

Matches all TCP packets other than the first packet of a connection.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To match all TCP packets except the first of a connection, select the check box.

TCP Initial

Matches the first TCP packet of a connection.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To match the first TCP packet of a connection, select the check box.

TCP Flags

Specifies TCP flags to be included in the match condition.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To specify a TCP flag, type a text or numeric string defining the flag—for example, syn or 0x02.

Protocol (IPv4 only)

Specifies IPv4 protocol types to be included in, or excluded from, the match condition.

Allows you to remove an IPv4 protocol type from the match condition.

To specify an IPv4 protocol type, select a protocol name from the list or type a protocol name or number—for example, ospf or 89.

  • To include the protocol in the match condition, click Add.
  • To exclude the protocol from the match condition, select Except then click Add.

To remove an IPv4 protocol type from the match condition, select it and click Delete.

Next Header (IPv6 only)

Specifies IPv6 protocol types to be included in, or excluded from, the match condition.

Allows you to remove an IPv6 protocol type from the match condition.

To specify an IPv6 protocol type, select a protocol name from the list or type the protocol name or number—for example, igmp or 2.

  • To include the protocol in the match condition, click Add.
  • To exclude the protocol from the match condition, select Except then click Add.

To remove an IPv6 protocol type from the match condition, select it and click Delete.

ICMP Type

Specifies ICMP packet types to be included in, or excluded from, the match condition.

Allows you to remove an ICMP packet type from the match condition.

Note: This match condition does not verify that ICMP is the protocol in use. Make sure to specify the ICMP protocol as a match condition in the same term.

To specify an ICMP packet type, select a packet type from the list or type a packet type name or number—for example, time-exceeded or 11.

  • To include the packet type in the match condition, click Add.
  • To exclude the packet type from the match condition, select Except then click Add.

To remove an ICMP packet type from the match condition, select it and click Delete.

ICMP Code

Specifies the ICMP code to be included in, or excluded from, the match condition.

Allows you to remove an ICMP code from the match condition.

Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

To specify an ICMP code, select a packet code from the list or type the packet code as text or a number—for example, ip-header-bad or 0.

  • To include the ICMP code in the match condition, click Add.
  • To exclude the ICMP code from the match condition, select Except then click Add.

To remove an ICMP code from the match condition, select it and click Delete.

Traffic Class (IPv6 only)

Specifies Differentiated Services code points (DSCPs) to be included in, or excluded from, the match condition.

Allows you to remove a DSCP value from the match condition.

To specify a DSCP, select it from the list or type the DSCP value as a keyword, decimal, or binary string—for example, af11 or 10.

  • To include the DSCP in the match condition, click Add.
  • To exclude the DSCP from the match condition, select Except then click Add.

To remove a DSCP from the match condition, select it and click Delete.

Fragment Offset (IPv4 only)

Specifies the fragment offset value to be included in, or excluded from, the match condition. The fragment offset value specifies the location of the fragment in the packet. For example, fragment offset zero specifies the first fragment.

Allows you to remove a fragment offset value from the match condition.

To specify a fragment offset value, type the fragment offset number or range.

  • To include the offset in the match condition, click Add.
  • To exclude the offset from the match condition, select Except then click Add.

To remove a fragment offset value from the match condition, select it and click Delete.

Precedence (IPv4 only)

Specifies IP precedences to be included in, or excluded from, the match condition.

Allows you to remove an IP precedence entry from the match condition.

To specify an IP precedence, select it from the list or type the precedence as a keyword, decimal integer between 0 and 7, or binary string.

  • To include the precedence in the match condition, click Add.
  • To exclude the precedence from the match condition, select Except then click Add.

To remove an IP precedence from the match condition, select it and click Delete.

DSCP (IPv4 only)

Specifies Differentiated Services code points (DSCPs) to be included in, or excluded from, the match condition.

Allows you to remove a DSCP entry from the match condition.

To specify a DSCP, select it from the list or type the DSCP value as a keyword, decimal, or binary string—for example, af11 or 10.

  • To include the DSCP in the match condition, click Add.
  • To exclude the DSCP from the match condition, select Except then click Add.

To remove a DSCP, select it and click Delete.

TTL (IPv4 only)

Specifies the IPv4 time-to-live (TTL) value to be included in, or excluded from, the match condition.

Allows you to remove an IPv4 TTL value from the match condition.

To specify an IPv4 TTL value, type a number between 1 and 255.

  • To include the TTL in the match condition, click Add.
  • To exclude the TTL from the match condition, select Except then click Add.

To remove an IPv4 TTL type from the match condition, select it and click Delete.

Packet Length

Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition.

Allows you to remove a packet length value from the match condition.

To specify a packet length, type a value or range.

  • To include the packet length in the match condition, click Add.
  • To exclude the packet length from the match condition, select Except then click Add.

To remove a packet length value from the match condition, select it and click Delete.

Forwarding Class

Specifies forwarding classes to be included in, or excluded from, the match condition.

Allows you to remove a forwarding class entry from the match condition.

To specify a forwarding class, select it from the list or type it.

  • To include the forwarding class in the match condition, click Add.
  • To exclude the forwarding class from the match condition, select Except then click Add.

To remove a forwarding class from the match condition, select it and click Delete.

IP Options (IPv4 only)

Specifies IP options to be included in, or excluded from, the match condition.

Allows you to remove an IP option from the match condition.

To specify an IP option, select it from the list or type a text or numeric string identifying the option.

  • To include the IP option in the match condition, click Add.
  • To exclude the IP option from the match condition, select Except then click Add.

To remove an IP option from the match condition, select it and click Delete.

IPSec ESP SPI (IPv4 only)

Specifies IPSec Encapsulating Security Payload (ESP) security parameter index (SPI) values to be included in, or excluded from, the match condition.

Allows you to remove an ESP SPI value from the match condition.

To specify an ESP SPI value, type a binary, hexadecimal, or decimal SPI value or range.

  • To include the value in the match condition, click Add.
  • To exclude the value from the match condition, select Except then click Add.

To remove an ESP SPI value from the match condition, select it and click Delete.

Action

Nothing

No action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

To specify no action (or the default action), select Nothing.

Accept

Accepts a packet that meets the match conditions of the term.

To accept the packet, select Accept.

Discard

Discards a packet that meets the match conditions of the term.

Names a discard collector for packets (IPv4 only).

To discard a packet, select Discard.

To name a discard collector, type a filename in the Accounting box (IPv4 only).

Reject

Rejects a packet that meets the match conditions of the term and returns a rejection message.

Allows you to specify a message type that denotes the reason the packet was rejected.

Note: To log and sample rejected packets, specify Log and Sample action modifiers in conjunction with this action.

To reject a packet, select Reject.

To specify a message type, select the message from the Reason list.

Next Term

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term.

This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term.

When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.

To continue to the next term, select Next Term.
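The match and action semantics described above (terms evaluated in order, Except conditions, port matches that do not check the protocol, TCP Established, fragment conditions, Next Term, and the implicit discard of packets that match no term) are easy to get wrong when reading a filter. The following Python model is an added example and is not code from the Junos documentation or from the J-Web interface; the Packet and Term classes, the field names, the sample packets and the counter names are all constructed for illustration. It shows why the notes on the port fields matter: a term that matches destination port 22 without a TCP protocol condition also accepts UDP traffic to port 22.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: only the header fields the terms below inspect.
@dataclass
class Packet:
    protocol: str                      # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset() # e.g. {"syn"}, {"ack"}, {"syn", "ack"}
    frag_offset: int = 0
    more_fragments: bool = False

# One filter term: a subset of the match conditions from the page plus an action.
@dataclass
class Term:
    name: str
    action: str = "accept"             # accept | discard | reject | next-term
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    src_port_except: bool = False      # "Except" on the Source Port field
    dst_port: Optional[int] = None
    dst_port_except: bool = False      # "Except" on the Destination Port field
    tcp_established: bool = False
    tcp_initial: bool = False
    first_fragment: bool = False
    is_fragment: bool = False
    count: Optional[str] = None        # Count action modifier: counter name

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        # Port conditions look at the port number only; they never check
        # whether the packet is TCP or UDP (the caveat in the Note above).
        for want, exc, have in ((self.src_port, self.src_port_except, p.src_port),
                                (self.dst_port, self.dst_port_except, p.dst_port)):
            if want is not None and (have == want) == exc:
                return False
        # TCP Established: any packet other than the first of a connection
        # (ACK or RST set). TCP Initial: SYN set and ACK not set. Both read the
        # flag bits only, so pair them with a TCP protocol condition.
        if self.tcp_established and not ({"ack", "rst"} & p.tcp_flags):
            return False
        if self.tcp_initial and not ("syn" in p.tcp_flags and "ack" not in p.tcp_flags):
            return False
        if self.first_fragment and not (p.frag_offset == 0 and p.more_fragments):
            return False
        if self.is_fragment and p.frag_offset == 0:
            return False
        return True

def evaluate(terms, p: Packet, counters=None) -> str:
    """Return the terminating action for p. Terms run in order; the first
    matching term ends evaluation unless its action is next-term; a packet
    that matches no term is discarded (the default described above)."""
    counters = counters if counters is not None else {}
    for t in terms:
        if not t.matches(p):
            continue
        if t.count:
            counters[t.count] = counters.get(t.count, 0) + 1
        if t.action == "next-term":
            continue
        return t.action
    return "discard"

def build_filter(strict: bool):
    """Constructed filter: count everything, allow SSH, allow established TCP,
    reject the rest. strict=True adds the protocol condition to the SSH term."""
    return [
        Term("count-all", action="next-term", count="all-packets"),
        Term("ssh", dst_port=22, protocol="tcp" if strict else None),
        Term("replies", protocol="tcp", tcp_established=True),
        Term("deny-rest", action="reject"),
    ]

def run(strict: bool):
    """Evaluate four constructed packets; returns (actions by name, counters)."""
    counters = {}
    pkts = {
        "tcp-ssh-syn": Packet("tcp", dst_port=22, tcp_flags=frozenset({"syn"})),
        "udp-22": Packet("udp", dst_port=22),
        "tcp-reply": Packet("tcp", dst_port=44321, tcp_flags=frozenset({"ack"})),
        "tcp-new-http": Packet("tcp", dst_port=80, tcp_flags=frozenset({"syn"})),
    }
    results = {n: evaluate(build_filter(strict), p, counters) for n, p in pkts.items()}
    return results, counters

if __name__ == "__main__":
    for strict in (False, True):
        actions, counters = run(strict)
        print("strict" if strict else "loose", actions, counters)
```

With strict=False the udp-22 packet is accepted by the ssh term; with strict=True it falls through to deny-rest. The count-all term increments its counter for every packet and then continues, which is the Next Term behaviour the text describes.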

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

To specify a routing instance, select Routing Instance and type the routing instance name in the box next to Routing Instance.

Load Balance

Specifies a load-balance group that you have already defined, to be used by packets that meet the match conditions.

A load-balance group contains interfaces that use the same next-hop group to balance the traffic load.

For information about configuring a load-balance group, see the JUNOS Policy Framework Configuration Guide.

To specify a load-balance group, select Load Balance and type the group name in the box next to it.

Action Modifiers

Forwarding Class

Classifies the packet as a specific forwarding class.

To specify a forwarding class, select it from the list.

Count

Counts the packets passing this term.

Allows you to name a counter, which is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

To count packets passing this term, select Count.

To specify a counter name, type a 24-character string containing letters, numbers, or hyphens.

Virtual Channel (IPv4 only)

Specifies the virtual channel to be set on a particular logical interface.

To specify the virtual channel, type a string identifying the virtual channel.

Log

Logs the packet header information in the Routing Engine.

To log packet header information, select Log.

Syslog

Records packet information in the system log.

To record information in the system log, select Syslog.

Sample (IPv4 only)

Samples traffic on the interface.

Note: You must enable traffic sampling for this action to work. For more information about traffic sampling and forwarding, see the JUNOS Policy Framework Configuration Guide.

To sample traffic on an interface, select Sample.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

For more information, see the Junos OS Class of Service Configuration Guide.

To set the loss priority of the packet, select a loss priority from the list.

Assigning IPv4 and IPv6 Firewall Filters to Interfaces

For a firewall filter to work, you must assign it to an interface. Use the Firewall Filters Quick Configuration pages to assign IPv4 and IPv6 filters to interfaces. Using these pages you can select a firewall filter to evaluate packets that are received or transmitted on a specific interface.

When assigning firewall filters to interfaces, remember that you can assign only one input and one output firewall filter to each interface. However, you can assign the same filter to multiple interfaces.

To assign IPv4 and IPv6 firewall filters to interfaces with Quick Configuration:

  1. In the J-Web interface, select Configuration>Firewall Filters>Assign Firewall Filters to Interfaces.
  2. Enter information into the Firewall Filters Quick Configuration pages, as described in Table 48.
  3. Click one of the following buttons on the Firewall Filters Quick Configuration main page:
    • To apply the configuration and stay in the current Firewall Filters Quick Configuration page, click Apply.
    • To apply the configuration and return to the previous Quick Configuration page, click OK.
    • To cancel your entries and return to the previous Quick Configuration page, click Cancel.

Table 48: Assigning Firewall Filters Quick Configuration Pages Summary

Field

Function

Your Action

Firewall Filters

Logical Interface Name

Displays the logical interfaces on a router.

Allows you to apply IPv4 and IPv6 firewall filters to packets received on the interface and packets transmitted from the interface.

To apply firewall filters to an interface, click the interface name.

  • To apply an input firewall filter, follow instructions in the input firewall filters section.
  • To apply an output firewall filter, follow instructions in the output firewall filters section.

Link State

Displays the status of the logical interface.

None.

Input Firewall Filters

Displays the input firewall filter applied on an interface. This filter evaluates all packets received on the interface.

None.

Output Firewall Filters

Displays the output firewall filter applied on an interface. This filter evaluates all packets transmitted from the interface.

None.

Input Firewall Filters

IPv4 Input Filter

IPv6 Input Filter

Allows you to apply an input firewall filter to an interface. This filter evaluates all packets received on the interface.

To apply an input firewall filter to an interface, select the name of the firewall filter from the list.

Output Firewall Filters

IPv4 Output Filter

IPv6 Output Filter

Allows you to apply an output firewall filter to an interface. This filter evaluates all packets transmitted on the interface.

To apply an output firewall filter to an interface, select the name of the firewall filter from the list.

802.1x

Configuring 802.1X Features

IEEE 802.1X and MAC RADIUS authentication both provide network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the supplicant's credential or MAC address is presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.

See the Junos OS Documentation for EX Series Switches for detailed examples of configuring 802.1X features.

Configuring Authentication Features (J-Web)

To configure 802.1X settings using the J-Web interface:

  1. From the Configure menu, select Security > 802.1X.

    The 802.1X screen displays a list of interfaces, whether 802.1X security has been enabled, and the assigned port role.

    When you select a particular interface, the Details section displays 802.1X details for the selected interface.

    Note: After you make changes to the configuration, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.

  2. Click one:
    • RADIUS Servers—specifies the RADIUS server to be used for authentication. Select the check box to select the server. Click Add or Edit to add or modify the RADIUS server settings. Enter information as specified in Table 49.
    • Exclusion List—implements the authentication bypass option by listing the MAC address of each host to be excluded from 802.1X authentication. Click Add or Edit in the Exclusion list screen to include or modify the MAC address list. Enter information as specified in Table 50.
    • Edit—specifies 802.1X settings for the selected interface.
      • Apply 802.1X Profile—applies a predefined 802.1X profile based on the port role. If a message appears asking if you want to configure a RADIUS server, click Yes and enter information as specified in Table 49.
      • 802.1X Configuration—configures custom 802.1X settings for the selected interface. If a message appears asking if you want to configure a RADIUS server, click Yes and enter information as specified in Table 49. To configure 802.1X settings, enter information as specified in Table 51.
    • Delete—deletes the existing 802.1X authentication configuration on the selected interface.

Table 49: RADIUS Server Settings

Field

Function

Your Action

IP Address

Specifies the IP address of the server.

Enter the IP address in dotted decimal notation.

Password

Specifies the login password.

Enter the password.

Confirm Password

Verifies the login password for the server.

Reenter the password.

Server Port Number

Specifies the port with which the server is associated.

Type the port number.

Source Address

Specifies the source address of the SRX Series device for communicating with the server.

Type the IP address in dotted decimal notation.

Retry Attempts

Specifies the number of login retries allowed after a login failure.

Type the number.

Timeout

Specifies the time interval to wait before the connection to the server is closed.

Type the interval in seconds.

Table 50: 802.1X Exclusion List

Field

Function

Your Action

MAC Address

Specifies the MAC address to be excluded from 802.1X authentication.

Enter the MAC address.

Exclude if connected through the port

Specifies that a supplicant can bypass authentication if it is connected through a particular interface.

Select to enable the option. Select the port through which the supplicant is connected.

Move the host to the VLAN

Moves the host to a specific VLAN once the host is authenticated.

Select to enable the option. Select the VLAN from the list.

Table 51: 802.1X Port Settings

Field

Function

Your Action

Supplicant Mode

Supplicant Mode

Specifies the mode to be adopted for supplicants:

  • Single—allows only one host for authentication.
  • Multiple—allows multiple hosts for authentication. Each host is checked before being admitted to the network.
  • Single authentication for multiple hosts—allows multiple hosts but only the first is authenticated.

Select the required mode.

Authentication

Enable re-authentication

Specifies enabling reauthentication on the selected interface.

Select to enable reauthentication. Enter the timeout for reauthentication in seconds.

Action for nonresponsive hosts

Specifies the action to be taken in case a supplicant is non-responsive:

  • Move to the Guest VLAN—moves the supplicant to the specified Guest VLAN.
  • Deny—does not permit access to the supplicant.

Select the desired action.

Timeouts

Specifies timeout values for:

  • Port waiting time after an authentication failure
  • EAPOL re-transmitting interval
  • Maximum EAPOL requests
  • Maximum number of retries
  • Port timeout value for a response from the supplicant
  • Port timeout value for a response from the RADIUS server

Enter timeout values in seconds for the appropriate options.

Specifying RADIUS Server Connections on an SRX Series or J Series Device (CLI)

To use 802.1X or MAC RADIUS authentication, you must specify the connections on the SRX Series or J Series device for each RADIUS server to which you will connect.

To configure a RADIUS server:

  1. Navigate to the access hierarchy and define the RADIUS server by its IP address and secret password. The secret password on the SRX Series or J Series device must match the secret password on the server.

    Note: For 802.1X authentication, the RADIUS server must be configured at the access hierarchy level.


    [edit]
    user@host# edit access
    [edit access]
    user@host# set radius-server 10.0.0.100 port 1812 secret abc

    To define more than one RADIUS server, you need to enter separate radius-server commands.

  2. (Optional) Specify the IP address that the RADIUS server uses to identify the SRX Series or J Series device.

    By default, the RADIUS server uses the address of the interface sending the RADIUS request to determine the source of a request. If the request has been diverted on an alternate route to the RADIUS server, however, the interface relaying the request might not be an interface on the SRX Series or J Series device. To ensure that the source is identified correctly, specify its IP address explicitly.


    [edit access]
    user@host# set radius-server 10.0.0.100 source-address 10.93.14.100
  3. Create a profile and configure the authentication order, making radius the first method of authentication.

    [edit access]
    user@host# set profile profile1 authentication-order radius

  4. Specify one or more RADIUS servers to be associated with profile1.

    [edit access]
    user@host# set profile profile1 radius authentication-server 10.0.0.100

  5. Navigate to the top of the hierarchy and define profile1 as the authentication profile for 802.1X or MAC RADIUS authenticator.

    [edit access]
    user@host# top
    [edit]
    user@host# set protocols dot1x authenticator authentication-profile-name profile1

  6. Configure the IP address of the SRX Series or J Series device in the list of clients on the RADIUS server. For specifics on configuring the RADIUS server, consult the documentation for your server.
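Steps 1 through 5 build a chain of references: the dot1x authenticator names an access profile, the profile names RADIUS servers, and each server needs a definition with a shared secret. A mistake in any link (a profile name typo, a server listed in the profile but never defined, password ordered before radius) leaves 802.1X unable to authenticate anyone. The following Python script is an added example, not part of the Junos documentation or of any Juniper tool: it parses the configuration in the set-command form the procedure types in (constructed here from the commands above) and checks that chain. The function names, the finding messages, and the 16-character minimum for the shared secret are assumptions of this example, not Junos requirements; on a real device, display set shows the secret in encrypted form, so the length check only applies to plaintext you are about to commit.

```python
# Constructed sample: the set commands from the procedure above, plus the
# interface settings from the next section, as plain text.
SAMPLE_CONFIG = """
set access radius-server 10.0.0.100 port 1812 secret abc
set access radius-server 10.0.0.100 source-address 10.93.14.100
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.0.0.100
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/5 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/5 reauthentication 120
"""

# Constructed sample with deliberate mistakes: password ordered first, the
# profile points at a server that is never defined, and no reauthentication.
BROKEN_CONFIG = """
set access radius-server 10.0.0.100 port 1812 secret abc
set access profile profile1 authentication-order password radius
set access profile profile1 radius authentication-server 10.0.0.200
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/5 supplicant multiple
"""

SUPPLICANT_MODES = ("single", "single-secure", "multiple")

def parse_set_lines(text):
    """Turn 'set a b c ...' lines into token lists without the leading 'set'."""
    return [line.strip().split()[1:]
            for line in text.strip().splitlines()
            if line.strip().startswith("set ")]

def lint_dot1x(text, min_secret_len=16):
    """Return a list of findings (empty when the reference chain is complete)."""
    servers, profiles, interfaces = {}, {}, {}
    auth_profile = None
    for s in parse_set_lines(text):
        if s[:2] == ["access", "radius-server"]:
            # remaining tokens are key/value pairs: port 1812 secret abc
            entry = servers.setdefault(s[2], {})
            entry.update(zip(s[3::2], s[4::2]))
        elif s[:2] == ["access", "profile"]:
            prof = profiles.setdefault(s[2], {"order": [], "servers": set()})
            if s[3] == "authentication-order":
                prof["order"].extend(s[4:])
            elif s[3:5] == ["radius", "authentication-server"]:
                prof["servers"].update(s[5:])
        elif s[:3] == ["protocols", "dot1x", "authenticator"]:
            if s[3] == "authentication-profile-name":
                auth_profile = s[4]
            elif s[3] == "interface":
                interfaces.setdefault(s[4], {})[s[5]] = s[6] if len(s) > 6 else True

    findings = []
    if auth_profile is None:
        findings.append("dot1x authenticator has no authentication-profile-name")
    elif auth_profile not in profiles:
        findings.append(f"authentication profile {auth_profile!r} is not defined under access profile")
    else:
        prof = profiles[auth_profile]
        if not prof["order"] or prof["order"][0] != "radius":
            findings.append(f"profile {auth_profile!r}: radius is not the first authentication method")
        if not prof["servers"]:
            findings.append(f"profile {auth_profile!r}: no radius authentication-server listed")
        for ip in sorted(prof["servers"] - servers.keys()):
            findings.append(f"profile {auth_profile!r}: authentication-server {ip} has no radius-server definition")
    for ip, entry in sorted(servers.items()):
        if "secret" not in entry:
            findings.append(f"radius-server {ip}: no shared secret configured")
        elif len(entry["secret"]) < min_secret_len:   # local policy threshold (assumption)
            findings.append(f"radius-server {ip}: shared secret shorter than {min_secret_len} characters")
    for ifname, settings in sorted(interfaces.items()):
        mode = settings.get("supplicant")
        if mode not in SUPPLICANT_MODES:
            findings.append(f"interface {ifname}: supplicant mode {mode!r} is not one of {SUPPLICANT_MODES}")
        if "reauthentication" not in settings:
            findings.append(f"interface {ifname}: reauthentication not enabled")
    return findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_dot1x(cfg) or ["ok"])
```

The sample taken from the procedure passes every structural check and is flagged only for the three-character shared secret, which the procedure uses as a placeholder; the broken sample produces one finding per mistake, in the order the checks run.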

Configuring 802.1X Interface Settings (CLI)

To configure 802.1X authentication on an interface:

  1. Navigate to the [edit protocols dot1x] hierarchy and configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates only one supplicant), or multiple (authenticates multiple supplicants).

    [edit]
    user@host# edit protocols dot1x
    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 supplicant multiple
  2. Enable reauthentication and specify the reauthentication interval.

    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 reauthentication 120
  3. Configure the interface timeout value for the response from the supplicant.

    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 supplicant-timeout 5
  4. Configure the timeout for the interface before it resends an authentication request to the RADIUS server.

    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 server-timeout 5
  5. Configure how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant.

    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 transmit-period 60
  6. Configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out.

    [edit protocols dot1x]
    user@host# set authenticator interface ge-0/0/5 maximum-requests 5

Example: Configuring a Guest VLAN (CLI)

802.1X provides LAN access to nonresponsive hosts (hosts where 802.1X is not enabled). These hosts, referred to as guests, typically are provided access only to the Internet.

To create a guest VLAN and to verify the configuration:

  1. Configure a VLAN named visitor-vlan.

    [edit]

    user@host# set vlans visitor-vlan vlan-id 300
  2. Navigate to the top of the hierarchy to configure visitor-vlan as the guest VLAN.

    [edit]
    user@host# top
    [edit]
    user@host# set protocols dot1x authenticator interface all guest-vlan visitor-vlan
  3. Check the configuration.

    [edit]
    user@host> show configuration
    protocols {
        dot1x {
            authenticator {
                interface {
                    all {
                        guest-vlan {
                            visitor-vlan;
                        }
                    }
                }
            }
        }
    }
    vlans {
        visitor-vlan {
            vlan-id 300;
        }
    }
  4. If you are finished configuring the VLAN, commit the configuration.