Firewall Policies Configuration Page Options

  1. Select Configure>Security>Policy>Apply Policy.

    The Security Policy configuration page appears. Table 47 explains the contents of this page.

  2. Click one of the following:
    • Global Options—Configures global options for the firewall policy. Enter information as specified in Table 48.
    • Add—Adds a new firewall policy configuration. Enter information as specified in Table 49.
    • Edit—Edits the selected firewall policy configuration. Enter information as specified in Table 49.
    • Delete—Deletes the selected firewall policy configuration.
    • Clone—Clones or copies the selected firewall policy configuration. Enter information as specified in Table 49.
    • Deactivate—Deactivates the selected security policy.
    • Move—Organizes records. Select a policy and choose Move up, Move down, Move to top, or Move to bottom to reposition the policy.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 47: Firewall Policy Configuration Page

Field

Function

Filter

Displays the grouped policies by common zone context (the from and to zones of each policy) to control the volume of data displayed at one time. By default, the Security Policy page displays all policies in the first From Zone and To Zone in the filter lists. To change the policies listed, select the desired From Zone and To Zone, and click Filter.

From Zone

Displays the source zone for the policy.

To Zone

Displays the destination zone for the policy.

Name

Displays the name of the security policy.

Source Address

Displays the name of the source address or address set for the policy.

Destination Address

Displays the name of the destination address or address set for the policy.

Application

Displays the name of an application or application set to which the policy applies.

Action

Displays the actions that need to take place on the traffic as it passes through the firewall.

App Services

Displays the IDP, UTM, and WX settings for the policy.

Log/Count

Displays the logging requirements for the policy.

Table 48: Global Options Firewall Policy Configuration Details

Field / Function / Action

Policy Options

Default policy action

Specifies that specific protocol actions are overridden. This action is also nonterminating. The options available are:

  • permit-all
  • deny-all

Select a value from the list.

Policy rematch

Specifies that a policy that has just been modified is added to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Select the check box.
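The ordered first-match lookup within a zone context, the Move action from step 2, and the Policy rematch behaviour described above, modelled as an added example (not J-Web or Junos code); the zone, address, application and policy names are constructed for illustration:

```python
# Added example (not J-Web or Junos code): a model of ordered first-match policy
# lookup in a zone context, the Move to top action, and Policy rematch.
# The policy and session data below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    ctx: tuple        # (From Zone, To Zone)
    src: set          # address or address-set names; "any" matches everything
    dst: set
    apps: set
    action: str       # permit | deny | reject

@dataclass
class Session:
    ctx: tuple        # (From Zone, To Zone)
    src: str
    dst: str
    app: str
    policy: str       # name of the policy that created the session

def _matches(value, names):
    return "any" in names or value in names

def lookup(policies, s):
    """First matching policy in the session's zone context (None: Default policy action applies)."""
    for p in policies:
        if (p.ctx == s.ctx and _matches(s.src, p.src)
                and _matches(s.dst, p.dst) and _matches(s.app, p.apps)):
            return p
    return None

def move_to_top(policies, name):
    """The Move > Move to top action: policy order decides which policy wins."""
    p = next(x for x in policies if x.name == name)
    return [p] + [x for x in policies if x is not p]

def rematch(policies, sessions):
    """Policy rematch: re-run the lookup for every session and drop any session
    whose lookup now yields a different policy (or no policy at all)."""
    kept = [s for s in sessions if (p := lookup(policies, s)) and p.name == s.policy]
    return kept, [s for s in sessions if s not in kept]

def example():
    ctx = ("trust", "untrust")
    web = Policy("allow-web", ctx, {"any"}, {"any"}, {"junos-http"}, "permit")
    block = Policy("block-host1", ctx, {"host1"}, {"any"}, {"any"}, "deny")
    sessions = [Session(ctx, h, "srv1", "junos-http", "allow-web")
                for h in ("host1", "host2")]       # created while allow-web matched first
    policies = move_to_top([web, block], "block-host1")   # block-host1 no longer shadowed
    return rematch(policies, sessions)
```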

Flow - Main

Early ageout

Specifies the amount of time before the device aggressively ages out a session from its session table.

Enter a value from 1 through 65,535 seconds. The default value is 20 seconds.

High watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process begins.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Low watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process ends.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Allow DNS reply

Specifies that an incoming DNS reply packet without a matched request is allowed.

Select the check box.

Route change to nonexistent route timeout

Specifies the session timeout value on a route change to a nonexistent route.

Enter a value from 6 through 1800 seconds.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

Select the check box.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Select the check box.
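How the Early ageout, High watermark and Low watermark settings from the Flow - Main group work together, as an added model (not Junos code); the table capacity, timeouts and session data are constructed values:

```python
# Added example (not Junos code): a model of how Early ageout, High watermark
# and Low watermark interact. Normal idle timeouts apply until the session
# table reaches the high watermark; from then on any session idle longer than
# the early-ageout value is removed, until utilization falls to the low
# watermark. Capacity, timeouts and sessions below are constructed values.
from dataclasses import dataclass

@dataclass
class Sess:
    sid: int
    last_seen: int      # time of last packet, in seconds
    timeout: int        # normal idle timeout, e.g. 1800 s for TCP

class SessionTable:
    def __init__(self, capacity, early_ageout=20, high_wm=100, low_wm=100):
        self.capacity, self.early_ageout = capacity, early_ageout
        self.high_wm, self.low_wm = high_wm, low_wm
        self.sessions = {}
        self.aggressive = False

    def utilization(self):
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, s):
        if len(self.sessions) >= self.capacity:
            return False                      # table full: new session refused
        self.sessions[s.sid] = s
        return True

    def age(self, now):
        """One pass of the ager at time `now`; returns the ids removed."""
        if self.utilization() >= self.high_wm:
            self.aggressive = True            # start aggressive aging
        removed = []
        for s in list(self.sessions.values()):
            limit = min(s.timeout, self.early_ageout) if self.aggressive else s.timeout
            if now - s.last_seen > limit:
                removed.append(s.sid)
                del self.sessions[s.sid]
                if self.aggressive and self.utilization() <= self.low_wm:
                    self.aggressive = False   # stop once the low watermark is reached
        return removed

def example():
    t = SessionTable(capacity=10, early_ageout=20, high_wm=80, low_wm=50)
    for sid in range(1, 9):                   # 8 sessions, all idle since t=0
        t.add(Sess(sid, last_seen=0, timeout=1800))
    first = t.age(now=30)                     # 80% full: early ageout kicks in
    second = t.age(now=30)                    # 50% full: back to normal timeouts
    return first, second, len(t.sessions)
```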

Flow - TCP MSS

Enable MSS override for all packets

Enables maximum segment size override for all TCP packets for network traffic.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes.

Enable MSS override for all GRE packets coming out of an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets exiting an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering an IPsec tunnel

Enables maximum segment size override for all packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Flow - TCP Session

Disable sequence-number checking

Disables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select the check box.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Select the check box.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box.

Disable SYN-flag check (tunnel packets)

Disables the first-packet SYN flag check when forming a TCP flow session for tunnel packets.

Select the check box.

RST invalidate session

Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select the check box.

RST sequence check

Specifies that the TCP sequence number in a TCP segment with the RST bit set is checked. The sequence number must match the previous sequence number for a packet in that session or be the next higher number incrementally.

Select the check box.

TCP Initial Timeout

Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Select the check box.
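The SYN-flag check, Strict SYN-flag check, RST sequence check and RST invalidate session options from the Flow - TCP Session group, modelled as an added example (not Junos code); the option names, session key and packet sequence are constructed for illustration:

```python
# Added example (not Junos code): a model of the Flow - TCP Session checks.
# Each Opts flag stands for one field in the table; the packets in example()
# are constructed to exercise each check in turn.
from dataclasses import dataclass

@dataclass
class Opts:
    syn_check: bool = True             # cleared by "Disable SYN-flag check"
    strict_syn: bool = False           # "Strict SYN-flag check"
    rst_sequence_check: bool = False   # "RST sequence check"
    rst_invalidate_session: bool = False

@dataclass
class Pkt:
    key: tuple       # (src, sport, dst, dport) identifies the session
    flags: set       # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int
    data: int = 0    # payload bytes

class TcpInspector:
    def __init__(self, opts):
        self.opts = opts
        self.sessions = {}   # key -> {"established": bool, "last_seq": int}
    def handle(self, p):
        s = self.sessions.get(p.key)
        if s is None:
            if self.opts.syn_check and "SYN" not in p.flags:
                return "drop: first packet without SYN"
            self.sessions[p.key] = {"established": False, "last_seq": p.seq}
            return "session created"
        if "RST" in p.flags:
            if self.opts.rst_sequence_check and p.seq not in (s["last_seq"], s["last_seq"] + 1):
                return "drop: RST sequence not previous or next"
            if self.opts.rst_invalidate_session:
                del self.sessions[p.key]
                return "session terminated"
            return "RST accepted; normal session timeout applies"
        if p.data and self.opts.strict_syn and not s["established"]:
            return "drop: data before three-way handshake"
        if "ACK" in p.flags and not p.data:
            s["established"] = True   # simplified: a bare ACK completes the handshake
        s["last_seq"] = p.seq
        return "forwarded"

def example():
    insp = TcpInspector(Opts(strict_syn=True, rst_sequence_check=True, rst_invalidate_session=True))
    k = ("10.1.1.10", 40000, "10.2.2.20", 80)   # constructed flow
    pkts = [Pkt(k, {"ACK"}, 100, 10), Pkt(k, {"SYN"}, 100), Pkt(k, {"ACK"}, 101, 10),
            Pkt(k, {"ACK"}, 101), Pkt(k, {"ACK"}, 101, 10), Pkt(k, {"RST"}, 500), Pkt(k, {"RST"}, 102)]
    return [insp.handle(p) for p in pkts]
```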

Table 49: Add Firewall Policy Configuration Details

Field / Function / Action

Policy

Policy Name

Specifies the name of the security policy.

Enter a name for the new policy.

Policy Action

Specifies the action taken when traffic matches the criteria. Available options are:

  • Permit
  • Deny
  • Reject

Select an option.

From Zone

Specifies the source zone to be used as match criteria for the policy.

Select a value from the list.

To Zone

Specifies the destination zone to be used as match criteria for the policy.

Select a value from the list.

Source Address

Specifies source addresses to be used as match criteria for the policy.

Add or remove source addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add new Source Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Destination Address

Specifies destination addresses to be used as match criteria for the policy.

Add or remove destination addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add new Destination Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Application

Specifies the predefined or custom application signatures to be used as match criteria for the policy.

Select the appropriate application signatures.

Search

Specifies the search criteria for the policy.

Enter the search criteria of the policy.

Logging/Count

Enable Count

Specifies statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds. When this count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select the check box.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Per Minute Alarm Threshold

Specifies the byte threshold for the per-minute alarm.

Enter a value from 0 through 4294967295 KB.

Per Second Alarm Threshold

Specifies the byte threshold for the per-second alarm.

Enter a value from 0 through 4294967295 KB.

Log at Session Close Time

Specifies that an event is logged when the session closes.

Select the check box.

Log at Session Init Time

Specifies that an event is logged when the session is created.

Select the check box.

Scheduling

Scheduler Name

Specifies the scheduler that defines the time the policy will be activated.

Select the scheduler from the list.

Table 50: Clone Firewall Policy Configuration Details

Field / Function / Action

Policy

Policy Name

Specifies the name of the security policy.

Enter or modify the policy name.

Policy Action

Specifies the action taken when traffic matches the criteria. The available policy actions are:

  • Permit
  • Deny
  • Reject

Select an action from the list.

  • For TCP traffic—Sends TCP RST.
  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).
  • For TCP and UDP traffic—Specifies action denied.

From Zone

Specifies the source zone to be used as match criteria for the policy.

Modify or enter the From Zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

To Zone

Specifies the destination zone to be used as match criteria for the policy.

Modify or enter the To Zone to be used for match criteria.

You must create the zones for a policy before creating the policy.

Source Address

Specifies source addresses to be used as match criteria for the policy.

Add or remove source addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add new Source Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Destination Address

Specifies destination addresses to be used as match criteria for the policy.

Add or remove destination addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the CTRL key to select more than one item.)
  • Click the right or left arrow key to move the selections to the opposite list.

To add a new address, click Add new Destination Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

Application

Specifies the predefined or custom application signatures to be used as match criteria for the policy.

Select the appropriate application signatures.

Search

Specifies the search criteria for the policy.

Enter the search criteria of the policy.

Logging/Count

Enable Count

Specifies statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds. When this count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select the check box.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Per Minute Alarm Threshold

Specifies the byte threshold for the per-minute alarm.

Modify or enter a value from 0 through 4294967295 KB.

Per Second Alarm Threshold

Specifies the byte threshold for the per-second alarm.

Modify or enter a value from 0 through 4294967295 KB.

Log at Session Close Time

Specifies that an event is logged when the session closes.

Select the check box.

Log at Session Init Time

Specifies that an event is logged when the session is created.

Select the check box.

Scheduling

Scheduler Name

Specifies the scheduler that defines the time the policy will be activated.

Modify or select the scheduler from the list.

Permit Action

VPN

Specifies the IPsec-VPN tunnel.

Enter the IPsec-VPN tunnel.

Pair Policy Name

Specifies the name of the policy with the same IPsec-VPN in the opposite direction to create a pair policy.

Enter the name of the policy that specifies the criteria for the opposite tunnel direction.

Options

Specifies the appropriate NAT translation feature. The options available are:

  • None
  • Drop packets with translated address
  • Drop packets without translated address

Select an option.

Access Profile

Specifies the profile used to verify traffic as it attempts to pass through the firewall.

Select an access profile from the list.

Client name

Specifies the client name for the passthrough.

Enter the client name.

Web Redirect

Specifies that passthrough traffic is redirected for Web authentication.

Enable or disable redirection for Web authentication.

Client name

Specifies the client name for Web authentication.

Enter the Web authentication client.

Application Services

Enable IDP

Enables IDP for this policy.

Select the check box.

Redirect

Specifies the type of redirection. The options available are:

  • Redirect-wx
  • Reverse Redirect-wx

Select an option.

UTM Policy

Specifies the UTM policy to be associated with this policy.

Select an option from the list.
