Security Policy Configuration Page Options

  1. Select Configure>Security>Security Policy in the J-Web user interface.

    The Security Policy configuration page appears. Table 55 explains the contents of this page.

  2. Click one:
    • Global Options—Configures global options for the firewall policy. Enter information as specified in Table 56.
    • Add—Adds a new firewall or global policy configuration. Enter information as specified in Table 57.
    • Add Before—Adds a new firewall or global policy configuration before the selected policy. Enter information as specified in Table 57.

      The new policy has the same zone or global settings as the selected policy. The settings cannot be changed.

    • Add After—Adds a new firewall or global policy configuration after the selected policy. Enter information as specified in Table 57.

      The new policy has the same zone or global settings as the selected policy. The settings cannot be changed.

    • Edit—Edits the selected firewall policy configuration. Enter information as specified in Table 57.
    • Delete—Deletes the selected firewall policy configuration.
    • Clone—Clones or copies the selected firewall policy configuration. Enter information as specified in Table 57.
    • Deactivate—Deactivates the selected security policy.
    • Move—Organizes records. Select a policy and choose Move up, Move down, Move to top, Move to bottom, or Move to, to reposition the policy.

      With the Move to option, you can drag and drop a policy to a different location on the same page. You can also move a policy to another page.

    • Launch Wizard—Launches the Security Firewall Policy wizard.

      The Launch Wizard option is not supported on high-end SRX Series devices.

  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 55: Firewall Policy Configuration Page

Field

Function

Filter

Displays the grouped policies by common zone context (the from and to zones of each policy) to control the volume of data displayed at one time. By default, the Security Policy page displays all policies in the first From Zone and To Zone in the filter lists. To change the policies listed, select the desired from zone and to zone, and click Filter.

Show Global Policy

Displays the defined global policies. Unlike other security policies, global policies do not reference specific source and destination zones. If you select Show Global Policy to display policies, only global policies are displayed and the columns From Zone and To Zone are left blank (-). If you select All for From Zone and To Zone, global policies are shown after all normal policies.

From Zone

Displays the source zone for the policy.

To Zone

Displays the destination zone for the policy.

Name

Displays the name of the security policy.

Source Address

Displays the name of the source address or address set for the policy.

Destination Address

Displays the name of the destination address or address set for the policy.

Source Identity

Displays the name of the source identities set for the policy.

Application

Displays the name of an application or application set to which the policy applies.

Dynamic Application

Action

Displays the actions that need to take place on the traffic as it passes through the firewall.

NW Services

Displays the network services settings (IDP, UTM, and WX) for the policy.

Log/Count

Displays the logging requirements for the policy.

Description

Displays a description of the policy.

Table 56: Global Options Firewall Policy Configuration Details

Field Function Action
Policy Options

Default policy action

Specifies that specific protocol actions are overridden. This action is also nonterminating. The options available are:

  • permit-all
  • deny-all

Note: Configuring policy options without specifying the policy term names is not supported.

Select a value from the list.

Policy rematch

Specifies that a policy that has just been modified is added to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues.

Select the check box.

Flow - Main

Early ageout

Specifies the amount of time before the device aggressively ages out a session from its session table.

Enter a value from 1 through 65,535 seconds. The default value is 20 seconds.

High watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process begins.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Low watermark

Specifies the percentage of session table capacity at which the aggressive aging-out process ends.

Enter a value from 0 through 100 percent. The default value is 100 percent.

Allow DNS reply

Specifies that an incoming DNS reply packet without a matched request is allowed.

Select the check box.

Enhanced routing mode

Enables the CLI command for enhanced routing mode in devices.

Note: If you attempt to configure enhanced route scaling when Advanced Services is enabled, the following error message appears: Enhanced routing mode cannot be configured with Advanced Services (UTM and IDP) licenses present. Please remove the licenses before configuring enhanced routing mode.

Select the check box.

Route change to nonexistent route timeout

Specifies the session timeout value on a route change to a nonexistent route.

Enter a value from 6 through 1800 seconds.

Enable SYN cookie protection

Enables SYN cookie defenses against SYN attacks.

Select the check box.

Enable SYN proxy protection

Enables SYN proxy defenses against SYN attacks.

Select the check box.

Flow - TCP MSS

Enable MSS override for all packets

Enables maximum segment size override for all TCP packets for network traffic.

Select the check box.

Enter a maximum segment size value from 64 through 65,535.

Enable MSS override for all GRE packets coming out of an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets exiting an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all GRE packets entering an IPsec tunnel

Enables maximum segment size override for all generic routing encapsulation packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Enable MSS override for all packets entering an IPsec tunnel

Enables maximum segment size override for all packets entering an IPsec tunnel.

Select the check box.

Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes.

Flow - TCP Session

Disable sequence-number checking

Disables checking of sequence numbers in TCP segments during stateful inspections. By default, the device monitors the sequence numbers in TCP segments.

Select the check box.

Strict SYN-flag check

Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled.

Select the check box.

Disable SYN-flag check

Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet.

Select the check box.

Disable SYN-flag check (tunnel packets)

Disables the first packet check for the SYN flag when forming a TCP flow session.

Select the check box.

RST invalidate session

Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.

Select the check box.

RST sequence check

Specifies that the TCP sequence number in a segment with the RST bit set is checked. The sequence number must match the previous sequence number for a packet in that session or be the next higher number.

Select the check box.

TCP Initial Timeout

Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.

Select the check box.
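The Early ageout, High watermark and Low watermark rows above define aggressive session aging, but the table does not show how the three values interact. The following Python model is an added example, not Junos code; its eviction rule is an assumption (once utilization reaches the high watermark, sessions idle for at least the early-ageout time are evicted, oldest first, until utilization falls to the low watermark), and it also enforces the value ranges the table gives.

```python
"""Session-table aggressive aging with high/low watermarks.

Added example, not Junos code: it models the Early ageout, High
watermark and Low watermark options from the Flow - Main rows above.
The eviction rule is an assumption of this model: once utilization
reaches the high watermark, sessions idle for at least `early_ageout`
seconds are evicted (oldest first) until utilization drops to the low
watermark; outside that state only sessions past their normal timeout
are removed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    last_seen: float          # seconds on a monotonic clock
    timeout: float = 1800.0   # normal TCP session timeout (30 minutes, per the RST invalidate session row)


@dataclass
class FlowOptions:
    early_ageout: int = 20      # 1..65535 seconds, default 20
    high_watermark: int = 100   # 0..100 percent, default 100
    low_watermark: int = 100    # 0..100 percent, default 100

    def validate(self) -> None:
        if not 1 <= self.early_ageout <= 65535:
            raise ValueError("early ageout must be 1..65535 seconds")
        for name in ("high_watermark", "low_watermark"):
            if not 0 <= getattr(self, name) <= 100:
                raise ValueError(f"{name} must be 0..100 percent")
        if self.low_watermark > self.high_watermark:
            raise ValueError("low watermark must not exceed high watermark")


class SessionTable:
    def __init__(self, capacity: int, opts: FlowOptions):
        opts.validate()
        self.capacity = capacity
        self.opts = opts
        self.sessions: dict = {}
        self.aggressive = False   # hysteresis state: set at high, cleared at low

    def utilization(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, sess: Session) -> bool:
        if len(self.sessions) >= self.capacity:
            return False          # table full: new flow cannot be installed
        self.sessions[sess.sid] = sess
        return True

    def age(self, now: float) -> list:
        """Run one aging pass at time `now`; return the ids of evicted sessions."""
        if self.utilization() >= self.opts.high_watermark:
            self.aggressive = True
        evicted = []
        # Normal aging: sessions idle past their own timeout always go.
        for sid, s in list(self.sessions.items()):
            if now - s.last_seen >= s.timeout:
                evicted.append(sid)
                del self.sessions[sid]
        # Aggressive aging: idle >= early_ageout, oldest first, until the low
        # watermark. With the 100/100 defaults this loop stops immediately,
        # so in this model early ageout only matters once the watermarks are lowered.
        if self.aggressive:
            for s in sorted(self.sessions.values(), key=lambda x: x.last_seen):
                if self.utilization() <= self.opts.low_watermark:
                    break
                if now - s.last_seen >= self.opts.early_ageout:
                    evicted.append(s.sid)
                    del self.sessions[s.sid]
            if self.utilization() <= self.opts.low_watermark:
                self.aggressive = False
        return evicted
```

With a capacity of 10, watermarks of 80/60 and the default 20-second early ageout, eight sessions push the table into aggressive mode; a pass at t=30 evicts the two sessions idle longest and then stops at 60 percent, which is the hysteresis the two watermarks provide.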
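The Flow - TCP MSS rows above configure an MSS override (64 through 65,535 bytes, default 1320 for the GRE and IPsec cases) but do not show what the device actually does to a packet. The following Python example is added here and is not Junos code: it parses the TCP options of a SYN segment, caps the advertised MSS at the configured override, and repairs the TCP checksum incrementally (RFC 1624), which works without knowing the IP pseudo-header. The sample SYN is constructed, and its stored checksum covers only the TCP header.

```python
"""TCP MSS override, as in the Flow - TCP MSS rows above.

Added example, not Junos code. It rewrites the MSS option of a TCP SYN
segment so the advertised value never exceeds the configured override
and repairs the TCP checksum incrementally (RFC 1624 eq. 3), which is
independent of the IP pseudo-header. build_syn() constructs the sample
input; its checksum covers the TCP header only (constructed example).
"""
import struct

MSS_MIN, MSS_MAX = 64, 65535      # range given in the table
MSS_DEFAULT_IPSEC = 1320          # default for the GRE/IPsec rows


def validate_mss(value: int) -> int:
    if not MSS_MIN <= value <= MSS_MAX:
        raise ValueError(f"MSS override must be {MSS_MIN}..{MSS_MAX} bytes")
    return value


def _add16(a: int, b: int) -> int:
    """One's-complement 16-bit addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _words(buf: bytes) -> tuple:
    if len(buf) % 2:
        buf += b"\x00"
    return struct.unpack(f"!{len(buf) // 2}H", buf)


def checksum(buf: bytes) -> int:
    """Internet checksum computed from scratch (used to build and verify)."""
    total = 0
    for w in _words(buf):
        total = _add16(total, w)
    return (~total) & 0xFFFF


def stored_checksum(segment: bytes) -> int:
    return struct.unpack_from("!H", segment, 16)[0]


def update_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied per changed word."""
    c = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        c = _add16(c, (~m) & 0xFFFF)
        c = _add16(c, m_new)
    return (~c) & 0xFFFF


def find_mss_option(segment: bytes):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= data_offset:      # truncated option header
            break
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            break                     # malformed length: stop parsing
        if kind == 2 and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None


def clamp_mss(segment: bytes, mss_override: int):
    """Return (segment, mss) with the MSS option capped at mss_override."""
    validate_mss(mss_override)
    found = find_mss_option(segment)
    if found is None:
        return segment, None          # no MSS option: nothing to override
    off, current = found
    if current <= mss_override:
        return segment, current       # already within the limit
    new = bytearray(segment)
    struct.pack_into("!H", new, off, mss_override)
    # Only words that changed feed the incremental checksum update.
    changed = [(a, b) for a, b in zip(_words(segment), _words(bytes(new))) if a != b]
    new_csum = update_checksum(stored_checksum(segment),
                               [a for a, _ in changed], [b for _, b in changed])
    struct.pack_into("!H", new, 16, new_csum)
    return bytes(new), mss_override


def build_syn(mss: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed TCP SYN carrying MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, checksum(bytes(seg)))
    return bytes(seg)
```

A SYN advertising 1460 comes out advertising 1320 with a checksum that matches a from-scratch recomputation; a SYN already at or below the override is returned untouched, and an override outside 64 through 65,535 is refused.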

Table 57: Add Firewall Policy Configuration Details

Field Function Action
Policy

Policy Name

Specifies the name of the security policy.

Enter a name for the new policy.

Policy Action

Specifies the action taken when traffic matches the criteria. Available options are:

  • Permit
  • Deny
  • Reject

Select an option.

Permit—Allow the packet to pass through the firewall. (Adds Permit Action, Application Services, and Application QoS tabs to the page.)

Deny—Block and drop the packet, but do not send a notification back to the source.

Reject—Block and drop the packet and send a notice to the source host.

  • For TCP traffic—Sends TCP RST.
  • For UDP traffic—Sends ICMP destination unreachable, port unreachable message (type 3, code 3).
  • For TCP and UDP traffic—Specifies action denied.

Policy Description

Specifies a description for the security policy.

Enter a description for the security policy.

From Zone

Specifies the source zone to be used as match criteria for the policy.

Select a value from the list.

To Zone

Specifies the destination zone to be used as match criteria for the policy.

Select a value from the list.

Global Policy

Specifies that the policy defined is a global policy and zones are not required.

Source Address

Specifies source addresses to be used as match criteria for the policy.

Add or remove source addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the Ctrl key to select more than one item.)
  • Click the Right Arrow or Left Arrow key to move the selections to the opposite list.

To add a new address, click Add new Source Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

To exclude source addresses from the policy, select the exclude Matched addresses check box.

The following addresses cannot be excluded from the policy:

  • Wildcard
  • IPv6
  • any
  • any-ipv4
  • any-ipv6
  • 0.0.0.0

Destination Address

Specifies destination addresses to be used as match criteria for the policy.

Add or remove destination addresses to be used for match criteria:

  • Select addresses or address sets in one list. (Use the Ctrl key to select more than one item.)
  • Click the Right Arrow or Left Arrow key to move the selections to the opposite list.

To add a new address, click Add new Destination Address, enter the new name and address, and click Add.

Do not use the following reserved prefixes:

  • static_nat_
  • incoming_nat_
  • junos_

To exclude destination addresses from the policy, select the exclude Matched addresses check box.

The following addresses cannot be excluded from the policy:

  • Wildcard
  • IPv6
  • any
  • any-ipv4
  • any-ipv6
  • 0.0.0.0

Source Identity

Specifies the predefined or custom source identities to be used as match criteria for the policy.

Add or remove source identity types to be used for the match criteria:

  • Select user type in one list. (Use the Ctrl key to select more than one item.)
  • Click the Right Arrow to move the selections to the opposite list.

    To load more source identity types, click Load More.

    To add a new user type, enter the new name in the box provided next to the Add button and click Add.

    To delete a selected user type, select the user type and click Delete.

    Enter the filter criteria for the source identities to be listed.

Application

Specifies the predefined or custom application signatures to be used as match criteria for the policy.

  • Application/Groups
  • Selected

Add or remove applications to be used for match criteria:

  • Select applications/groups in one list. (Use the Ctrl key to select more than one item.)
  • Click the Right Arrow or Left Arrow key to move the selections to the opposite list.

Search

Specifies the search criteria for the policy.

Enter the search criteria of the policy.

Logging/Count

Enable Count

Specifies statistical counts and triggers alarms whenever traffic exceeds specified packet and byte thresholds. When this count is enabled, statistics are collected for the number of packets, bytes, and sessions that pass through the firewall with this policy.

Select the check box.

Note: Alarm threshold fields are disabled if Enable Count is not enabled.

Per Minute Alarm Threshold

Specifies the byte threshold for the per-minute alarm.

Enter a value from 0 through 4,294,967,295 KB.

Per Second Alarm Threshold

Specifies the byte threshold for the per-second alarm.

Enter a value from 0 through 4,294,967,295 KB.

Log at Session Close Time

Specifies that an event is logged when the session closes.

Select the check box.

Log at Session Init Time

Specifies that an event is logged when the session is created.

Select the check box.

Scheduling

Scheduler Name

Specifies the scheduler that defines the time the policy will be activated.

Select the scheduler from the list.

Permit Action

IPsec VPN

Specifies the IPsec VPN tunnel.

Enter the IPsec VPN tunnel.

Pair Policy Name

Specifies the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy.

Enter the name of the policy that specifies the criteria for the opposite tunnel direction.

NAT Translation

Enables NAT translation.

Options

Specifies the appropriate NAT translation feature. The options available are:

  • None
  • Drop packets with translated address
  • Drop packets without translated address

Select an option.

Firewall Authentication: Type

Specifies the type of authentication used for the firewall. The options available are:

  • None
  • Pass-through
  • User-firewall
  • Web-authentication

Select a firewall authentication type from the list.

Firewall Authentication: Access Profile

Specifies the profile used to verify traffic as it attempts to pass through the firewall.

Select an access profile from the list.

Firewall Authentication: SSL-T Profile

Specifies the SSL termination profile used for the pass-through authentication.

Select the SSL termination profile from the list.

Note: The SSL termination profile is supported only on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Firewall Authentication: Client name

Specifies the client name for the pass-through authentication.

Enter the client name.

Firewall Authentication: Web Redirect

Specifies that pass-through traffic is redirected for Web authentication.

Enable or disable redirection for Web authentication.

Services offload: Services offload

Enables services offloading.

Select or clear the check box to enable or disable services offloading.

Note: If the services-offload license is not installed on the device, a warning message is displayed during commit.

Application Services

IDP: Enable IDP

Enables IDP for this policy.

Select the check box.

UAC Policy

Enables UAC enforcement for this policy.

Select the check box.

UAC Policy: Captive portal policy

Specifies a captive portal policy to redirect the traffic to IC for authentication.

Select an option.

Redirect: Options

Specifies the type of redirection. The options available are:

  • Redirect-wx
  • Reverse Redirect-wx

Select an option.

UTM Policy

Specifies the UTM policy to be associated with this policy.

Select an option from the list.

Application Firewall: Rule Set

Specifies the rule set for the application firewall.

Select a rule set name.

Application QoS

Select existing rule set

Use an existing rule set.

Click Select existing rule set to activate the list of existing rule sets for selection.

Rule set

Lists all existing AppQoS rule sets.

Select the desired rule set for the policy. The rules in the rule set are displayed in the Application in rule-set pane.

Delete selected rule set

Delete the AppQoS rule set displayed in the Rule set list.

To remove an AppQoS rule set from the list, select the rule set and click Delete selected rule set.

Note: To remove the rule set for an existing policy, select the blank entry in the rule set list and click Select existing rule set.

Create new rule set

Create an AppQoS rule set for the policy.

To create an AppQoS rule set for this policy, click Create new rule set.

Rule set name

The name of the new AppQoS rule set.

Enter a name for the policy’s AppQoS rule set.

Application in rule-set

The existing rules for the specified AppQoS rule set. This display includes each new rule as it is created for the rule set.

To modify a rule in the Application in rule-set pane, do one of the following:

  • Add—Add a new rule to a new or existing AppQoS rule set.
  • Edit—Edit the selected rule in the displayed AppQoS rule set.
  • Delete—Delete the selected rule in the displayed AppQoS rule set.

Enter information as specified in Table 58.

Match app-signature

The application signatures defined as match criteria for each rule.

Forwarding class

A keyword that groups matching packets with similar transmission priorities and that identifies any re-marking done by the AppQoS rewriter. A rewriter honors an existing DSCP value and does not overwrite it based on a packet’s forwarding class. IDP forwarding classes have priority over AppQoS forwarding classes, which have priority over firewall forwarding classes.

Loss priority

Value that determines the likelihood that a packet would be dropped when congestion is encountered. Possible values are high, medium-high, medium-low, and low. A high loss priority means that there is an 80% chance of packet loss due to congestion. A low loss priority means that there is a 20% chance of packet loss due to congestion.

DSCP

The DSCP alias or bit map that establishes the matching packet’s output priority.

S2C rate limiter (bandwidth, burst)

The maximum limits for bandwidth and burst to be applied to matching server-to-client traffic.

C2S rate limiter (bandwidth, burst)

The maximum limits for bandwidth and burst to be applied to matching client-to-server traffic.

Log

Identifies whether AppQoS matching details are being logged.

Table 58: Add Rule Configuration Details

Field Function Action
Application Signature

Available application signatures

Displays the applications available on your device.

To include an application in the match criteria for the rule:

  • Select one or more applications in the Available application signatures list. (Use the Ctrl key to select more than one item.)
  • Click the right arrow to move the selections to the Matched list.

Matched

Displays the applications selected as match criteria for the rule.

To delete applications from the match criteria for the rule:

  • Select one or more applications in the Matched list. (Use the Ctrl key to select more than one item.)
  • Click the left arrow to return the selections to the Available application signature list.

Search

Redisplays the Available application signature list with the specified application at the top.

Enter an application name to position it at the top of the Available application signature list.

Available group app-signatures

Displays the application groups available on your device.

To add application groups to the match criteria for the rule:

  • Select one or more application groups in the Available group app-signatures list. (Use the Ctrl key to select more than one item.)
  • Click the right arrow to move the selections to the Matched list.

Matched

Displays the application groups selected as match criteria for the rule.

To delete application groups from the match criteria for the rule:

  • Select one or more application groups in the Matched list. (Use the Ctrl key to select more than one item.)
  • Click the left arrow to return the selections to the Available group app-signatures list.

Search

Redisplays the Available group app-signatures list with the specified application group at the top.

Enter an application group name to position it at the top of the Available group app-signatures list.

Traffic Control

Code point

The rule’s DSCP alias or bit map. The rewriter re-marks the DSCP field of a matching packet with this value if AppQoS has priority over a prior rewriter’s entry.

Enter one of the following aliases or bit mappings for this rule:

  • Expedited Forwarding—ef or 101110
  • Assured Forwarding—af11 or 001010
  • Assured Forwarding—af12 or 001100
  • Assured Forwarding—af13 or 001110
  • Assured Forwarding—af21 or 010010
  • Assured Forwarding—af22 or 010100
  • Assured Forwarding—af23 or 010110
  • Assured Forwarding—af31 or 011010
  • Assured Forwarding—af32 or 011100
  • Assured Forwarding—af33 or 011110
  • Assured Forwarding—af41 or 100010
  • Assured Forwarding—af42 or 100100
  • Assured Forwarding—af43 or 100110
  • Best Effort—be or 000001
  • cs1 or 001000
  • cs2 or 010000
  • cs3 or 011000
  • cs4 or 100000
  • cs5 or 101000
  • Network Control—nc1, cs6, or 110000
  • Network Control—nc2, cs7, or 111000

Loss priority

Value that determines the likelihood that a matching packet will be dropped when congestion is encountered. A high loss priority means that there is an 80% chance of packet loss in congestion.

Enter one of the following values:

  • High
  • Medium-high
  • Medium-low
  • Low

Forwarding class

Keyword associated with AppQoS that identifies the output queue for a matching packet.

Because you define unique forwarding classes for AppQoS, the keyword identifies both the queue assignment and the rewriter that marked the DSCP value. In this way, other rewriters can honor DSCP values set by a higher priority rewriter and will not overwrite them. IDP forwarding classes have priority over AppQoS forwarding classes, which have priority over firewall forwarding classes.

Enter the appropriate AppQoS forwarding class for the rule. To define an AppQoS forwarding class, select Configure>Class of Service>Forwarding Class.

Enable log

Determines that logging is enabled.

Click to log AppQoS rule matches and associated actions.

Rate limiter

Maximum transfer rates for traffic from the client to the server or from the server to the client.

Click to display or set rate limiting specifications for the Client to server or Server to client directions.

Select existing rate limiter

Displays rate limiters already defined for this rule set. A rate limiter can be used for more than one rule within the same rule set.

Choose from the existing rate limiter list.

Delete selected rate limiter

Deletes the selected rate limiter.

Choose the rate limiter to delete, and click Delete selected rate limiter.

Note: Deleting a rate limiter from this list also deletes it from any other rule where it is specified.

Create new rate limiter

Expands to provide bandwidth and burst size limits for this rule.

Click to enter the rate limiting specifications.

Note: This rate limiter will be named automatically. The name is a combination of rule set and rule names, and it will be included in the rate limiter list.

Bandwidth limit

Determines the maximum transmission rate in Mbps.

Enter the maximum bandwidth in Mbps.

Burst size limit

Determines the maximum MB that can be transmitted in a single burst or transmission.

Enter the maximum burst size in MB.
