
Understanding a Security Flow Policy on a Device Running Junos OS

Security Flow Policy on a Device Running Junos OS Overview

You can define a security flow policy on a device running Junos OS to inspect and process network packets. Each policy can be given a permit, deny, or log action. Every policy is associated with a pair of security zones, and each zone is bound to distinct network interfaces.

The following modes can be defined for a security flow policy to determine how a device directs traffic:

  • Bypass—The Permit option directs the traffic traversing the device through the stateful firewall inspection, but not through the IPsec VPN tunnel.

  • Discard—The Deny option inspects and drops all packets that do not match any Permit policies.

  • Protect—The traffic is routed through an IPsec tunnel based on the combination of route lookup and Permit policy inspection.

  • Log—This option logs traffic and session information for all the modes mentioned above.

The following sections describe how to configure a security policy for each of these modes:

Configuring a Security Flow Policy in Firewall Bypass Mode

To configure a security flow policy for firewall bypass mode:

  • Configure the security policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-ssh is an example of a Junos OS default predefined application that can be configured in a security policy instead of the any option in the above example, so that the policy matches only SSH traffic.
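The following set-format configuration is an added example and is not the page's own configuration. It reuses the page's preconfigured names (trustZone, untrustZone, trustLan, untrustLan, junos-ssh); the policy name allowSsh and the assumption that a syslog destination for security events already exists are mine. It can be pasted into configuration mode with load set terminal, or entered line by line with set.

```junos
# Added example, not from the page. Assumes trustZone/untrustZone and the
# address-book entries trustLan/untrustLan already exist. Policy name allowSsh is assumed.

# Bypass mode: permit matching traffic through stateful inspection (no IPsec tunnel).
set security policies from-zone trustZone to-zone untrustZone policy allowSsh match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy allowSsh match destination-address untrustLan
# junos-ssh restricts the match to SSH; using "application any" would permit every protocol.
set security policies from-zone trustZone to-zone untrustZone policy allowSsh match application junos-ssh
set security policies from-zone trustZone to-zone untrustZone policy allowSsh then permit

# Log both session creation and teardown so the session duration and byte counts
# reach the security log (assumes a syslog stream for security events is configured).
set security policies from-zone trustZone to-zone untrustZone policy allowSsh then log session-init
set security policies from-zone trustZone to-zone untrustZone policy allowSsh then log session-close

# Validate syntax before activating, then commit.
commit check
commit

# Verification from operational mode:
#   show security policies from-zone trustZone to-zone untrustZone detail
#   show security policies hit-count
#   show security flow session destination-port 22
```

The hit-count and flow-session checks confirm that live SSH sessions are being matched by allowSsh rather than by a broader policy earlier in the list; Junos evaluates policies in a zone pair top-down and applies the first match.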

Configuring a Security Policy in Firewall Discard Mode

To configure a security flow policy for firewall discard mode:

  • Configure the security policies.

    Note:

    Here, trustZone and untrustZone are the preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-telnet is an example of a Junos OS default predefined application that can be configured in a security policy so that the policy matches only Telnet traffic.
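Because the discard mode drops packets that match no permit policy, the deny policy and the zone-pair default policy must sit after any permit policies. The configuration below is an added example, not the page's own; it reuses the page's names (trustZone, untrustZone, trustLan, untrustLan, junos-telnet) and assumes the policy names allowSsh and denyTelnet.

```junos
# Added example, not from the page. Assumes an existing permit policy named allowSsh
# in the same zone pair; policy name denyTelnet is assumed.

# Discard mode: explicitly deny Telnet from the trusted LAN and log each attempt.
set security policies from-zone trustZone to-zone untrustZone policy denyTelnet match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy denyTelnet match destination-address untrustLan
set security policies from-zone trustZone to-zone untrustZone policy denyTelnet match application junos-telnet
set security policies from-zone trustZone to-zone untrustZone policy denyTelnet then deny
# A denied flow never creates a session, so only session-init is meaningful here.
set security policies from-zone trustZone to-zone untrustZone policy denyTelnet then log session-init

# Policies are evaluated top-down, first match wins: place the deny after the permit
# policies so it does not shadow them.
insert security policies from-zone trustZone to-zone untrustZone policy denyTelnet after policy allowSsh

# Anything not matched by an explicit policy is dropped (this is also the factory default).
set security policies default-policy deny-all

commit check
commit

# Verification from operational mode:
#   show security policies from-zone trustZone to-zone untrustZone
#   show security policies hit-count
```

The show security policies output lists the policies in evaluation order; if denyTelnet appears above allowSsh, the insert command was not applied and the deny would be matched first for any traffic it covers.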

Configuring a Security Flow Policy in IPsec Protect Mode

To configure a security flow policy for IPsec protect mode:

  1. Configure the VPN.

    Note:

    Here, gw1 and ipsec-policy1 are preconfigured IKE and IPsec policies.

  2. Configure the security policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
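For the protect mode, the policy's permit action references an IPsec VPN object that ties together the preconfigured IKE gateway and IPsec policy. The configuration below is an added example, not the page's own; it reuses gw1, ipsec-policy1, trustZone, untrustZone, trustLan and untrustLan from the page, and the VPN name vpn1 and policy names vpnOut/vpnIn are assumptions.

```junos
# Added example, not from the page. Assumes gw1 (IKE gateway) and ipsec-policy1
# (IPsec policy) are already configured; vpn1, vpnOut and vpnIn are assumed names.

# Step 1: define the VPN object used by policy-based IPsec.
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1

# Step 2: outbound policy. The tunnel keyword sends matching traffic into vpn1
# after it passes stateful inspection.
set security policies from-zone trustZone to-zone untrustZone policy vpnOut match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy vpnOut match destination-address untrustLan
set security policies from-zone trustZone to-zone untrustZone policy vpnOut match application any
set security policies from-zone trustZone to-zone untrustZone policy vpnOut then permit tunnel ipsec-vpn vpn1
set security policies from-zone trustZone to-zone untrustZone policy vpnOut then log session-init
set security policies from-zone trustZone to-zone untrustZone policy vpnOut then log session-close

# Return-direction policy, paired with vpnOut so both directions use the same tunnel.
set security policies from-zone untrustZone to-zone trustZone policy vpnIn match source-address untrustLan
set security policies from-zone untrustZone to-zone trustZone policy vpnIn match destination-address trustLan
set security policies from-zone untrustZone to-zone trustZone policy vpnIn match application any
set security policies from-zone untrustZone to-zone trustZone policy vpnIn then permit tunnel ipsec-vpn vpn1 pair-policy vpnOut
set security policies from-zone trustZone to-zone untrustZone policy vpnOut then permit tunnel ipsec-vpn vpn1 pair-policy vpnIn

commit check
commit

# Verification from operational mode:
#   show security ike security-associations
#   show security ipsec security-associations
#   show security ipsec statistics
```

Traffic matched by vpnOut should appear as encrypted packets in show security ipsec statistics; if the IKE or IPsec SA is absent, the policy still matches but the flow is held until the tunnel is established, so check the SA output first when troubleshooting.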

For more information on stateful session behavior, see Traffic Processing on SRX Series Devices Overview.

For more information on how to configure known good and bad lists, see Configuring Security Policies.

For more information on scheduling security policies, see Scheduling Security Policies and Policer Implementation Overview.