Add and Deploy Firewall Policies

Note:

For SD-WAN deployments, because Juniper’s SD-WAN devices are tightly integrated with security, you must configure a firewall policy to allow traffic that traverses zones. By default, traffic between one site and another, and traffic from a site to the Internet is not allowed and must be explicitly allowed by using a firewall policy. CSO supports intent-based policies, which makes it simple to configure firewall policies.

To add a firewall policy and then deploy the policy:

  1. Add a firewall policy:
    1. Select Configuration > Firewall > Firewall Policy.

      The Firewall Policy page appears.

    2. Click the Add (+) icon.

      The Add Firewall Policy page appears.

    3. Complete the configuration according to the guidelines provided in Table 1.
      Note:

      Fields marked with an asterisk (*) are mandatory.

    4. Click OK.

      You are returned to the Firewall Policy page. A confirmation message appears when the firewall policy is added.

  2. Add one or more firewall policy intents to the policy:
    1. Click the Firewall-Policy-Name link.

      The Firewall-Policy-Name page appears.

    2. Click the add (+) icon.

      The fields to add an intent are displayed inline.

    3. Complete the configuration according to the guidelines provided in Table 2.
    4. Click Save.

      The intent is saved and a confirmation message is displayed. CSO classifies intents as zone-based and enterprise-based intents. For more information, see Firewall Policy Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

    5. (Optional) Add more intents by following the same procedure.

    After intents are added, you must deploy the policy to ensure that the changes take effect on the applicable sites, departments, or applications. When each firewall policy intent is added, the Undeployed field is incremented by one indicating that intents are pending deployment.

  3. Deploy the firewall policy:
    1. Click the Deploy button.

      The Deploy page appears.

    2. From the Choose Deployment Time field, select:
      • Run now to trigger the deployment of the policy immediately.

      • Schedule at a later time to schedule the deployment for later.

        If you schedule the deployment for later, enter the date (in MM/DD/YYYY format) and time (in HH:MM:SS 24-hour or AM/PM format) that you want the deployment to occur. You specify the time in the local time zone of the client from which you access the CSO GUI.

    You are returned to the Firewall Policy page and a job to deploy the policy is triggered. You can check the status of the deployment on the Jobs page (Monitor > Jobs). When the job completes successfully, it means that the firewall policy was deployed.

Table 1: Add Firewall Policy Settings

Field

Guideline

Name

Enter a unique name for the firewall policy. The name can contain alphanumeric characters, hyphens, and underscores, and cannot exceed 255 characters.

Description

Enter a description for the firewall policy.

All Sites

Click the toggle button to enable the firewall policy to be applied to all sites. By default, a firewall policy is not applied to all sites.

Select Sites

To apply the firewall policy only to specific sites, select the sites from the left column and click the > icon. The sites that you selected are displayed in the right column.

Table 2: Add Firewall Policy Intent Settings

Field

Guideline

[Name]

Enter a name for the policy intent or use the one generated by CSO. The name must start with an alphanumeric character, can contain alphanumeric characters, hyphens, and underscores, and cannot exceed 63 characters.

[Description]

Enter a description for the policy intent.

[Select Schedule]

Policy schedules enable you to define when a policy is active, and thus are an implicit match criterion. Click inside the text box to select a pre-existing schedule or click Add schedule to add a new schedule. For more information on adding schedules, see Creating Schedules in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Logging

Click the toggle button to enable logging. By default, logging is disabled. You can see the logged firewall events in the Firewall Events page (Monitor > Security Events > Firewall).

For more information, see About the Firewall Events Page in the CSO Customer Portal User Guide.

Source

Select one or more of the following source endpoints:

  • IP address or IP address group

  • User

  • Site

  • Site group

  • Department

  • Zone

If you don’t select a source, the default source used is All Sites.

Action

Click the add icon (+) and select the action to take on the traffic between the specified source and destination endpoints:

  • Allow—Permit traffic between the source and the destination.

  • Deny—Silently drop all packets for the session and do not send any active control messages, such as TCP Reset or ICMP unreachable.

  • Reject—Drop the packets and send a TCP reset (for TCP protocol) or an ICMP reset (for UDP, ICMP, or any other IP protocol) message.

    This option is useful when you’re dealing with trusted resources, so that applications don’t have to wait for a timeout but receive an active message.

Destination

Select one or more of the following destination endpoints:

  • IP address or IP address group

  • Site

  • Site group

  • Department

  • Service

  • Application signature or application signature group

  • Zone

If you don’t select a destination, the default destination used is Internet.

Note:

The address endpoint Any refers to any address on the Internet and not to any IP address. So, if you want to enable site-to-site traffic, you must explicitly add intents to allow the traffic. For example, if you want traffic from Site A to Site B to be allowed in both directions (A to B and B to A), you must add 2 intents, one allowing traffic from Site A to Site B and another allowing traffic from Site B to Site A.
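The following is an added example, not CSO code, that models the matching rules described for Source, Destination, Action, and the note above: unmatched traffic is denied, the source defaults to All Sites, the destination defaults to Internet, Any covers Internet addresses but never a site, and a schedule is an implicit match criterion. The site address ranges, the first-match ordering, and the intent names are assumptions made for the example.

```python
"""Toy model of CSO firewall policy intent matching (added example, not CSO code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample site address space (assumption, not from the page).
SITES = {"Site A": ip_network("10.1.0.0/16"), "Site B": ip_network("10.2.0.0/16")}


def site_of(addr: str):
    """Return the site that owns addr, or None for an Internet address."""
    ip = ip_address(addr)
    return next((name for name, net in SITES.items() if ip in net), None)


@dataclass
class Intent:
    name: str
    action: str                                   # Allow | Deny | Reject
    source: set = field(default_factory=lambda: {"All Sites"})   # default source
    destination: set = field(default_factory=lambda: {"Internet"})  # default destination
    active: bool = True                           # schedule: implicit match criterion

    def matches(self, src_site, dst_site):
        if not self.active:                       # outside its schedule: never matches
            return False
        src_ok = "All Sites" in self.source or src_site in self.source
        if dst_site is None:
            # Internet / Any cover non-site addresses only, never another site.
            dst_ok = bool(self.destination & {"Internet", "Any"})
        else:
            dst_ok = dst_site in self.destination
        return src_ok and dst_ok


def evaluate(intents, src_ip, dst_ip):
    """Return the action of the first matching intent (ordering is an assumption);
    traffic between zones that no intent allows is denied by default."""
    src_site, dst_site = site_of(src_ip), site_of(dst_ip)
    if src_site is None:
        return "Deny"                             # model covers site-originated traffic only
    for intent in intents:
        if intent.matches(src_site, dst_site):
            return intent.action
    return "Deny"
```

Running the model shows that an Allow intent with the default endpoints permits site-to-Internet traffic but not Site A to Site B, and that allowing A to B still leaves B to A denied until a second intent is added.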

Advanced Security

Note:

This field is enabled only if you select Allow for the action, or if you select a zone as a source and destination.

  • When you set the action to Allow:

    • You can specify a UTM profile by selecting a profile from the list (under UTM Profiles [UTM]).

      You specify a UTM profile for protection against multiple threat types including spam and malware, and control access to unapproved websites and content.

      You can add a new UTM profile by clicking + in the End Points pane and selecting UTM Profiles. See Add UTM Profiles.

    • You can specify an IPS profile by selecting a profile from the list (under IPS Profiles [IPS]).

      You specify an IPS profile to monitor and prevent intrusions.

  • When you configure a zone as part of the source and the destination, you can specify an SSL proxy profile by selecting a profile from the list (under SSL Profiles [SSLP]).

    You add an SSL proxy profile to ensure the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.

    You can also add a new SSL proxy profile by clicking + in the End Points pane and selecting SSL Proxy Profile. See Add SSL Forward Proxy Profiles.