then (Security Application Firewall)

Syntax

Hierarchy Level

Description

Specify the action to be performed when traffic matches the associated match criteria.

Note that an application firewall is applied after a session has already been created by the security firewall. When traffic is rejected or denied by an application firewall, therefore, logs contain a session open message, a session reject or deny message, and a session close message.

Starting in Junos OS Release 18.2R1, the application firewall (AppFW) functionality is deprecated. As a part of this change, the [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration.

Options

  • deny—Block the traffic at the firewall. The device drops the packet. By default, no message is returned to the sender.

    • block-message—(Optional) In application firewall rules, provide information to the user regarding blocked traffic. Depending on the content of the profile option for this rule set, including the block-message option displays a default message or customized message, or redirects the user for denied HTTP or HTTPS traffic. All other traffic is dropped silently.

  • permit—Permit traffic at the firewall.

  • reject—Block the traffic at the firewall. For TCP traffic, by default the device drops the packet and returns a TCP reset (RST) message to the source host. For UDP and other protocol traffic, by default the device drops the packet and returns an ICMP “destination unreachable, port unreachable” message to both the client and the server.

    • block-message—(Optional) In application firewall rules, provide information to the user regarding blocked traffic. Depending on the content of the profile option for this rule set, including the block-message option displays a default message or customized message, or redirects the user for rejected HTTP or HTTPS traffic. All other traffic is dropped as specified in the default action for the reject option.
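The following rule set shows the three actions above in context; it is an added example, not configuration from this page or from Juniper, and the profile name, rule-set name, rule names, block text, and the dynamic-application names are assumed for illustration. The deny rule drops silently, the reject rule returns a TCP reset plus the block message defined in the profile, and the default rule permits everything else.

```junos
security {
    application-firewall {
        /* Profile referenced by the rule set; supplies the text shown
           to HTTP/HTTPS users when a rule with block-message fires. */
        profile web-block-profile {
            block-message {
                type custom-text {
                    content "Access to this application is blocked by policy.";
                }
            }
        }
        rule-sets block-unwanted-apps {
            /* deny: packet dropped, nothing returned to the sender */
            rule drop-p2p {
                match {
                    dynamic-application junos:BITTORRENT;   /* assumed app name */
                }
                then {
                    deny;
                }
            }
            /* reject with block-message: TCP RST to the source, and HTTP/HTTPS
               clients receive the custom text from web-block-profile */
            rule reject-social {
                match {
                    dynamic-application junos:FACEBOOK-ACCESS;   /* assumed app name */
                }
                then {
                    reject {
                        block-message;
                    }
                }
            }
            /* Traffic matching no rule is permitted */
            default-rule {
                permit;
            }
            profile web-block-profile;
        }
    }
}
```

Because the application firewall acts only after the security policy has created the session, expect a session open, a session deny or reject, and a session close log entry for each flow these rules block.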

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.1. Statement updated in Junos OS Release 12.1X44-D10 with the reject option. The block-message option was added in Junos OS Release 12.1X45-D10.