Unified Policies for SSL Proxy

Overview

On Juniper SRX devices, SSL proxy works with Unified Policies by enabling SSL decryption and inspection as an application service within security policies that use the unified policy framework. This integration allows for deep inspection of encrypted traffic while maintaining dynamic application awareness. Here’s how it functions and key points to understand:

  • Default SSL Proxy Profile: When using unified policies, the SRX Series Firewall applies a default SSL proxy profile during the initial policy lookup phase—before the final application is identified. This helps avoid conflicts when multiple matching policies specify different SSL proxy profiles. If no default profile is configured in such cases, the session is dropped. Therefore, it’s recommended to configure a default SSL proxy profile to ensure smooth SSL proxy handling during early policy evaluation.
  • Policy Matching and SSL Proxy Application:
  1. Initial Policy Lookup Phase

    Before a dynamic application is identified, the firewall performs an initial policy lookup. If multiple policies match and specify different SSL proxy profiles, the firewall applies the default SSL proxy profile temporarily.

    This ensures SSL inspection begins immediately, even before the final application is known.

  2. Role of Default SSL Proxy Profile

    The default SSL proxy profile acts as a fallback during policy conflicts.

    If no default profile is configured and conflicting policies exist, the session is dropped, and a system log message is generated.

    It is strongly recommended to configure a default SSL proxy profile to avoid session termination.

  3. Final Application Identification: Once the unified policy engine identifies the dynamic application, the firewall re-evaluates the policy and applies the security policy that matches that application. If the matching policy has:
    • Same SSL proxy profile as the default → the default profile remains applied.

    • No SSL proxy profile → the default profile remains applied.

    • Different SSL proxy profile → the default continues to be applied; it is not replaced.

  4. Proxy Type Handling

    A security policy can include either an SSL forward proxy profile or an SSL reverse proxy profile—not both.

    If different policies use different types, the firewall applies the default profile (forward or reverse) during initial evaluation.

Note:

Once a default SSL proxy profile is enabled, it cannot be disabled even if the final policy does not specify SSL proxy. Switching from the default SSL proxy profile to another SSL proxy profile in the final policy is not supported. If there is a conflict and no default SSL proxy profile is configured, sessions may be dropped.

This mechanism allows SRX to decrypt, inspect, and enforce security on SSL/TLS traffic dynamically as applications are identified, providing granular control and protection in encrypted traffic flows.

Note:

A security policy can include either an SSL forward proxy profile or an SSL reverse proxy profile—not both. If different policies use different types, the firewall applies the default SSL proxy profile (forward or reverse) during initial evaluation.

CAUTION:

We recommend configuring a default SSL proxy profile to prevent session drops during policy conflicts. If no default profile is available, the session is terminated and a system log message is generated.

Example of the system log message:

Application of Default SSL Proxy Profiles in Different Scenarios

The following tables show simplified examples of how different policies are configured with SSL proxy profiles and dynamic applications.

Table 1: Example - Policies, Applications, and Profile

| Policy | Dynamic Application | SSL Proxy Profile |
|---|---|---|
| P1 | Facebook | SSL-1 |
| P2 | Google | SSL-1 |
| P3 | YouTube | None |
| P4 | Dropbox | SSL-2 (Default Profile) |

Table 2: Example - Application of Default SSL Proxy Profiles in Different Scenarios

| Scenario | Policy Setup | SSL Proxy Behavior | Example |
|---|---|---|---|
| No Conflict – All Policies Have Same SSL Proxy Profile | All matching policies have the same SSL proxy profile. | That profile is applied. Default profile is ignored. | Policies P1 and P2 both use SSL-1. SSL-1 is applied. Default SSL-2 is ignored. |
| No Conflict – Final Policy Has No SSL Proxy Profile | Initial matching policies have the same SSL proxy profile. Final matched policy has none. | Initially applied profile remains active. | P1 and P2 use SSL-1. Final match P3 has no profile. SSL-1 remains applied. |
| Conflict – Final Policy Has No SSL Proxy Profile | Initial policies have different SSL proxy profiles. Final matched policy has none. | Default profile is applied during conflict. It remains applied. | P1 uses SSL-1, P4 uses SSL-2. Default is SSL-2. Final match P3 has no profile. SSL-2 remains applied. |
| Conflict – Final Policy Has Different SSL Proxy Profile | Initial policies have different profiles. Final matched policy has a different profile. | Default profile is applied and remains. Switching of profiles is not supported. | P1 uses SSL-1, P4 uses SSL-2. Default is SSL-2. Final match P3 uses SSL-3. SSL-2 remains applied. |
| Conflict – No Default SSL Proxy Profile Configured | Initial policies have different profiles. No default profile is configured. | Session is dropped. | P1 uses SSL-1, P4 uses SSL-2. No default profile. Session is terminated. |
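To make the policy-matching rules from the Overview and the five Table 2 scenarios concrete, the following is an added example (not Juniper code and not the SRX implementation) that models the documented selection rules in Python and replays the Table 1 policies through each scenario. Policy and profile names are the page's; the behaviour when a non-default initial profile is followed by a final policy with its own profile is not stated on the page and is marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the profile selection rules on this page, not SRX code.

@dataclass(frozen=True)
class Policy:
    name: str
    app: str
    ssl_profile: Optional[str]  # None: policy has no SSL proxy profile

DROP = "DROP"  # session terminated: conflicting profiles and no default

def initial_lookup(candidates, default):
    """Initial policy lookup, before the dynamic application is known."""
    profiles = {p.ssl_profile for p in candidates if p.ssl_profile}
    if len(profiles) <= 1:
        # No conflict: the single profile (or none) is used; default ignored.
        return next(iter(profiles), None), False
    if default is None:
        return DROP, False  # conflict with no default: dropped and logged
    return default, True    # conflict: default profile applied temporarily

def final_match(initial, used_default, final_policy):
    """Re-evaluation once the dynamic application is identified."""
    if initial == DROP or used_default:
        # The default profile, once applied, is never disabled or replaced.
        return initial
    if final_policy.ssl_profile is None:
        return initial  # the initially applied profile remains active
    # Assumption (not stated on the page): a non-default initial profile
    # followed by a final policy with its own profile takes the final one.
    return final_policy.ssl_profile

def resolve(candidates, default, final_policy):
    return final_match(*initial_lookup(candidates, default), final_policy)

# Table 1 policies; P3_SSL3 is the Table 2 scenario-4 final match.
P1, P2 = Policy("P1", "Facebook", "SSL-1"), Policy("P2", "Google", "SSL-1")
P3, P4 = Policy("P3", "YouTube", None), Policy("P4", "Dropbox", "SSL-2")
P3_SSL3 = Policy("P3", "YouTube", "SSL-3")

def table2_scenarios():
    """Replays the five Table 2 rows; the default profile is SSL-2 where set."""
    return {
        "no conflict, same profile": resolve([P1, P2], "SSL-2", P2),
        "no conflict, final has none": resolve([P1, P2], "SSL-2", P3),
        "conflict, final has none": resolve([P1, P4], "SSL-2", P3),
        "conflict, final differs": resolve([P1, P4], "SSL-2", P3_SSL3),
        "conflict, no default": resolve([P1, P4], None, P3),
    }
```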

Limitations of SSL Proxy with Unified Policies

  • When a default SSL proxy profile is enabled, it cannot be disabled even if the final security policy does not have SSL proxy configured.

  • When a default SSL proxy profile is enabled and applied to the traffic, and the final security policy specifies an SSL proxy profile other than the default profile, switching from the default SSL proxy profile to the profile in the security policy is not supported.

Configuration Steps

Steps for configuring SSL proxy in a unified security policy:

  1. Create security policies and define match criteria for the traffic that requires SSL inspection.
  2. Specify the SSL proxy profile to be applied to that traffic.
  3. When using unified policies, follow these steps:
    • Define SSL proxy profiles (forward or reverse proxy) at the [edit services ssl proxy] hierarchy level.
    • Configure a default SSL proxy profile under the global options for unified policies (at the [edit security ngfw] hierarchy level). This configuration does not affect the existing SSL service configuration.
    • Reference the profile in the relevant security policy.
  4. Apply the SSL proxy profile as an application service in the security policy.

This setup ensures SSL decryption and inspection are applied consistently, especially during the initial policy evaluation phase before dynamic applications are fully identified.

Configure Default Profile for SSL Forward Proxy

In the steps below, you will define an SSL forward proxy profile named profile-1 and specify it as the default SSL proxy profile.

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
  2. Apply the signing certificate as root-ca in the SSL proxy profile.
  3. Define the SSL proxy profile as the default profile.

Configure Default Profile for SSL Reverse Proxy

In the steps below, you will define an SSL reverse proxy profile named profile-1 and specify it as the default SSL proxy profile.

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
  2. Define the SSL reverse proxy profile as the default profile.

Configure Default Profile for Logical Systems

In the steps below, you assign either an SSL forward proxy profile or an SSL reverse proxy profile as the default within a logical system configuration. Only one profile type—forward or reverse—can be set as the default at a time.

  1. Define the SSL forward proxy profile as the default profile.

  2. Define the SSL reverse proxy profile as the default profile.

Sample Configuration

In this example, you configure an SSL forward proxy profile by specifying the root CA certificate. Next, configure the profile as default SSL proxy profile. Now, you create a unified policy and invoke the SSL proxy as application services on the permitted traffic.

  1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.

  2. Apply the signing certificate as root-ca in the SSL proxy profile.

  3. Define the SSL proxy profile as the default profile.

  4. Create a unified policy and specify the dynamic application as the match criteria.

  5. Apply the SSL proxy profile to the permitted traffic in the security policy.

  6. Confirm that the configuration is working after commit by displaying the SSL proxy statistics using the show services ssl proxy statistics command.

    The output shows details about the sessions matched for the SSL proxy, the sessions where the default profile was applied, and the sessions dropped because no default profile was configured.

SNI-Based Dynamic Application Information for SSL Proxy Profile

We’ve enhanced the SSL proxy profile selection mechanism by using the Server Name Indication (SNI) TLS extension to identify dynamic applications.

The SSL proxy module defers SSL profile selection until the dynamic application is detected from the SNI in the ClientHello message. After detecting the dynamic application, the SSL proxy module performs a firewall rule lookup based on the identified application and selects the appropriate SSL proxy profile.

Using the SNI-based dynamic application information results in more accurate SSL proxy profile selection for the session. By default, SNI-based dynamic application information for SSL proxy profile selection is enabled on the SRX Series Firewall. Use the show services ssl proxy counters command to check the SSL proxy counters.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---|---|
| 20.4R1 | Starting in Junos OS Release 20.4R1, we’ve enhanced the SSL proxy profile selection mechanism by using the Server Name Indication (SNI) TLS extension to identify dynamic applications. |
| 18.2R1 | Starting in Junos OS Release 18.2R1, unified policies are supported on SRX Series Firewalls, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy. |