match (Security Policies Global)
Syntax
match {
    application {
        [application];
        any;
    }
    destination-address {
        [address];
        any;
        any-ipv4;
        any-ipv6;
    }
    destination-address-excluded;
    destination-identity-context {
        [user-or-role-name];
        any;
        identity-context-authenticated;
        identity-context-unauthenticated;
        identity-context-unavailable;
    }
    destination-identity-context-profile <identity-context-profile-name>;
    destination-identity-feed [ destination-identity-feed ... ];
    destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ];
    dynamic-application application-name;
    from-zone {
        [zone-name];
        any;
    }
    gbp-dst-tag [ gbp-dst-tag ... ];
    gbp-src-tag [ gbp-src-tag ... ];
    source-address {
        [address];
        any;
        any-ipv4;
        any-ipv6;
    }
    source-address-excluded;
    source-end-user-profile <source-end-user-profile-name>;
    source-identity {
        [role-name];
        any;
        authenticated-user;
        unauthenticated-user;
        unknown-user;
    }
    source-identity-feed [ source-identity-feed ... ];
    source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ];
    to-zone {
        [zone-name];
        any;
    }
    url-category;
}
Hierarchy Level
[edit security policies global policy policy-name]
Description
Configure security global policy match criteria.
For security reasons and to avoid traffic spoofing, we recommend that when you create a multizone policy you use identical match criteria (source address, destination address, application) and an identical action for every zone pair the policy covers. For more information, see Global Policy Overview.
Options
application—Match traffic based on port-based application signatures.
destination-address—Match traffic destined to the specified IP address or address book entry.
destination-address-excluded—Exclude the specified destination addresses from the match.
destination-identity-context—Match based on destination identity context (for example, user or device identity).
destination-identity-context-profile—Match using a predefined profile for destination identity context.
destination-identity-feed—Match destination identity from external identity feeds.
destination-l3vpn-vrf-group—Match traffic based on destination VRF group name.
dynamic-application—Match traffic using App-ID based dynamic application signatures.
from-zone—Source zone or multiple source zones to be used as match criteria for a policy.
gbp-dst-tag—Match traffic based on group-based policy destination tag.
gbp-src-tag—Match traffic based on group-based policy source tag.
source-address—Match traffic originating from the specified IP address or address book entry.
source-address-excluded—Exclude the specified source addresses from the match.
source-end-user-profile—Match traffic based on source end-user profile.
source-identity—Match based on source identity (for example, user or device identity).
source-identity-feed—Match source identity from external identity feeds.
source-l3vpn-vrf-group—Match traffic based on source VRF group name.
to-zone—Destination zone or multiple destination zones to be used as match criteria for a policy.
url-category—Match traffic based on URL category (for example, social media, finance).
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 8.5.
Statement updated with source-identity option in Junos OS Release 12.1.
Statement updated with to-zone and from-zone options in Junos OS Release 12.1X47-D10.
Statement updated with source-identity-feed and destination-identity-feed options in Junos OS Release 21.1R1.