profile (Services SSL Proxy)


Hierarchy Level


Specify the SSL server profile. An SSL proxy profile defines SSL behavior for the SRX Series Firewall.

The SSL proxy profile will be applied to the security policy as application services.



Profile identifier.


Logging and traffic related actions.


Custom cipher list.

  • Values:

    • ecdhe-rsa-with-3des-ede-cbc-sha—ECDHE/RSA, 3DES EDE/CBC, SHA hash

    • ecdhe-rsa-with-aes-128-cbc-sha—ECDHE/RSA, 128-bit AES/CBC, SHA hash

    • ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE/RSA, 128-bit AES/CBC, SHA256 hash

    • ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE/RSA, 128-bit AES/GCM, SHA256 hash

    • ecdhe-rsa-with-aes-256-cbc-sha—ECDHE/RSA, 256-bit AES/CBC, SHA hash

    • ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE/RSA, 256-bit AES/CBC, SHA384 hash

    • ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE/RSA, 256-bit AES/GCM, SHA384 hash

    • rsa-export-with-des40-cbc-sha—RSA-export, 40-bit DES/CBC, SHA hash

    • rsa-export-with-rc4-40-md5—RSA-export, 40-bit RC4, MD5 hash

    • rsa-export1024-with-des-cbc-sha—RSA 1024-bit export, DES/CBC, SHA hash

    • rsa-export1024-with-rc4-56-md5—RSA 1024-bit export, 56-bit RC4, MD5 hash

    • rsa-export1024-with-rc4-56-sha—RSA 1024-bit export, 56-bit RC4, SHA hash

    • rsa-with-3des-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

    • rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

    • rsa-with-aes-128-cbc-sha256—RSA, 128-bit AES/CBC, SHA256 hash

    • rsa-with-aes-128-gcm-sha256—RSA, 128-bit AES/GCM, SHA256 hash

    • rsa-with-aes-256-cbc-sha—RSA, 256-bit AES/CBC, SHA hash

    • rsa-with-aes-256-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash

    • rsa-with-aes-256-gcm-sha384—RSA, 256-bit AES/GCM, SHA384 hash

    • rsa-with-des-cbc-sha—RSA, DES CBC, SHA hash

    • rsa-with-null-md5—RSA, no symmetric cipher, MD5 hash

    • rsa-with-null-sha—RSA, no symmetric cipher, SHA hash

    • rsa-with-rc4-128-md5—RSA, 128-bit RC4, MD5 hash

    • rsa-with-rc4-128-sha—RSA, 128-bit RC4, SHA hash


Disable the deferred profile selection mechanism. In the deferred profile selection mechanism, the SSL proxy module defers SSL profile selection until the dynamic application is detected in a client hello message based on the Server Name Indication (SNI). After detecting the dynamic application, the SSL proxy module does a firewall rule lookup based on the identified application and selects an appropriate SSL proxy profile.


Enable flow tracing for the profile.


Select preferred ciphers.

  • Values:

    • custom—Configure custom cipher suite and order of preference.

    • medium—Use ciphers with key strength of 128 bits or greater.

    • strong—Use ciphers with key strength of 168 bits or greater.

    • weak—Use ciphers with key strength of 40 bits or greater.
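The following audit script is an added example, not part of the Juniper documentation. It reads the nominal key size from each custom cipher name listed above, maps it to the highest preferred-cipher tier whose stated threshold it meets, and flags weaknesses the key-size tier does not capture. The function names and the sample list are assumptions; the tier is derived only from the thresholds on this page, not from the device's actual tier membership.

```python
import re

# Constructed sample: a custom cipher list built from names in the list above.
SAMPLE_CUSTOM_CIPHERS = [
    "ecdhe-rsa-with-aes-256-gcm-sha384",
    "ecdhe-rsa-with-aes-128-gcm-sha256",
    "rsa-with-3des-ede-cbc-sha",
    "rsa-with-rc4-128-md5",
    "rsa-export-with-des40-cbc-sha",
    "rsa-with-null-sha",
]

def key_bits(name):
    """Nominal symmetric key size in bits, read from the suite name."""
    if "-null-" in name:
        return 0
    if "3des" in name:
        return 168
    m = re.search(r"(?:aes|rc4)-(\d+)|des(\d+)", name)
    if m:
        return int(m.group(1) or m.group(2))
    if "-des-" in name:
        return 56
    raise ValueError(f"unrecognized cipher name: {name}")

def tier(bits):
    """Highest tier whose stated threshold (168/128/40 bits) the key size meets."""
    return "strong" if bits >= 168 else "medium" if bits >= 128 else "weak" if bits >= 40 else "none"

def findings(name):
    """Weaknesses that the key-size tier alone does not capture."""
    checks = [
        ("-null-" in name, "no encryption"),
        ("export" in name, "export-grade"),
        ("rc4" in name, "RC4"),
        (bool(re.search(r"(?<!3)des", name)), "single DES"),
        ("3des" in name, "3DES (64-bit block)"),
        (name.endswith("-md5"), "MD5 MAC"),
        (not name.startswith("ecdhe-"), "no forward secrecy"),
    ]
    return [label for hit, label in checks if hit]

def audit(ciphers):
    return [(c, key_bits(c), tier(key_bits(c)), findings(c)) for c in ciphers]

if __name__ == "__main__":
    for name, bits, level, issues in audit(SAMPLE_CUSTOM_CIPHERS):
        print(f"{name:36} {bits:>3} bits  {level:6}  {', '.join(issues) or 'ok'}")
```

The 3DES suites meet the 168-bit threshold on nominal key size alone, while ecdhe-rsa-with-aes-128-gcm-sha256 lands in the 128-bit tier, so review a custom list against the findings column as well as the tier.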


Root certificate for interdicting server certificates in proxy mode.


Local certificate identifier.


List of trusted certificate authority profiles.


Addresses exempted from SSL proxy.


URL categories exempted from SSL proxy.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

services—To view this statement in the configuration.

services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.1X44-D10.

The crl statement is supported from 15.1X49-D30.

The logical system option is introduced in Junos OS Release 19.1R1.