match (Security Policies)
Syntax
match {
    application {
        [application];
        any;
    }
    destination-address {
        [address];
        any;
        any-ipv4;
        any-ipv6;
    }
    destination-address-excluded;
    destination-identity-context {
        [user-or-role-name];
        any;
        identity-context-authenticated;
        identity-context-unauthenticated;
        identity-context-unavailable;
    }
    destination-identity-context-profile identity-context-profile-name;
    destination-identity-feed [ destination-identity-feed ... ];
    destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ];
    dynamic-application application-name;
    gbp-dst-tag [ gbp-dst-tag ... ];
    gbp-src-tag [ gbp-src-tag ... ];
    source-address {
        [address];
        any;
        any-ipv4;
        any-ipv6;
    }
    source-address-excluded;
    source-end-user-profile source-end-user-profile-name;
    source-identity {
        [role-name];
        any;
        authenticated-user;
        unauthenticated-user;
        unknown-user;
    }
    source-identity-feed [ source-identity-feed ... ];
    source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ];
    url-category;
}
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name]
Description
Configure security policy match criteria.
Options
application—Match traffic based on port-based application signatures.
destination-address—Match traffic destined to the specified IP address or address book entry.
destination-address-excluded—Exclude the specified destination addresses from the match.
destination-identity-context—Match based on destination identity context (for example, user or device identity).
destination-identity-context-profile—Match using a predefined profile for destination identity context.
destination-identity-feed—Match destination identity from external identity feeds.
destination-l3vpn-vrf-group—Match traffic based on destination VRF group name.
dynamic-application—Match traffic using App-ID based dynamic application signatures.
gbp-dst-tag—Match traffic based on group-based policy destination tag. Destination-based tags are identifiers applied based on the intended destination of a VXLAN-encapsulated frame.
gbp-src-tag—Match traffic based on group-based policy source tag. Source-based tags are identifiers associated with the origin of a VXLAN-encapsulated Ethernet frame. Tag-based match conditions are used in security policies to enforce micro-segmentation.
source-address—Match traffic originating from the specified IP address or address book entry.
source-address-excluded—Exclude the specified source addresses from the match.
source-end-user-profile—Match traffic based on source end-user profile.
source-identity—Match based on source identity (for example, user or device identity).
source-identity-feed—Match source identity from external identity feeds.
source-l3vpn-vrf-group—Match traffic based on source VRF group name.
url-category—Match traffic based on URL category (for example, social media, finance).
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5. Statement updated with the source-identity option in Junos OS Release 12.1. Statement updated with the destination-identity-context option in Junos OS Release 23.4R1.