Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


rule-sets (Security Application Firewall)


Hierarchy Level


Configure the set of rules for the application firewall.

The application firewall is defined by a collection of rule sets. These rule sets can be defined independently and shared across network security policies. A rule set defines the rules that specify match criteria, including dynamic applications, and the action to be taken for matching traffic.

To implement an application firewall, you need to:

  • Define one or more application firewall rule sets.

  • Create rules for each rule set that permit, reject, or deny traffic based on the application ID.

  • Configure a security policy to invoke the application firewall service and specify the rule set to be applied to permitted traffic.

The application firewall support in the policies provides additional security control for dynamic applications.

Starting in Junos OS Release 18.2R1, the application firewall (AppFW) functionality is deprecated. As a part of this change, the [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated— rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration.



Name of the rule set.

profile profile-name

Profile for block message.


Specify default rule.


Specify security rule match-criteria

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.1. Statement updated in Junos OS Release 12.1X44-D10 to include the ssl-encryption and reject options. The block-message options added in Junos OS Release 12.1X45-D10.