Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Identifies users and roles to be used as match criteria for a policy. If a value other than any is specified as match criteria for a policy within a zone pair, the traffic is matched to table entries to retrieve associated user and roles before policy lookup occurs. Users and roles are retrieved from the local authentication table or from a UIT pushed to the SRX Series Firewall from an access control service when a user is authenticated.


The following entries specify the source identities that match a policy:


A list of specific users and roles.

  • Range: 0 through 39 characters


    SRX Series Firewalls truncate imported roles to 39 characters. You need to ensure that all of your roles are 39 characters or less.


Any user or role, as well as the keywords authenticated-user, unauthenticated-user, and unknown-user.


All users and roles that have been authenticated.


Any user or role that does not have an IP-address mapped to authentication sources and the authentication source is up and running.


Any user or role that does not have an IP address mapped to authentication sources, because the authentication source is disconnected from the SRX Series Firewall. In this case, users are unable to be authenticated due to an authentication server disconnection, such as a power outage.

Unknown-user must be configured for non-domain users to be able to authenticate and log in.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 12.1. Statement updated in Junos OS Release 12.1X44-D10. Statement is supported in [edit security advance-policy-based-routing from-zone zone-name policy policy-name match] hierarchy in Junos OS Release 19.1R1.