pre-id-default-policy
Syntax
pre-id-default-policy {
    then {
        log {
            session-init;
            session-close;
        }
        session-timeout {
            icmp seconds;
            icmp6 seconds;
            ospf seconds;
            others seconds;
            tcp seconds;
            udp seconds;
        }
    }
}
Hierarchy Level
[edit security policies]
Description
Configure pre-ID default policy settings.
Starting in Junos OS Release 23.4R1, the flow process is optimized to deny traffic without performing application identification (AppID) when every potential policy, including the default policy, would deny that traffic.
Such traffic does not proceed to the pre-ID default policy (pre-id-default-policy); it is denied by the default policy or by the topmost matching rule in the unified policy. Sessions that would otherwise match the pre-ID default policy are therefore denied before AppID runs when no potential policy could permit them.
When the device receives the first packet of a traffic flow, it performs basic 5-tuple matching and checks the potential policies (the policies whose 5-tuple criteria match, before the application is known) to determine how to treat the packet. If every potential policy has the deny action and the default policy action is also deny, the device denies the traffic and does not perform application identification. If any potential policy has an action other than deny, the device performs deep packet inspection (DPI) to identify the application.
The device checks for potential policies in both the zone context and the global context.
In Junos OS releases prior to 23.4R1, the pre-ID default policy temporarily allows the session to be created so that DPI can inspect the packets and perform application identification (AppID).
Configuring session-init logging for the pre-id-default-policy can generate a large volume of logs: every session entering the SRX Series device that initially matches the pre-id-default-policy generates an event. We recommend using this option only for troubleshooting.
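The first-packet decision described above, modelled as an added Python example (this is an illustrative simulation written for this page, not Junos OS code or its internal data structures). The Packet and Policy classes, the policy names, addresses and the "web-browsing" dynamic-application label are constructed for the example; the optimized flag models the 23.4R1 behaviour (True) versus earlier releases (False).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """First packet of a flow, reduced to its 5-tuple (constructed model)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    """Security policy with 5-tuple criteria plus a dynamic application
    (constructed model; field names are assumptions, not Junos syntax)."""
    name: str
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = ()            # () means any destination port
    dynamic_app: str = "any"      # only known after AppID has run

    def is_potential_match(self, pkt: Packet) -> bool:
        """5-tuple match only. The dynamic application is deliberately not
        evaluated here: AppID has not run yet on the first packet, so this
        policy can only be a *potential* match."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def potential_policies(pkt, zone_policies, global_policies):
    """Zone-context policies are checked before global-context policies,
    in configured order, so the topmost matching rule comes first."""
    return [p for p in (*zone_policies, *global_policies)
            if p.is_potential_match(pkt)]


def first_packet_decision(pkt, zone_policies, global_policies,
                          default_action="deny", optimized=True):
    """Return (verdict, reason).

    verdict "deny": dropped before AppID, by the named policy or the default policy.
    verdict "dpi":  session created under pre-id-default-policy and sent to AppID.
    optimized=False models releases before 23.4R1, which always create the
    session so that DPI can see the packet."""
    if not optimized:
        return ("dpi", "pre-id-default-policy")
    candidates = potential_policies(pkt, zone_policies, global_policies)
    if any(p.action != "deny" for p in candidates) or default_action != "deny":
        # At least one policy could permit once the application is known.
        return ("dpi", "pre-id-default-policy")
    # Every potential policy and the default policy deny: no AppID needed.
    reason = candidates[0].name if candidates else "default-policy"
    return ("deny", reason)


# Constructed sample policy set (names, prefixes and ports are made up).
ZONE_POLICIES = (
    Policy("deny-telnet", "deny", src="10.0.0.0/8", proto="tcp", dports=(23,)),
    Policy("allow-web", "permit", src="10.0.0.0/8", proto="tcp",
           dports=(80, 443), dynamic_app="web-browsing"),
)
GLOBAL_POLICIES = (
    Policy("deny-udp", "deny", proto="udp"),
)


def demo():
    """Evaluate a few constructed first packets against the sample policies."""
    pkts = {
        "telnet": Packet("10.1.1.1", "192.0.2.10", "tcp", 40000, 23),
        "https": Packet("10.1.1.1", "192.0.2.10", "tcp", 40001, 443),
        "dns": Packet("10.1.1.1", "192.0.2.53", "udp", 40002, 53),
        "smtp": Packet("172.16.0.5", "192.0.2.25", "tcp", 40003, 25),
    }
    return {k: first_packet_decision(p, ZONE_POLICIES, GLOBAL_POLICIES)
            for k, p in pkts.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:7s} -> {verdict:5s} ({reason})")
```

The smtp packet is the interesting case: no policy matches its 5-tuple, so with a deny default policy it is dropped without AppID, whereas passing default_action="permit" sends it to DPI, and passing optimized=False reproduces the pre-23.4R1 behaviour where every flow is first admitted under pre-id-default-policy.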
Options
| Option | Description |
| --- | --- |
| then | Specifies the policy action to take when the packet matches the policy criteria. |
| log | Logs session events at session initialization time (session-init) and session close time (session-close). |
| session-timeout | Specifies, in seconds, the session timeout applied to sessions matched by this policy, per protocol (icmp, icmp6, ospf, tcp, udp, and others). |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 18.2R1.