Device Security
Pre-ID default policy enhancements (SRX Series Firewalls and vSRX Virtual Firewall)—Starting in Junos OS Release 23.4R1, the Pre-ID default policy (pre-id-default-policy) denies the flow before performing application identification (AppID) when there are no potential policies to permit the flow.
When the device receives the first packet of a traffic flow, it performs basic 5-tuple matching and checks the defined potential policies to determine how to treat the packet. If all potential policies have the action "deny", and the default policy action is also set to "deny", then the device denies the traffic and does not perform application identification.
If any policy has an action other than "deny", then the device performs deep packet inspection (DPI) to identify the application.
The device checks for potential policies on both zone context and global context.
See [Pre-id-default-policy].
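The following is an added example, not Juniper code or Junos syntax: a simplified Python model of the first-packet decision described above, useful for reasoning about which flows in a rule base are dropped before AppID. The `Flow` and `Policy` structures, the verdict strings, the sample rule base, and the fall-through to AppID for cases the text does not describe are all assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# What the first packet reveals: ingress/egress zones plus the 5-tuple.
Flow = namedtuple("Flow", "from_zone to_zone src dst proto sport dport")

@dataclass(frozen=True)
class Policy:  # simplified rule model (assumption, not Junos configuration)
    name: str
    action: str                      # "permit" or "deny"
    from_zone: Optional[str] = None  # None/None means global context
    to_zone: Optional[str] = None
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    dynamic_app: str = "any"         # unknown at first packet, so never matched here

def potential_policies(flow, policies):
    """Zone-context and global policies the flow can still match on 5-tuple alone."""
    return [p for p in policies
            if (p.from_zone is None or (p.from_zone, p.to_zone) == (flow.from_zone, flow.to_zone))
            and ip_address(flow.src) in ip_network(p.src_net)
            and ip_address(flow.dst) in ip_network(p.dst_net)
            and p.proto in ("any", flow.proto)
            and p.dport in (None, flow.dport)]

def pre_id_decision(flow, policies, default_action="deny"):
    """Return (verdict, candidate policy names) for the first packet of a flow."""
    candidates = potential_policies(flow, policies)
    only_deny = default_action == "deny" and all(p.action == "deny" for p in candidates)
    verdict = "deny-before-appid" if only_deny else "run-appid"
    return verdict, [p.name for p in candidates]

# Constructed sample rule base and flows (documentation address ranges).
POLICIES = [
    Policy("permit-web", "permit", "trust", "untrust", proto="tcp", dport=443, dynamic_app="SSL"),
    Policy("deny-lab", "deny", "trust", "untrust", src_net="10.1.50.0/24"),
    Policy("global-deny-telnet", "deny", proto="tcp", dport=23),
]
WEB = Flow("trust", "untrust", "10.1.1.5", "203.0.113.10", "tcp", 40000, 443)
TELNET = Flow("dmz", "untrust", "10.2.0.9", "203.0.113.10", "tcp", 40001, 23)
NO_MATCH = Flow("dmz", "untrust", "10.2.0.9", "203.0.113.10", "udp", 40002, 53)

if __name__ == "__main__":
    for f in (WEB, TELNET, NO_MATCH):
        print(f.proto, f.dport, pre_id_decision(f, POLICIES))
```

In this model the HTTPS flow needs DPI because a permit policy keyed on an application is still a candidate, while the Telnet flow (global deny only) and the DNS flow (no candidates) are denied without AppID.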
Security Policy Support for Explicit Web Proxy (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we support explicit web proxy profile security policy. The Juniper Networks® SRX Series Firewalls apply security enforcement based on the rules created in the explicit web proxy profile policy.
The explicit proxy profile policy can enforce fine-grained rules to filter and inspect the web traffic.
See [Explicit Web Proxy].
User authentication for Explicit Proxy (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we support firewall LDAP-based user authentication to control user access to the network for explicit web-proxy deployments. We support web authentication with web redirection and usage of captive portals.
With explicit web proxy authentication in place, when a user first connects to the proxy server, the browser prompts the user for credentials. The explicit proxy then verifies the username and password with the LDAP server. If the credentials are valid, the proxy grants access to the client and stores the user's information in the database.
See [Explicit Web Proxy].
Explicit Web Proxy support is available for on-premises deployment (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, Explicit Web Proxy support is available for on-premises deployment use cases on the following platforms:
SRX1500
SRX4100
SRX4200
SRX4600
vSRX 3.0
The Explicit Web Proxy feature and the configurations are available by default.
SSL proxy support is required to enable SSL decryption service for explicit proxy sessions.