Identity Aware Firewall

  • Optimized session report mechanism in user firewall authentication (SRX Series Firewalls and vSRX 3.0)—An optimized session report mechanism improves user firewall authentication performance by reducing delays on the Routing Engine. The mechanism updates the authentication entry timeout on the Routing Engine and reduces the number of messages that the Packet Forwarding Engine must send for session report updates. Firewall administrators benefit from faster, more accurate session reporting and from improved overall system efficiency.

    [See show services user-identification authentication-table.]

  • SAML-based firewall authentication (cSRX, SRX Series Firewalls, and vSRX 3.0)—You can authenticate users through Security Assertion Markup Language (SAML)-based access profiles, using your organization's identity provider (IdP) for firewall authentication. The firewall generates SAML authentication requests and processes the SAML assertions returned by the IdP, enhancing the security and flexibility of user authentication. The integration supports single sign-on (SSO) using the HTTP Redirect and HTTP POST SAML bindings, providing benefits such as improved security and reduced password management. To enable SAML-based captive portal authentication, include the access-profile profile-name statement at the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication user-firewall hierarchy level.

    To apply a default Secure Sockets Layer (SSL) termination profile, use the set access firewall-authentication user-firewall default-ssl-termination-profile default-ssl-termination-profile command. Enable this setting to enforce SSL termination for all access profiles.

    [See user-firewall (Access Firewall-Authentication), default-ssl-termination-profile (Access), user-firewall, policy (Security Policies), SAML Authentication in Juniper Secure Connect, saml, and authentication-order (Access Profile).]