policies
Syntax
policies { default-policy (deny-all | permit-all); from-zone from-zone-name { to-zone; policy name { description description; match (Security Policies Global) { source-address (Security Policies); destination-address (Security Policies); application (Security Policies); source-identity; source-end-user-profile <source-end-user-profile-name>; dynamic-application (Security Policies); url-category; from-zone (Security Policies Global); to-zone (Security Policies Global); source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ]; destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ]; destination-address-excluded; source-address-excluded; } scheduler-name scheduler-name; then { deny; permit { application-services { (redirect-wx | reverse-redirect-wx); advanced-anti-malware-policy advanced-anti-malware-policy; application-traffic-control { rule-set rule-set; } gprs-gtp-profile gprs-gtp-profile; gprs-sctp-profile gprs-sctp-profile; icap-redirect icap-redirect; idp; idp-policy idp-policy; security-intelligence-policy security-intelligence-policy; ssl-proxy { profile-name profile-name; } uac-policy { captive-portal captive-portal; } utm-policy utm-policy; web-proxy { profile-name profile-name; } } destination-address (Security IDP Policy) { (drop-translated | drop-untranslated); } firewall-authentication { pass-through { access-profile access-profile; auth-only-browser; auth-user-agent name; client-match [ client-match ... ]; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } user-firewall { access-profile access-profile; auth-only-browser; auth-user-agent name; domain domain; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } web-authentication { client-match [ client-match ... 
]; } push-to-identity-management; } services-offload; tcp-options { initial-tcp-mss initial-tcp-mss; reverse-tcp-mss reverse-tcp-mss; sequence-check-required; syn-check-required; window-scale; } tunnel { ipsec-vpn ipsec-vpn; pair-policy pair-policy; } } reject { profile profile; ssl-proxy { profile-name profile-name; } } count { } log { session-close; session-init; } } } } global { policy name { description description; match (Security Policies Global) { source-address (Security Policies); destination-address (Security Policies); application (Security Policies); source-identity; source-end-user-profile <source-end-user-profile-name>; dynamic-application (Security Policies); url-category; from-zone (Security Policies Global); to-zone (Security Policies Global); source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ]; destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... ]; destination-address-excluded; source-address-excluded; } scheduler-name scheduler-name; then { deny; permit { application-services { (redirect-wx | reverse-redirect-wx); advanced-anti-malware-policy advanced-anti-malware-policy; application-traffic-control { rule-set rule-set; } gprs-gtp-profile gprs-gtp-profile; gprs-sctp-profile gprs-sctp-profile; icap-redirect icap-redirect; idp; idp-policy idp-policy; security-intelligence-policy security-intelligence-policy; ssl-proxy { profile-name profile-name; } uac-policy { captive-portal captive-portal; } utm-policy utm-policy; web-proxy { profile-name profile-name; } } destination-address { (drop-translated | drop-untranslated); } firewall-authentication { pass-through { access-profile access-profile; auth-only-browser; auth-user-agent name; client-match [ client-match ... 
]; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } user-firewall { access-profile access-profile; auth-only-browser; auth-user-agent name; domain domain; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } web-authentication { client-match [ client-match ... ]; } push-to-identity-management; } services-offload; tcp-options { initial-tcp-mss initial-tcp-mss; reverse-tcp-mss reverse-tcp-mss; sequence-check-required; syn-check-required; window-scale; } tunnel { ipsec-vpn ipsec-vpn; pair-policy pair-policy; } } reject { profile profile; ssl-proxy { profile-name profile-name; } } count { } log { session-close; session-init; } } } } policy-rematch <extensive>; policy-stats { system-wide (disable | enable); } pre-id-default-policy { then { log { session-close; session-init; } session-timeout { icmp seconds; icmp6 seconds; ospf seconds; others seconds; tcp seconds; udp seconds; } } } stateful-firewall-rule name { match-direction (input | input-output | output); policy name { description description; match (Security Policies Global) { source-address (Security Policies); destination-address (Security Policies); application (Security Policies); source-identity; source-end-user-profile <source-end-user-profile-name>; dynamic-application (Security Policies); url-category; from-zone (Security Policies Global); to-zone (Security Policies Global); source-l3vpn-vrf-group [ source-l3vpn-vrf-group ... ]; destination-l3vpn-vrf-group [ destination-l3vpn-vrf-group ... 
]; destination-address-excluded; source-address-excluded; } scheduler-name scheduler-name; then { deny; permit { application-services { (redirect-wx | reverse-redirect-wx); advanced-anti-malware-policy advanced-anti-malware-policy; application-traffic-control { rule-set rule-set; } gprs-gtp-profile gprs-gtp-profile; gprs-sctp-profile gprs-sctp-profile; icap-redirect icap-redirect; idp; idp-policy idp-policy; security-intelligence-policy security-intelligence-policy; ssl-proxy { profile-name profile-name; } uac-policy { captive-portal captive-portal; } utm-policy utm-policy; web-proxy { profile-name profile-name; } } destination-address { (drop-translated | drop-untranslated); } firewall-authentication { pass-through { access-profile access-profile; auth-only-browser; auth-user-agent name; client-match [ client-match ... ]; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } user-firewall { access-profile access-profile; auth-only-browser; auth-user-agent name; domain domain; ssl-termination-profile ssl-termination-profile; web-redirect; web-redirect-to-https; } web-authentication { client-match [ client-match ... ]; } push-to-identity-management; } services-offload; tcp-options { initial-tcp-mss initial-tcp-mss; reverse-tcp-mss reverse-tcp-mss; sequence-check-required; syn-check-required; window-scale; } tunnel { ipsec-vpn ipsec-vpn; pair-policy pair-policy; } } reject { profile profile; ssl-proxy { profile-name profile-name; } } count { } log { session-close; session-init; } } } } stateful-firewall-rule-set name { stateful-firewall-rule name; } traceoptions (Security Policies) { file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>; flag name; no-remote-trace; } unified-policy { max-lookups max-lookups; } }
Hierarchy Level
[edit security]
Description
Configure network security policies. Policies that reference IPv6 addresses are usable only if flow support for IPv6 traffic is enabled on the device.
Options
default-policy | Configure the action taken when traffic matches no user-defined policy: deny-all denies the unmatched traffic, permit-all allows it. Keeping deny-all (fail-closed) is the safe choice; with permit-all, any traffic not explicitly covered by a policy passes through the device.
|
policy-rematch | Re-evaluate existing sessions against the policy set when a policy is changed, rather than letting sessions established under the old policy continue untouched.
|
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Support for the services-offload
option added in
Junos OS Release 11.4.
Support for the source-identity
option added in
Junos OS Release 12.1.
Support for the description
option added in Junos
OS Release 12.1.
Support for the ssl-termination-profile and web-redirect-to-https options was added starting in Junos OS Release 12.1X44-D10 and Junos OS Release 15.1X49-D40.
Support for the user-firewall
option added in Junos
OS Release 12.1X45-D10.
Support for the domain
option, and for the from-zone
and to-zone
global policy match options, added in Junos
OS Release 12.1X47-D10.
Support for the initial-tcp-mss
and reverse-tcp-mss
options added in Junos OS Release 12.3X48-D20. Support for the extensive option for policy-rematch was added in Junos OS Release 15.1X49-D20.
Starting in Junos OS Release 18.2R1, an IDP policy can be invoked from within a unified security policy. Instead of being configured as a separate policy with its own match criteria, the IDP policy is attached as one of the application services in the security policy's permit action (idp-policy in the syntax above). Because the security policy itself performs the match, the IDP policy does not need its own source or destination addresses, source-except or destination-except, from-zone or to-zone, or application criteria.
Starting in Junos OS Release 18.3R1, when an SRX Series Firewall is configured with unified policies, you can configure multiple IDP policies and designate one of them as the default IDP policy. If more than one IDP policy applies to a session and a policy conflict occurs, the device applies the default IDP policy to that session, which resolves the conflict.
If two or more IDP policies are configured in a unified security policy, you must designate one of them as the default IDP policy.