Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add a Rule to a Security Policy

You are here: Security Policies & Objects > Security Policies.

Note:

To reference the Content Security policies and the AppQoS profiles in a security policy rules, create Content Security polices and AppQoS profiles before creating or editing security policy rules if required. To create Content Security policies, go to Security Services > Content Security > Content Security Policies and to create AppQoS profiles, go to Network > Application QoS.

To add a rule to a security policy:

  1. Click + available on the upper-right corner of the Security Policies page.

    The inline editable fields will appear.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click the tick icon on the upper right of the row once done with the configuration.
    Note:

    Scroll back the horizontal bar if the inline tick and the cancel icons are not available when creating a new rule.

  4. Click Save to save the changes or click Discard to discard the changes.
    Note:

    You must perform Step 3 and Step 4 before performing any further actions in the J-Web UI.

Table 1: Fields on the Security Policies Page

Field

Action

Rule Name

Enter a name for the new rule or policy.

Rule Description

Enter a description for the security policy.

Global Policy

Enable this option to specify that the policy defined is a global policy and zones are not required.

Source Zone

To add sources:

  1. Click +.

    The Select Sources page appears.

  2. Enter the following details:

    • Zone—Select the source zone from the list to which you want the rule to be associated.

    • Addresses—Select any or Specific.

      Note:
      • You can select the IP feeds to define the matching criteria for a policy. Also, you can view source type (Address, Address group, Wild card, Range, IP feeds) in the new Type column.

      • Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

      To select a specific address or IP feed, select the addresses or IP feeds from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list.

      To create a new address, click +. The Create Address page appears. For more information on fields, see Table 2.

    • Source identity—Select the user identity from the Available column and then click the right arrow to move it to the Selected column.

      To create a source identity, click +. Enter a new username or identity in the Create Source Identity page and click OK.

    • Source identity feed—You can select user identity threat feed to define the matching criteria for a policy.

      Select the user identity threat feed from the Available column and then click the right arrow to move it to the Selected column.

      Maximum user identity threat feed count is 1024. That is, sum of source identity feed and destination identity feed per policy.

      Note:

      Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

Destination Zone

To add a destination:

  1. Click +.

    The Select Destination page appears.

  2. Enter the following details:

    • Zone—Select the destination zone from the list to which you want the rule to be associated.

    • Addresses—Select any or Specific.

      Note:
      • You can select the IP feeds to define the matching criteria for a policy. Also, you can view source type (Address, Address group, Wild card, Range, IP feeds) in the new Type column.

      • Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

      To select a specific address or IP feed, select the addresses or IP feeds from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list.

      To create a new address, click +. For more information on fields, see Table 2.

    • Dynamic applications—Select Any, Specific, or None.

      Note:

      The Dynamic Applications option is not supported for tenants.

      To select a specific application, select the application from the Available column and then click the right arrow to move it to the Selected column.

      Note:

      The select all check box is only available when you search for specific dynamic applications.

      To create a new application, click +. The Create Application Signature page appears. For more information on fields, see Add Application Signatures.

      Note:

      For logical systems, you cannot create a dynamic application inline.

    • Services—Select Any, Specific, or None.

      To select a specific service, select the service from the Available column and then click the right arrow to move it to the Selected column.

      To create a new service, click +. The Create Service page appears. For more information on fields, see Table 3.

    • URL category—Select any, Specific, or None to match criteria for a web filtering category.

      To select a specific URL category, select the URL category from the Available column and then click the right arrow to move it to the Selected column.

      Note:

      This option is not available for logical systems and tenants.

    • Destination identity feed—You can select user identity threat feed to define the matching criteria for a policy.

      Select the user identity threat feed from the Available column and then click the right arrow to move it to the Selected column.

      Maximum user identity threat feed count is 1024. That is, sum of source identity feed and destination identity feed per policy.

      Note:

      Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

Action

Select an action to take when traffic matches the criteria:

  • Permit—Allows packet to pass through the firewall.

  • Deny—Block and drop the packet, but do not send notification back to the source.

  • Reject—Block and drop the packet and send a notice to the source host.

Advanced Services

Click +. The Select Advanced Services page appears.

Note:
  • When the action is Reject:

    • You can configure only the SSL Proxy and Redirect Profile options.

    • You can configure only the SSL Proxy option if the dynamic application is None.

    • Advanced Security option is not supported for logical systems and tenants.

  • When the action is Permit:

    • For logical systems, only IPS, IPS policy, Content Security, threat prevention policy, ICAP redirect profile, and AppQOS options are supported.

    • For tenant systems, only threat prevention policy and AppQOS are supported.

SSL proxy

Select the SSL proxy policy to associate with this rule from the list.

Content Security

Select the Content Security policy you want to associate with this rule from the list. The list displays all the Content Security policies available.

If you want to create a new Content Security policy, click Add New. The Create a Content Security Policy page appears. For more information on creating a new Content Security policy, see Create a Content Security Policy.

IPS policy

Select the IPS policy from the list.

Threat prevention policy

Select the configured threat prevention policy from the list.

ICAP redirect profile

Select the configured ICAP redirect profile name from the list.

AAMW

Select an anti-malware profile from the list that you want to associate with the security policy.

Note:

Starting in Junos OS 22.2R1 Release, you can associate an anti-malware profile with the security polices.

SecIntel profile group

Select a SecIntel profile group from the list that you want to associate with the security policy.

Note:

Starting in Junos OS 22.2R1 Release, you can associate a SecIntel profile group with the security polices.

IPsec VPN

Select the IPsec VPN tunnel from the list.

Note:

If you select Dynamic applications in the destination, IPsec VPN option is not supported.

Pair policy name

Enter the name of the policy with the same IPsec VPN in the opposite direction to create a pair policy.

Note:

If you select Dynamic applications in the destination, Pair Policy Name option is not supported.

Application QoS profile

Select the configured AppQoS profile from the list.

If you want to create a new AppQoS profile, click Add New. The Add AppQoS Profile page appears. For more information on creating a new AppQoS profile, see Add an Application QoS Profile.

Threat profiling

Starting in Juons OS Release 21.4R1, you can enable this option to generate threat profiling feeds.

Note:

Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

You can add source and destination addresses, and source and destination identities to the threat feeds. After the feeds are generated, you can configure other security policies to use the feeds to match designated traffic and perform policy actions.

  • Add source IP to feed—Select the threat feed from the list to add it to the source IP address.

  • Add source identity to feed—Select the threat feed from the list to add it to the source user identity.

  • Add destination IP to feed—Select the threat feed from the list to add it to the destination IP address.

  • Add destination identity to feed—Select the threat feed from the list to add it to the destination user identity.

Packet capture

Enable to capture unknown application traffic specific to a security policy rule.

By default, this option is disabled. Once enabled, you can view the packet capture (PCAP) file details or download the PCAP file on the Monitor > Log > Sessions page.

Rule Options

Click on Rule Options. The SELECT RULE OPTIONS page appears.

Logging

Session initiate

Enable this option to log an event when a session is created.

Session close

Enable this option to log an event when the session closes.

Count

Enable this option to collect statistics of the number of packets, bytes, and sessions that pass through the firewall with this policy.

Specifies statistical counts. An alarm is triggered whenever traffic exceeds specified packet and byte thresholds.

Note:

Alarm threshold fields are disabled if Enable Count is not enabled.

Authentication
Note:
  • If you select Dynamic applications in the destination, Authentication option is not supported.

  • This option is not supported for logical systems and tenant systems.

Push auth entry to JIMS

Enable this option to push authentication entries from firewall authentication, that are in auth-success state, to Juniper Identity Management Server (JIMS). This will enable the SRX device to query JIMS to get IP/user mapping and device information.

This is not a mandatory option. You can select it when at least one domain is configured on local Active Directory or configure identity management.

Type

Select the firewall authentication type from the list. The options available are: None, Pass-through, User-firewall, and Web-authentication.

Access profile

Select an access profile from the list.

Note:

This option is not supported if you select the authentication type as Web-authentication.

Client name

Enter the client username or client user group name.

Note:

This option is not supported if you select the authentication type as User-firewall.

Domain

Select a domain name that must be in a client name from the list.

Note:

This option is supported only if you select the authentication type as User-firewall.

Web redirect (http)

Enable this option to redirect HTTP requests to the device’s internal webserver by sending a redirect HTTP response to the client system to reconnect to the webserver for user authentication.

Note:

This option is not supported if you select the authentication type as Web-authentication.

Captive portal

Enable this option to redirect a client HTTP or HTTPS request to the internal HTTPS webserver of the device. The HTTPS client requests are redirected when SSL termination profile is configured.

Note:

This option is not supported if you select the authentication type as Web-authentication.

Interface

Select an interface for the webserver where the client HTTP or HTTPS request is redirected.

Note:

You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces.

IPv4 address

Enter IPv4 address of the webserver where the client HTTP or HTTPS request is redirected.

Note:

You cannot edit this once the policy is created. To edit the interface, go to Network > Connectivity > Interfaces.

SSL termination profile

Select an SSL termination profile from the list which contains the SSL terminated connection settings. SSL termination is a process where the SRX Series device acts as an SSL proxy server, terminates the SSL session from the client.

To add a new SSL termination profile:

  1. Click Add.

    The Create SSL Termination Profile page appears.

  2. Enter the following details:

    • Name—Enter SSL termination profile name; 63-character maximum.

    • Server certificate—Select a server certificate from the list that is used to authenticate the server identity.

      To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

      To import a certificate, click Import. For more information on importing a device certificate, see, Import a Device Certificate.

Auth only browser

Enable this option to drop non-browser HTTP traffic to allow for captive portal to be presented to unauthenticated users who request access using a browser.

Note:

This option is not supported if you select the authentication type as Web-authentication.

User agents

Enter a user-agent value which is used to verify that the user’s browser traffic is HTTP/HTTPS traffic.

Note:

This option is not supported if you select the authentication type as Web-authentication.

Advanced Settings

Destination address translation

Select the action to be taken on a destination address translation from the list. The options available are: None, Drop Translated, and Drop Untranslated.

Redirect options

Select a redirect action from the list. The options available are: None, Redirect Wx, and Reverse Redirect Wx.

Note:

This option is not supported for SRX5000 line of devices.

TCP Session Options

Sequence number check

Enable or disable checking of sequence numbers in TCP segments during stateful inspections at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off Sequence number check under Global Options > Flow > TCP Session.

SYN flag check

Enable or disable the checking of the TCP SYN bit before creating a session at policy rule level. By default, the check happens at the global level. To avoid commit failure, turn off SYN flag check under Global Options > Flow > TCP Session.

Schedule

Schedule

Click Schedule and select one of the configured schedules from the list.

To add a new schedule, click Add New Schedule. The Add New Schedule page appears. For more information on creating a new schedule, see Table 4.

Table 2: Fields on the Create Address Page

Field

Action

Name

Enter a name for the address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

IP type

Select IPv4 or IPv6.

IPv4

IPv4 address

Enter a valid IPv4 address.

Subnet

Enter a subnet mask for the IPv4 address.

IPv6

IPv6 address

Enter a valid IPv6 address.

Subnet prefix

Enter a subnet prefix for the IPv6 address.

Table 3: Fields on the Create Service Page

Field

Action

Global Settings

Name

Enter a unique name for the application.

Description

Enter description of the application.

Application protocol

Select an option from the list for application protocol.

Match IP protocol

Select an option from the list to match IP protocol.

Source port

Select an option from the list for source port.

Destination port

Select an option from the list for destination port.

ICMP type

Select an option from the list for ICMP message type.

ICMP code

Select an option from the list for ICMP message code.

RPC program numbers

Enter a value for RPC program numbers.

The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535.

Inactivity timeout

Select an option from the list for application specific inactivity timeout.

UUID

Enter a value for DCE RPC objects.

Note:

The format of the value must be 12345678-1234-1234-1234-123456789012.

Custom application group

Select an application set name from the list.

Terms

Click +. The Create Term page appears.

Name

Enter a name for the term.

ALG

Select an option from the list for ALG.

Match IP protocol

Select an option from the list to match IP protocol.

Source port

Select an option from the list for source port.

Destination port

Select an option from the list for destination port.

ICMP type

Select an option from the list for ICMP message type.

ICMP code

Select an option from the list for ICMP message code.

RPC program numbers

Enter a value for RPC program numbers.

Note:

The format of the value must be W or X-Y. Where, W, X, and Y are integers between 0 and 65535.

Inactivity timeout

Select an option from the list for application specific inactivity timeout.

UUID

Enter a value for DCE RPC objects.

Note:

The format of the value must be 12345678-1234-1234-1234-123456789012.

Table 4: Fields on the Add New Schedule Page

Field

Action

Name

Enter the name for the schedule.

Description

Enter a description for the schedule.

Repeats

Select an option from the list to repeat the schedule:

  • Never

  • Daily

  • Weekly

All Day

Enable this option to schedule an event for an entire day.

This option is available only for Never and Daily repeat type schedule.

Start date

Select the schedule start date in the YYYY-MM-DD format.

This option is available only for Never repeat type schedule.

Stop date

Select the schedule stop date in the YYYY-MM-DD format.

This option is available only for Never repeat type schedule.

Start time

Enter the start time for the schedule in HH:MM:SS 24 hours format.

This option is available only for Daily repeat type schedule.

Stop time

Enter the end time for the schedule in HH:MM:SS 24 hours format.

This option is available only for Daily repeat type schedule.

Repeat on

Select the days and time on which you want to repeat the schedule.

To set time for the selected day(s):

  1. Click Set Time or Set Time to Selected Days.

    The Set Time to Selected Days page appears.

  2. Enter the following details:

    • Name—Displays the day(s) you have selected.

    • All day—Enable this option for the event to run for the entire day.

    • Start time—Enter the start time in HH:MM:SS 24 hours format.

    • Stop time—Enter the stop time in HH:MM:SS 24 hours format.

  3. Click OK to save changes.

This option is available only for Weekly repeat type schedule.

Schedule criteria

Select any of the following options:

  • Schedule Never Stops—Schedule can be active forever (recurrent), but only as specified by the daily or weekly schedule.

  • Schedule Specify Window—Schedule can be active during a single time slot, as specified by a start date and a stop date.

    Enter the following details:

    • Schedule starts—Enter the schedule start date in the YYYY-MM-DD format.

    • Schedule ends—Enter the schedule start date in the YYYY-MM-DD format.

This option is available only for Daily and Weekly repeat type schedule.