Security Policies Overview
A security policy is an ordered set of rules that controls the traffic transiting a device, permitting or denying each session according to the first rule it matches. A single rule can combine network transport (Layer 4) and application (Layer 7) match criteria, so you do not need separate rule sets for the two layers. Rule match criteria typically include source and destination zones, IP addresses, user identities, URL categories, services, and applications.
You can create, edit, and remove security policies that are linked to devices. To access this page, select SRX > Security Policy > SRX Policy.
On CPE devices or next-generation firewalls running Junos OS Release 18.2R1 or later, a security policy functions as a unified security policy: dynamic applications can be used as match criteria alongside the other conditions, so a separate application security configuration is not needed to control application traffic.
Security Policy Benefits
- Permits, rejects, denies, redirects, or tunnels traffic based on the application.
- Identifies not only HTTP traffic but also the applications carried over it, which lets policy be enforced at the application level. For example, a rule can block Facebook traffic carried over HTTP while permitting HTTP web access to Microsoft Outlook.
- Provides advanced security protection by specifying the following:
  - Intrusion prevention system (IPS) profile
  - Content security profile
  - SSL proxy profile
- Categorizes rules as zone-based rules and global rules:
  - Zone-based rules use zones as the source and destination endpoints.
  - Global rules act on traffic without any zone restriction.
Table 1: Parameters for Zone-based and Global Rules

| Sources | Destinations | Applications/Services | Action | Advanced Security Options | Supported Options |
|---|---|---|---|---|---|
| Zone | Zone | Applications | Permit | IPS Profile | Schedules |
| Addresses | Addresses | Services | Deny | Content Security Profile | Logging |
| Identity | URL Categories | | Reject | SSL Proxy Profile | Rule Options |
| | | | Redirect | | |
| | | | Tunnel | | |
Security Policy and Rule Order

Security policies and rules are applied in the order in which they appear:

- Security policies, and the rules within each security policy, are evaluated sequentially from top to bottom; the first rule that matches the traffic is applied. For example, consider the following two security policies:
  - P1, containing Rule-a and Rule-b, with sequence number 1
  - P2, containing Rule-a and Rule-b, with sequence number 2

  After deployment, the policies and rules are applied in the following sequence:
  - P1 Rule-a
  - P1 Rule-b
  - P2 Rule-a
  - P2 Rule-b
- New security policies and rules are added at the end of the list.
- The default policy is the last policy in the list, and it denies all traffic that no earlier rule matched.
- One security policy rule can mask another: if an earlier rule matches every session a later rule would match, the later rule is never reached, whatever its action.
- You can change the order of security policies and rules by using the Reorder functions.
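The ordering, masking and default-deny behaviour described above, together with the application-level matching from the Benefits section, modelled in Python as an added example (this is not Juniper code and not from this page). The zone, address, rule and dynamic-application names (including `junos:FACEBOOK-ACCESS` and `junos:HTTP`) are constructed for illustration; the evaluator implements first-match lookup over the P1/P2 scenario and a coverage check that flags a rule masked by an earlier one.

```python
"""First-match evaluation of ordered security policies, with mask detection.

Added example for illustration; not Juniper code and not from the CSO page.
Zone, address, rule and application names below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str = ANY      # ANY on both zones models a global rule
    dst_zone: str = ANY
    src_addr: str = ANY      # ANY or a CIDR prefix such as "10.1.0.0/16"
    dst_addr: str = ANY
    application: str = ANY   # ANY or a dynamic-application name (assumed names)
    action: str = "permit"   # permit | deny | reject


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    application: str


# The implicit default policy: last in the list, denies everything.
DEFAULT_DENY = ("default", None, "deny")


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)


def _field_matches(spec: str, value: str) -> bool:
    return spec == ANY or spec == value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_field_matches(rule.src_zone, flow.src_zone)
            and _field_matches(rule.dst_zone, flow.dst_zone)
            and _addr_matches(rule.src_addr, flow.src_ip)
            and _addr_matches(rule.dst_addr, flow.dst_ip)
            and _field_matches(rule.application, flow.application))


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, Optional[str], str]:
    """Policies top to bottom, rules within each policy top to bottom; first match wins."""
    for policy in policies:
        for rule in policy.rules:
            if rule_matches(rule, flow):
                return policy.name, rule.name, rule.action
    return DEFAULT_DENY


def _covers(spec_a: str, spec_b: str, is_addr: bool) -> bool:
    """True if every value matched by spec_b is also matched by spec_a."""
    if spec_a == ANY:
        return True
    if spec_b == ANY:
        return False
    if is_addr:
        return ip_network(spec_b, strict=False).subnet_of(ip_network(spec_a, strict=False))
    return spec_a == spec_b


def rule_covers(earlier: Rule, later: Rule) -> bool:
    return (_covers(earlier.src_zone, later.src_zone, False)
            and _covers(earlier.dst_zone, later.dst_zone, False)
            and _covers(earlier.src_addr, later.src_addr, True)
            and _covers(earlier.dst_addr, later.dst_addr, True)
            and _covers(earlier.application, later.application, False))


def shadowed_rules(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (masked, masking) pairs: a later rule is unreachable when an earlier
    rule matches everything it would match, regardless of either rule's action."""
    ordered = [(p.name + "/" + r.name, r) for p in policies for r in p.rules]
    found = []
    for i, (later_id, later) in enumerate(ordered):
        for earlier_id, earlier in ordered[:i]:
            if rule_covers(earlier, later):
                found.append((later_id, earlier_id))
                break
    return found


# Constructed sample mirroring the page's P1/P2 scenario (all values illustrative).
POLICIES = [
    Policy("P1", (
        Rule("Rule-a", "trust", "untrust", application="junos:FACEBOOK-ACCESS", action="deny"),
        Rule("Rule-b", "trust", "untrust", action="permit"),
    )),
    Policy("P2", (
        Rule("Rule-a", "trust", "untrust", src_addr="10.1.0.0/16", action="permit"),  # masked by P1/Rule-b
        Rule("Rule-b", "dmz", "untrust", dst_addr="203.0.113.0/24", action="permit"),
    )),
]

if __name__ == "__main__":
    for flow in (Flow("trust", "untrust", "10.1.2.3", "203.0.113.5", "junos:FACEBOOK-ACCESS"),
                 Flow("trust", "untrust", "10.1.2.3", "203.0.113.5", "junos:HTTP"),
                 Flow("untrust", "trust", "198.51.100.7", "10.1.2.3", "junos:HTTP")):
        print(flow, "->", evaluate(POLICIES, flow))
    print("masked rules:", shadowed_rules(POLICIES))
```

Running `shadowed_rules` over a policy set before deployment is the check to pair with the Reorder function: the pair it reports tells you which rule to move up, and re-running `evaluate` on a representative flow confirms the intended rule now decides the session.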
Field Descriptions

| Field | Description |
|---|---|
| Seq. | The order number of the policy. |
| Name | The name of the security policy. |
| Rules | The number of rules associated with the policy. If no rule is associated with the policy, an Add Rule link is displayed. See Add a Security Policy Rule. |
| Devices | The number of devices associated with the policy. |
| Status | The deployment status of the security policy. |
| Modified By | The user who last modified the policy. |
| Last Modified | The date and time when the policy was last modified. |
| Description | The description of the security policy. |