Create Rule Options
When you create a rule option, Juniper Security Director Cloud creates an object in the database that represents it. You can then reference this object when you create security policies.
Use the Rule Options page to create an object that specifies the basic settings of a security policy.
To create a rule option:
- Select Shared Services > Firewall Profiles > Rule Options. The Rule Options page appears.
- Click the plus icon (+). The Create Rule Options page appears.
- Complete the configuration settings according to the guidelines in Table 1 and in Rule Options Overview.
Note: Fields marked with an asterisk (*) are mandatory.
- Click OK. The new rule option is created and a confirmation message is displayed.
Table 1: Fields on the Create Rule Options Page (field, then its description)
Name
Enter a unique string of alphanumeric characters that can include spaces and some special characters.
The maximum length is 255 characters.
Description
Enter a description for the rule option; the maximum length is 255 characters.
General
Hardware Acceleration
Enable this option to process fast-path packets in the network processor instead of in the Services Processing Unit (SPU). During the policy check, the SPU determines whether the traffic qualifies for services offload.
Redirect Options
Select an option:
- None
- Redirect WX: Enable WX redirection for packets that arrive from the LAN.
- Reverse Redirect WX: Enable WX redirection for the reverse flow, that is, packets that arrive from the WAN.
Authentication
Note: Firewall authentication is supported only when the policy action is permit.
Push Auth Entry to JIMS
Enable this option to push the authentication entry created for an authenticated user to Juniper Identity Management Service (JIMS), so that the user-to-IP mapping is available to other devices and policies that query JIMS.
Authentication Type
Select an option to restrict or permit users individually or in groups. Select None if you do not want to authenticate clients before permitting their traffic.
- Pass Through: Pass-through user authentication is a form of active authentication. When pass-through authentication is invoked, the user is prompted in-band for a username and password (in the first FTP, Telnet, or HTTP session) before the original session is allowed through.
- Web: Web authentication is an alternative to pass-through user authentication. Instead of pointing the client browser at the resource you want to reach, you point it at an IP address on the device that is enabled for Web authentication. This starts an HTTP session to the IP address hosting the Web authentication feature on the device. The device then prompts for a username and password and caches the result. Later, when traffic encounters a policy that requires Web authentication, access is allowed or denied based on the cached authentication result.
- User Firewall: The device authenticates the user and records the result as a user identity entry, so that identity-aware policies can restrict and permit that user's access to protected resources behind the firewall.
- Infranet: Select this option to configure the SRX Series Firewall to act as a Junos OS Enforcer in a Unified Access Control (UAC) deployment.
TCP Options
SYN Check
Enable this option to require that the first packet of a new TCP session is a SYN segment. The device drops non-SYN segments that do not belong to an existing session, so that a stray segment such as the ACK sent by an ACK scan cannot create a session.
Sequence Check
Enable this option to track the TCP sequence numbers of each session and drop segments whose sequence number (together with the acknowledgment number it carries) falls outside the window the device expects.
Window Scale
Enable this option to allow the TCP window scale option (RFC 7323) in sessions that match the policy, so that endpoints can advertise receive windows larger than 64 KB and reach higher throughput on high-bandwidth or high-latency paths.
Initial TCP MSS
Enter the TCP maximum segment size (MSS) for packets arriving at the ingress interface (initial direction). If the MSS option in the packet is higher than the value you enter, the device overwrites it with the configured value. The range is 64 through 65535.
Reverse TCP MSS
Enter the TCP MSS for packets that match the policy and travel in the reverse direction of the session. If the MSS option in the packet is higher than the value you enter, the device overwrites it with the configured value. The range is 64 through 65535.
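The following is an added example, not Security Director Cloud or Junos code: a toy stateful flow model that applies the four TCP options above (SYN check, sequence check, initial and reverse TCP MSS) to constructed segments. The Segment, Policy and Flow classes, the address-only session key and the fixed 64 KB receive window are simplifying assumptions; a real flow engine also tracks handshake state, timeouts and the acknowledgment side of the window.

```python
"""Toy model of per-policy TCP options: SYN check, sequence check, MSS clamp.
Added example with constructed segments; not Junos or Security Director code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    seq: int = 0
    ack: int = 0
    payload_len: int = 0
    mss: Optional[int] = None  # TCP MSS option; only present on SYN segments


@dataclass
class Policy:
    syn_check: bool = True
    sequence_check: bool = True
    initial_tcp_mss: Optional[int] = None  # clamp applied to the client's SYN
    reverse_tcp_mss: Optional[int] = None  # clamp applied to the server's SYN/ACK

    def __post_init__(self) -> None:
        # Same range the Create Rule Options page accepts.
        for name in ("initial_tcp_mss", "reverse_tcp_mss"):
            value = getattr(self, name)
            if value is not None and not 64 <= value <= 65535:
                raise ValueError(f"{name} must be in 64..65535, got {value}")


@dataclass
class Session:
    initiator: str
    next_seq: Dict[str, int] = field(default_factory=dict)  # expected seq per sender
    window: int = 65535  # assumed receive window used by the sequence check


class Flow:
    """Minimal flow table applying one policy's TCP options (assumed model)."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.sessions: Dict[Tuple[str, str], Session] = {}

    @staticmethod
    def _key(s: Segment) -> Tuple[str, str]:
        return tuple(sorted((s.src, s.dst)))  # direction-independent session key

    def _clamp_mss(self, s: Segment, initial: bool) -> None:
        limit = self.policy.initial_tcp_mss if initial else self.policy.reverse_tcp_mss
        if limit is not None and s.mss is not None and s.mss > limit:
            s.mss = limit  # rewrite the option only when the packet's MSS is higher

    def process(self, s: Segment) -> str:
        """Return 'permit' or 'drop' for one segment and update session state."""
        key = self._key(s)
        sess = self.sessions.get(key)
        if sess is None:
            # SYN check: a new session may only start with a bare SYN.
            if self.policy.syn_check and s.flags != SYN:
                return "drop"
            self.sessions[key] = Session(initiator=s.src, next_seq={s.src: s.seq + 1})
            self._clamp_mss(s, initial=True)
            return "permit"
        if s.flags & SYN and s.src != sess.initiator:
            # SYN/ACK from the responder opens the reverse direction.
            sess.next_seq[s.src] = s.seq + 1
            self._clamp_mss(s, initial=False)
            return "permit"
        if self.policy.sequence_check:
            expected = sess.next_seq.get(s.src)
            if expected is not None and not expected <= s.seq < expected + sess.window:
                return "drop"  # out-of-window segment (injected or replayed)
        sess.next_seq[s.src] = s.seq + s.payload_len
        return "permit"


def demo() -> Dict[str, object]:
    """Run constructed segments through two policies and collect the verdicts."""
    client, server = "10.0.0.5", "192.0.2.10"  # constructed addresses
    out: Dict[str, object] = {}
    strict = Flow(Policy(initial_tcp_mss=1380, reverse_tcp_mss=1380))
    # A stray ACK with no session (what an ACK scan sends) is dropped by SYN check...
    out["stray_ack"] = strict.process(Segment(client, server, ACK, seq=1000))
    # ...but is permitted, and creates a session, when SYN check is off.
    out["stray_ack_no_syn_check"] = Flow(Policy(syn_check=False)).process(
        Segment(client, server, ACK, seq=1000))
    syn = Segment(client, server, SYN, seq=1000, mss=1460)
    out["syn"] = strict.process(syn)
    out["syn_mss_after"] = syn.mss  # 1460 clamped to the initial TCP MSS
    synack = Segment(server, client, SYN | ACK, seq=5000, ack=1001, mss=1460)
    out["synack"] = strict.process(synack)
    out["synack_mss_after"] = synack.mss  # clamped to the reverse TCP MSS
    out["in_window"] = strict.process(
        Segment(client, server, ACK, seq=1001, ack=5001, payload_len=100))
    out["out_of_window"] = strict.process(
        Segment(client, server, ACK, seq=1001 + 100 + 70000, ack=5001))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>24}: {verdict}")
```

The two stray-ACK cases are the point of SYN check: with it enabled the segment never creates state, and with it disabled the firewall builds a session from a packet that was never part of a handshake. The MSS values show the device rewriting only when the packet's MSS exceeds the configured limit, in each direction independently.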
Advanced Settings
Destination NAT Control
Select an option:
- None
- Drop Untranslated: Drop packets whose destination IP address has not been translated. Traffic permitted by the security policy is limited to packets whose destination IP address has been translated by a destination NAT rule.
- Drop Translated: Drop packets whose destination IP address has been translated. Traffic permitted by the security policy is limited to packets whose destination IP address has not been translated.
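The following is an added example, not Junos or Security Director Cloud code, showing what the Destination NAT Control options decide for a packet. On the SRX Series, destination NAT runs before the policy lookup, so the policy matches on the translated address; the rule option then limits permitted traffic to packets that did, or did not, pass through a destination NAT rule. The VIP, server address and DNAT rule are constructed for the example.

```python
"""Destination NAT Control walk-through: DNAT first, then policy, then the option.
Added example with a constructed DNAT rule; not Junos or Security Director code."""
from typing import Dict, Optional, Tuple

# Constructed destination NAT rule: public VIP 203.0.113.10 -> web server 10.0.0.80
DNAT_RULES: Dict[str, str] = {"203.0.113.10": "10.0.0.80"}
SERVER = "10.0.0.80"


def apply_dnat(dst: str) -> Tuple[str, bool]:
    """Return the post-NAT destination and whether a DNAT rule translated it."""
    if dst in DNAT_RULES:
        return DNAT_RULES[dst], True
    return dst, False


def policy_action(dst_after_nat: str, translated: bool, nat_control: Optional[str]) -> str:
    """A policy that permits traffic to SERVER, with the rule option applied.

    nat_control is None, 'drop-untranslated' or 'drop-translated'.
    """
    if dst_after_nat != SERVER:
        return "deny"  # no matching policy: default deny
    if nat_control == "drop-untranslated" and not translated:
        return "drop"  # only traffic that arrived via the VIP may reach SERVER
    if nat_control == "drop-translated" and translated:
        return "drop"  # only traffic addressed directly to SERVER may reach it
    return "permit"


def evaluate(dst: str, nat_control: Optional[str]) -> str:
    """Full path for one packet: destination NAT, then the policy check."""
    post_nat, translated = apply_dnat(dst)
    return policy_action(post_nat, translated, nat_control)


def matrix() -> Dict[Tuple[str, Optional[str]], str]:
    """Verdicts for VIP-addressed and directly-addressed packets under each option."""
    return {
        (dst, control): evaluate(dst, control)
        for dst in ("203.0.113.10", "10.0.0.80")
        for control in (None, "drop-untranslated", "drop-translated")
    }


if __name__ == "__main__":
    for (dst, control), verdict in matrix().items():
        print(f"dst={dst:<14} control={control!s:<18} -> {verdict}")
```

The row to look at is a packet addressed directly to 10.0.0.80 with the option set to None: because the policy is written for the server's post-NAT address, it also permits packets that never went through the DNAT rule (for example when the internal range is routable from the untrust zone). Drop Untranslated closes that path, and Drop Translated is the mirror image for policies that must only see traffic addressed to the real host.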