Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add and Manage Security Policy Rules

Security policies apply security policy rules to the network traffic within a context, such as the from-zone to the to-zone.

The network traffic is classified by matching the security policy rules match criteria—the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.

You can also enable advanced security protection by specifying these security profiles:

  • Content Security profile

  • Decrypt profile

  • Flow-based antivirus profile

  • Intrusion prevention system (IPS) profile

  • Anti-malware profile

  • Secintel profile group

  • Secure Web proxy profile

Add Security Policy Rules

Creating a security policy rule involves setting conditions for traffic between network zones. Ensure the policy rules align with your network's security strategy.

Consider the following key differences to decide whether to create zone-based rules or global rules:

Feature

Zone-Based Rules

Global Rules

Scope

Specific zone-to-zone traffic

  • Traffic flows must be controlled between specific network segments.

  • Policies depend on directional context.

All traffic

  • Controls must apply universally.

  • Fallback or default enforcement mechanism is needed.

Zone requirement

Mandatory

Not required

Granularity

High, context-aware

Broad, policy-wide

Use cases

Segmentation, directional control

Baseline enforcement, global restrictions

Before creating security policy rules:

  • Clearly define what traffic the rule should allow or deny.

  • Define clear, consistent zone definitions that reflect logical traffic boundaries, such as trust levels or deployment areas.

  • Verify the source zone from which traffic originates.

  • Verify the destination zone to which traffic is directed.

  • Determine whether traffic should be matched using applications, addresses, or a combination of both.

  • Identify any specific traffic that must be evaluated before broader conditions.

  • Determine the rule placement sequence. Place more specific and restrictive rules before broader allow or deny rules to ensure predictable policy evaluation.

  1. Click Security > Security Policies.
    The Security Policies page is displayed.
  2. Click the security policy to add the rule.
    The security policy page is displayed.
  3. Click Create and select Zone rule or Global rule.
    The option to create security policy rule is displayed inline on the the security policy page. You will need to configure these parameters for zone-based and global rules.
    Table 1: Parameters for Zone-based and Global rules
    Sources Destinations Applications/Services Action Advanced Security Options Supported Options

    Zone

    Addresses

    Identity

    Zone

    Addresses

    URL Categories

    Applications

    Services

    Permit

    Deny

    Reject

    Redirect

    Tunnel

    IPS Profile

    Content Security Profile

    SSL Proxy Profile

    Schedules

    Logging

    Rule Options

  4. Complete the configuration according to the guidelines provided below:
    Table 2: Fields on the Security Policy Page
    Field Action
    General Information

    Name

    Enter a name containing maximum 63 alphanumeric characters without spaces. The name can contain dashes (-) and underscores (_).

    If you do not enter a name, the rule is saved with a default name assigned by Juniper Security Director Cloud.

    Description

    Enter a description for the policy rule containing maximum 900 characters.

    The description cannot contain special characters such as ampersand (&), angular brackets (<, >) or a new line.

    Sources

    Select a source endpoint.

    Click the plus icon (+) to select an endpoint from the list of zone, addresses, and users to apply the security policy rule.

    • Zone—Select a source zone, either a standard or variable zone, for SRX Series Firewalls to define the context for the policy. Zone policies are applied on traffic entering from a source zone to a destination zone.

      Ensure that the variable zone is not same for both source and destination zones. If you select the same variable zone for both zones, an error message is displayed when you deploy the security policy.

    • Addresses—Enter the IPv4 or IPv6 addresses or address groups to include in the security policy rule. Select Any to add any address, Specific to select the addresses.

      You can copy and paste addresses to a rule using Copy-Paste Objects. Here is an example:

      For more details, see Copy Paste an Object to a Security Policy Rule in Add and Manage Security Policy Rules.

    • Exclude addresses—Select the IPv4 addresses to exclude from the security policy rule. This setting is available only when you select Specific in Addresses.

    • Identity—Select the source identity to use as the match criteria for the policy. You can have different policy rules based on user roles and user groups.

    Destinations

    Select a destination endpoint.

    Click the plus icon (+) to select the endpoint from the list of zones, addresses, and URL categories to apply the security policy rule.

    • Zone—Select a destination zone, either a standard or variable zone, for SRX Series Firewalls to define the context for the policy. Zone policies are applied on traffic entering from a source zone to a destination zone.

      Ensure that the variable zone is not same for both source and destination zones. If you select the same variable zone for both zones, an error message is displayed when you deploy the security policy.

    • Addresses—Enter the IPv4 or IPv6 addresses or address groups to include in the security policy rule. Select Any to add any address, Specific to select the addresses.

    • Exclude addresses—Select the IPv4 addresses to exclude from the security policy rule. This setting is available only when you select Specific in Addresses.

    • URL categories—Select Any to add any URL in the security policy rule, Specific to select the URLs, or None.

      You can copy and paste addresses to source and destination and URL categories to a destination column of rules using Copy-Paste Objects. For more details, see Copy Paste an Object to a Security Policy Rule in Add and Manage Security Policy Rules.

    Applications/Services

    Select the applications and services.

    Click the plus icon (+) to select the application and service options.

    • Applications—Select Any to add any application, Specific to select the applications, or None. Use the search field to find a specific application.

    • Services—Select Any to add any services, Specific to select the services, or Default to add Junos-default services. Select the check box for the services, click the arrow (>) to transfer them to the Selected column. Use the search fields at the top of each column to find specific services.

      You can copy and paste applications and services to a rule using Copy-Paste Objects. For more details, see Copy Paste an Object to a Security Policy Rule in Add and Manage Security Policy Rules.

    The secure Web proxy feature does not support unified policies. If you want to associate a secure Web proxy profile with the rule, you must disable Applications. You can select the required applications when you configure the secure Web proxy profile.

    Action

    Select the action for the traffic between the source and destination from the drop-down list.

    • Permit—Devices permit the traffic.
    • Deny—Devices silently drop all packets for the session and do not send any active control messages such as TCP reset or ICMP unreachable.
    • Reject—Devices drop the packets and send the following message based on the traffic type:
      • TCP traffic: Devices send the TCP reset message to the source host.
      • UDP traffic: Devices send the destination unreachable, port unreachable ICMP message.
      • For all other traffic: Devices drop the packets without notifying the source host.
    • Redirect—Define a response in the unified policy to notify the connected client when a policy blocks HTTP or HTTPS traffic with a reject action.

      • Message—Select the message from the drop-down list, or click Create redirect message and enter the message.

      • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

    • Tunnel—Devices permit traffic using the type of VPN tunneling options applied to the policy.

    Security Subscriptions

    Select the security subscriptions to apply to the security policy rule.

    • IPS—When you select the Permit action, you can specify an IPS profile by selecting a profile from the list to monitor and prevent intrusions.

    • Content Security—When you select the Permit action, you can specify a content security profile for protection against multiple threat types including spam and malware, and control access to unapproved websites and content. To select a Content Security profile:

      1. Enable Content Security and click Customize.

        The Security Subscription window opens.

      2. Select the Content Security profile from the list or click Create New to create a new content security profile inline.

      If you select Content Security profile with Juniper NextGen web filtering profile, you must have Junos OS version 23.4R1 or later installed.

    • Decrypt—When you select the Permit, Reject, or Redirect action, you can configure a decrypt profile to perform SSL encryption and decryption between the client and the server and obtain granular application information which enables you to apply advanced security subscriptions protection and detect threats.

    • Flow-based AV—When you set the action to Permit, you can assign a flow-based antivirus profile to the security policy to scan packets in the payload content for threats in real-time and block the content if a threat is detected.

    • Anti-malware—When you set the action to Permit, you can assign the anti-malware profile to the security policy to define the files to send to the ATP cloud for inspection and the action to be taken when malware is detected.

    • SecIntel—When you set the action to Permit, you can assign the SecIntel profile group to the security policy to add SecIntel profiles, such as C&C, DNS, and infected hosts.

    • Secure Web Proxy—When you set the action to Permit, you can enable the toggle switch to assign the secure Web proxy profile to enable applications to bypass a proxy server and connect to a web server directly. See Secure Web Proxy Overview for more information about secure Web proxy profile.
    • ICAP Redirect—When you select the Permit or Reject action, you can assign the ICAP redirect profile to decrypt HTTP or HTTPS traffic and redirect HTTP messages to a third-party, on-premise DLP server.

    Click Customize to configure the security subscription profiles. If there is no default profile configured, you can configure it using the customize option or set the default profile using Global Options. See Configure Global Options for Security Policies.

    This setting is available only if you select the Permit or the Reject action.

    Options

    Schedule

    Select a pre-saved schedule. The schedule options are populated with the selected schedule data.

    Policy schedules enable you to define when a policy is active and are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For example, you can define a security policy that opens or closes access based on business hours.

    Session initiate logs

    Select this option to enable logging of events when sessions are created.

    Session close logs

    Select this option to enable logging of events when sessions are closed.

    When logging is enabled, the system logs at session close time by default.

    Rule options

    Create an object to specify the redirect options, the authentication, the TCP-options, and the action for destination-address translated or untranslated packets.

  5. Click the check mark () to save the changes.

The new security policy rule is saved and a confirmation message is displayed. Based on the source and destination endpoints, the rules are categorized as zone-based rules or global rules.

Copy and Paste an Object to a Security Policy Rule

Use Copy-Paste Objects to add shared objects like Addresses, Services, Applications, and URL Categories directly into security policy rules. The Copy-Paste Objects tab enables you to browse, select, copy, and paste objects into rule cells, and create new ones without leaving the page. You can also add, edit, delete, filter, and search objects conveniently.

To copy and paste an object to firewall policy rules:

  1. Select a rule and click the Copy-Paste Objects tab.
  2. Navigate between the four tabs, Addresses, Services, Applications, and URL Categories to find the required objects.
  3. Select one or more objects, and click Copy to copy the objects to the clipboard, and paste them into the corresponding cells of a rule by clicking on valid target cells.
    The selected objects are copied to the target rules.

Manage Security Policy Rules

  • Edit—Click the policy, select the rule, then click the pencil icon (Blue pencil icon indicating edit functionality.).

  • Clone—Click the policy, select the rule, then click More > Clone.

  • Delete—Click the policy, select the rule, then click the trash can icon (Blue trash can icon representing delete or remove function.).