Add a Secure Edge Policy Rule

Use this page to add a Secure Edge policy rule that controls transit traffic within a context. The traffic is classified by matching its source sites, its source and destination addresses, and the application carried in its protocol headers against the policy database.

You can also enable advanced security protection by specifying one or more of the following:

  • Intrusion prevention system (IPS) profile
  • Decrypt profile
  • Web filtering
  • Content filtering
  • SecIntel group
  • Anti-malware
  • Cloud Access Security Broker (CASB)

Juniper Secure Edge provides the following methods to authenticate your on-premises users and devices:

  • Juniper Identity Management System (JIMS)—You may deploy Juniper Identity Management System (JIMS) Collectors at your locations. JIMS retrieves the domain-joined authenticated users from your Active Directory and passes the information to the Juniper Secure Edge service. This allows your domain-joined users to access their applications seamlessly through Juniper Secure Edge without having to re-authenticate, ensuring the best user experience.

    Note:

    You can also retrieve user group information without deploying on-premises JIMS Collectors. Configure Identity Provider (IdP) settings in Juniper Secure Edge to retrieve user group information from Microsoft Entra ID (Azure AD) or Okta. Administrators can then use these user groups to manage security policies.

  • Captive portal—You may also enable the captive portal option to require Juniper Secure Edge to authenticate your on-premises users. Consider this option if you want to authenticate your non-domain joined users by Juniper Secure Edge and if you want to have a backup authentication mechanism in case JIMS Collectors are not able to communicate with your Active Directory servers. By default, this feature is disabled for on-premises users. Before enabling the captive portal feature, consider the following:

    • You must make policy exceptions for on-premises users (such as guest users) and devices that your Active Directory cannot authenticate.

      • If you want to permit such users or devices to access through Juniper Secure Edge, you must place such exception policies above the captive portal policy.
      • Furthermore, you must place such users and devices in their own IP subnets so that you can manage the policy configurations.
    • The captive portal policy will work only for browser-based traffic.

    • The recommended DHCP lease time is five hours. Renew the lease before it expires; if the lease is not renewed, or if DHCP assigns a new IP address, you must re-authenticate.
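The ordering rule above (exception policies above the captive portal policy, exceptions in their own subnets, captive portal only for browser-based traffic) as a small first-match policy model. This is an added example, not Juniper code: the rule set, the JIMS identity table and the outcome strings are constructed, and the treatment of non-browser traffic under the captive portal rule is a modelling assumption.

```python
import ipaddress

# Constructed rule set, evaluated top-down (first match wins). As the page requires,
# the exception for guest devices that Active Directory cannot authenticate sits in
# its own subnet and ABOVE the captive portal rule.
RULES = [
    {"name": "guest-exception", "sources": ["10.9.0.0/24"], "action": "permit"},
    {"name": "captive-portal", "sources": ["10.0.0.0/8"], "action": "captive-portal"},
]

# Constructed stand-in for the identities JIMS learns from Active Directory, keyed by IP.
JIMS_IDENTITIES = {"10.1.0.25": "alice@corp.example"}

# Assumption taken from the page's caveat: only browser traffic can reach the portal.
BROWSER_PROTOCOLS = {"http", "https"}


def evaluate(rules, src_ip, protocol, identities=JIMS_IDENTITIES):
    """Return (matched rule name, outcome) for a flow from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not any(ip in ipaddress.ip_network(net) for net in rule["sources"]):
            continue
        if rule["action"] != "captive-portal":
            return rule["name"], rule["action"]
        # JIMS already authenticated this user: no re-authentication needed.
        if src_ip in identities:
            return rule["name"], "permit:" + identities[src_ip]
        # Unknown user: only browser-based traffic can be redirected to the portal.
        if protocol in BROWSER_PROTOCOLS:
            return rule["name"], "redirect-to-portal"
        return rule["name"], "unauthenticated"  # modelled outcome, not product behaviour
    return "implicit-default", "deny"


if __name__ == "__main__":
    # Correct order: guests are permitted; swapped order: guests are stuck at the portal.
    print(evaluate(RULES, "10.9.0.7", "https"))
    print(evaluate(list(reversed(RULES)), "10.9.0.7", "https"))
```

Swapping the two rules sends the guest subnet to the captive portal, where Active Directory cannot authenticate it, which is why the page insists on the exception being placed first.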

To configure a Secure Edge policy rule:

  1. Select Secure Edge > Security Policy.

    The Secure Edge Policy page appears.

  2. Click +.
    The option to create a Secure Edge policy rule appears inline on the Secure Edge Policy page.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click the check mark icon ✓ to save the changes.
    A new Secure Edge policy rule with the provided configuration is saved, and a confirmation message is displayed.
    Table 1: Fields on the Secure Edge Policy Add Page

    Rule Name: Enter a unique string beginning with a number or letter and consisting of letters, numbers, dashes, and underscores. No spaces are allowed, and the maximum length is 63 characters. If you do not enter a name, the rule is saved with a default name assigned by Juniper Secure Edge.
    Description: Enter a description for the policy rule; the maximum length is 900 characters. The description must be a string that excludes the '&', '<', '>' and '\n' characters.
    Sources: Click the add icon (+) to select, from the displayed list of sites, addresses, and user groups, the source end points to which the Secure Edge policy rule applies.
    Destinations: Click the add icon (+) to select, from the displayed list of addresses and URL categories, the destination end points to which the Secure Edge policy rule applies.
    Application/Services: Click the add icon (+) to select the applications and services.
    Note:

    Select the dependent applications for the CASB-supported cloud applications. For information on the dependent applications, see Create a CASB Profile.

    Action: From the drop-down menu, select the action for the traffic between the source and destination.
    • Permit—Device permits the traffic.
    • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable.
    • Reject—Device drops the packet and sends the following message based on traffic type:
      • TCP traffic: Device sends the TCP reset message to the source host.
      • UDP traffic: Device sends the ICMP message “destination unreachable, port unreachable”.
      • For all other traffic: Device drops the packet without notifying the source host.
    • Redirect—When a policy blocks HTTP or HTTPS traffic with a reject action, you can define a response in the unified policy to notify the connected client. Redirect options:
      • Message—Select the message from the drop-down list or click Create redirect message and enter the message (in the Block Message field).

      • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

    Security Subscriptions
    Note:

    You can configure all the security subscription options only if you select Permit for the action.

    • IPS—When you set the action to Permit, you can enable an IPS profile.

      Enable an IPS profile to monitor and prevent intrusions.

    • Decrypt profile—When you set the action to Permit or Reject, you can specify a decrypt profile by selecting a profile from the list.

      You can use the Decrypt profile to specify the traffic that may be decrypted or bypassed for decryption by Secure Edge.

      Click Create New, if you want to add a new Decrypt profile.

      You must select a decrypt profile if you have selected a CASB profile.

      Note:

      If you use the CASB-supported Microsoft Teams application, you must edit the decrypt profile so that Teams activities can be identified.

      By default, the decrypt profile (exempt list) includes the following Microsoft URLs:

      • *.delivery.mp.microsoft.com
      • *.teams.microsoft.com
      • *.update.microsoft.com
      • *.vortex-win.data.microsoft.com
      • activation.sls.microsoft.com
      • update.microsoft.com
      • windowsupdate.microsoft.com
      • *.windowsupdate.microsoft.com

      You must remove *.teams.microsoft.com from the exempt list to identify Microsoft Teams activities.

    • Web filtering—When you set the action to Permit, you can specify a Web filtering profile by selecting a profile from the list.

      You can use the Web filtering profile to manage internet usage by preventing access to inappropriate Web content over HTTP.

      Click Create New, if you want to add a new Web filtering profile.

    • Content filtering—When you set the action to Permit, you can specify a Content filtering profile by selecting a profile from the list.

      You can use the Content filtering profile to filter the content based on the file type, application, and direction. The content filtering policy evaluates traffic before all other content security policies. Therefore, if traffic meets criteria configured in the content filter, the content filter acts first upon this traffic.

      Click Create New, if you want to add a new Content filtering profile.

    • SecIntel group—When you set the action to Permit, you can specify a SecIntel profile group by selecting a profile from the list.

      You use the SecIntel profile group to assign a group of different SecIntel profiles.

      Click Create New, if you want to add a new SecIntel group.

    • Anti-malware—When you set the action to Permit, you can specify an antimalware profile by selecting a profile from the list.

      You can use the antimalware profile to define the content to scan for any malware and the action to be taken when a malware is detected.

      Click Create New if you want to add a new antimalware profile.

    • CASB—When you set the action to Permit, you can specify a CASB profile by selecting a profile from the list. You must select a decrypt profile to assign a CASB profile.

      A pop-up window opens when you assign a CASB profile to a Secure Edge policy. By default, the cloud application groups are selected for the respective CASB-supported cloud applications. You cannot edit these groups; the option is grayed out. For more information on the cloud application groups, see Create a CASB Profile.

      You can use the CASB profile to automatically detect anomalous usage and suspicious behavior.

      Click Create New if you want to add a new CASB profile. For more information, see Create a CASB Profile.

    Options: Select a pre-saved schedule from the list.

    Policy schedules enable you to define when a policy is active, and thus are an implicit match criterion. Click Create Schedule to define a new schedule. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours.

    Enable the Logging option to log events when sessions are created.

    Enable the Captive Portal for site traffic option to allow authenticated on-premises site users to log in to Juniper Secure Edge. By default, the captive portal option is enabled for roaming users and disabled for on-premises site users.
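The decrypt profile exempt list described under Security Subscriptions, modelled as a bypass/decrypt decision on the TLS server name, including the edit the page calls for (removing *.teams.microsoft.com so CASB can see Teams activity). This is an added example, not Juniper code: the exempt entries are the page's defaults, but the wildcard semantics (a leading "*." matches any host with at least one label under that domain; other entries match exactly) and the helper names are assumptions.

```python
# Default decrypt-profile exempt list as quoted on the page.
DEFAULT_EXEMPT_LIST = [
    "*.delivery.mp.microsoft.com",
    "*.teams.microsoft.com",
    "*.update.microsoft.com",
    "*.vortex-win.data.microsoft.com",
    "activation.sls.microsoft.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
]


def host_matches(pattern, host):
    """Assumed semantics: '*.example.com' matches any host with at least one label
    under example.com; an entry without a wildcard must match the host exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": keeps the dot so label boundaries hold
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def decrypt_decision(sni, exempt_list):
    """Return 'bypass' when the TLS server name is exempt, otherwise 'decrypt'."""
    for entry in exempt_list:
        if host_matches(entry, sni):
            return "bypass"
    return "decrypt"


def teams_profile(exempt_list):
    """Apply the page's edit for CASB Teams visibility: drop the Teams wildcard entry."""
    return [entry for entry in exempt_list if entry != "*.teams.microsoft.com"]


if __name__ == "__main__":
    for name in ("api.teams.microsoft.com", "update.microsoft.com", "www.example.com"):
        print(name, decrypt_decision(name, DEFAULT_EXEMPT_LIST),
              decrypt_decision(name, teams_profile(DEFAULT_EXEMPT_LIST)))
```

The boundary checks in the test matter for a decrypt exemption: a name that merely ends in the same characters (no dot before the domain) or that carries the exempt domain as a prefix must still be decrypted.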