Add a Secure Edge Policy Rule

Use this page to add a Secure Edge policy rule that controls transit traffic within a context. Traffic is classified by matching its source sites, its source and destination addresses, and the application carried in its protocol headers against the policy database.

You can also enable advanced security protection by specifying one or more of the following:

  • Intrusion prevention system (IPS) profile
  • Decrypt profile
  • Web filtering
  • Content filtering
  • SecIntel group
  • Anti-malware

To configure a Secure Edge policy rule:

  1. Select Secure Edge > Security Policy.
     The Secure Edge Policy page appears.
  2. Click +.
     The option to create a Secure Edge policy rule appears inline on the Secure Edge Policy page.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click the check mark icon ✓ to save the changes.
     A new Secure Edge policy rule with the provided configuration is saved, and a confirmation message is displayed.

Table 1: Fields on the Secure Edge Policy Add Page

Rule Name
  Enter a unique string beginning with a number or letter and consisting of letters, numbers, dashes, and underscores. No spaces are allowed, and the maximum length is 63 characters. If you do not enter a name, the rule is saved with a default name assigned by Juniper Secure Edge.

Description
  Enter a description for the policy rule; the maximum length is 900 characters. The description must be a string that excludes the '&', '<', '>' and '\n' characters.

Sources
  Click the add icon (+) to select the source end points to which the Secure Edge policy rule applies, from the displayed list of sites, addresses, and user groups.

Destinations
  Click the add icon (+) to select the destination end points to which the Secure Edge policy rule applies, from the displayed list of addresses and URL categories.

Application/Services
  Click the add icon (+) to select the applications and services.

Action
  From the drop-down menu, select the action for the traffic between the source and destination.
  • Permit—Device permits the traffic.
  • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP resets or ICMP unreachable.
  • Reject—Device drops the packet and sends the following message based on traffic type:
    • TCP traffic: Device sends a TCP reset message to the source host.
    • UDP traffic: Device sends the ICMP message "destination unreachable, port unreachable".
    • All other traffic: Device drops the packet without notifying the source host.
  • Redirect—When a policy blocks HTTP or HTTPS traffic with a reject action, you can define a response in the unified policy to notify the connected client. Redirect options:
    • Message—Select the message from the drop-down list, or click Create redirect message and enter the message (in the Block Message field).
    • URL—Select the redirect URL from the drop-down list, or click Add redirect URL and enter the redirect URL.

Advanced Security
  Note: You can configure all the advanced security options only if you select Permit for the action.
  • IPS—When you set the action to Permit, you can enable an IPS profile. Enable an IPS profile to monitor and prevent intrusions.
  • Decrypt profile—When you set the action to Permit or Reject, you can specify a decrypt profile by selecting a profile from the list. Use the Decrypt profile to specify the traffic that Secure Edge may decrypt or must bypass for decryption. Click Create New if you want to add a new Decrypt profile.
  • Web filtering—When you set the action to Permit, you can specify a Web filtering profile by selecting a profile from the list. Use the Web filtering profile to manage internet usage by preventing access to inappropriate Web content over HTTP. Click Create New if you want to add a new Web filtering profile.
  • Content filtering—When you set the action to Permit, you can specify a Content filtering profile by selecting a profile from the list. Use the Content filtering profile to filter content based on file type, application, and direction. The content filtering policy evaluates traffic before all other content security policies; therefore, if traffic meets the criteria configured in the content filter, the content filter acts on that traffic first. Click Create New if you want to add a new Content filtering profile.
  • SecIntel group—When you set the action to Permit, you can specify a SecIntel profile group by selecting a profile from the list. Use the SecIntel profile group to assign a group of different SecIntel profiles. Click Create New if you want to add a new SecIntel group.
  • Anti-malware—When you set the action to Permit, you can specify an antimalware profile by selecting a profile from the list. Use the antimalware profile to define the content to scan for malware and the action to take when malware is detected. Click Create New if you want to add a new antimalware profile.

Options
  Select a pre-saved schedule from the list.
  Policy schedules enable you to define when a policy is active, and are therefore an implicit match criterion. Click Create Schedule to define a new schedule. You can define the day of the week and the time of day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours.
  Enable the Logging option to log events when sessions are created.
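The following is an added example, not code from the Secure Edge product or its documentation. It models two things the table above specifies: the validation constraints on Rule Name and Description, and the way a policy schedule acts as an implicit match criterion alongside the explicit source, destination, and application matches. The `Rule`, `Schedule`, and `evaluate` names, the string-based representation of sources, destinations, and applications, and the first-match evaluation order are assumptions made for this model, not Secure Edge behaviour stated on the page.

```python
"""Model of a Secure Edge policy rule: field validation and classification.

Added illustration only; the class and function names are assumptions,
not the Secure Edge API. Constraints on Rule Name and Description are
taken from Table 1 of the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Sequence

# Rule Name: begins with a letter or digit, then letters, digits, dashes and
# underscores; no spaces; at most 63 characters in total.
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")

# Description: at most 900 characters and none of these characters.
DESCRIPTION_MAX = 900
DESCRIPTION_FORBIDDEN = frozenset("&<>\n")


def validate_rule_name(name: str) -> List[str]:
    """Return a list of violations; empty list means the name is acceptable.

    An empty name is accepted because the page says the product then
    assigns a default name.
    """
    if name == "":
        return []
    errors = []
    if len(name) > 63:
        errors.append("rule name longer than 63 characters")
    if not RULE_NAME_RE.match(name):
        errors.append("rule name must start with a letter or digit and "
                      "contain only letters, digits, dashes and underscores")
    return errors


def validate_description(desc: str) -> List[str]:
    """Return a list of violations for the Description field."""
    errors = []
    if len(desc) > DESCRIPTION_MAX:
        errors.append(f"description longer than {DESCRIPTION_MAX} characters")
    bad = sorted(DESCRIPTION_FORBIDDEN & set(desc))
    if bad:
        errors.append("description contains forbidden characters: "
                      + ", ".join(repr(c) for c in bad))
    return errors


@dataclass(frozen=True)
class Schedule:
    """Days of the week and a daily time window during which a rule is active.

    ``days`` uses datetime.weekday() numbering: 0 = Monday ... 6 = Sunday.
    """
    days: frozenset
    start: time
    end: time

    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    """One policy rule. Sources, destinations and applications are modelled as
    plain strings (site, address, user-group or application names); "any"
    matches everything. This representation is an assumption of the model."""
    name: str
    sources: frozenset
    destinations: frozenset
    applications: frozenset
    action: str  # "permit", "deny" or "reject"
    schedule: Optional[Schedule] = None

    @staticmethod
    def _member(value: str, allowed: frozenset) -> bool:
        return "any" in allowed or value in allowed

    def matches(self, source: str, destination: str, application: str,
                when: datetime) -> bool:
        explicit = (self._member(source, self.sources)
                    and self._member(destination, self.destinations)
                    and self._member(application, self.applications))
        # The schedule is an implicit match criterion: outside its window the
        # rule does not match, however well the explicit criteria fit.
        active = self.schedule is None or self.schedule.is_active(when)
        return explicit and active


def evaluate(rules: Sequence[Rule], source: str, destination: str,
             application: str, when: datetime) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matches.

    First-match ordering is an assumption of this model, not a statement
    about Secure Edge.
    """
    for rule in rules:
        if rule.matches(source, destination, application, when):
            return rule.action
    return None


# Constructed sample policy: business hours are Monday to Friday, 09:00-17:00.
BUSINESS_HOURS = Schedule(days=frozenset(range(0, 5)), start=time(9, 0), end=time(17, 0))
SAMPLE_RULES = [
    Rule("allow-saas-office-hours", frozenset({"branch-site-1"}), frozenset({"saas-addr"}),
         frozenset({"web-browsing"}), "permit", schedule=BUSINESS_HOURS),
    Rule("block-p2p", frozenset({"any"}), frozenset({"any"}),
         frozenset({"bittorrent"}), "deny"),
]
```

Running `evaluate(SAMPLE_RULES, "branch-site-1", "saas-addr", "web-browsing", datetime(2024, 1, 15, 10, 0))` (a Monday) returns `"permit"`, while the same traffic at 20:00 or on a Saturday returns `None`, because the schedule removed the rule from consideration; the unscheduled `block-p2p` rule matches at any time.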