Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add SRX Policy Rules to Secure Edge Policy (From SRX Policy Page)

To migrate your on-premises security policies to Secure Edge, you must convert the security policy rules to Secure Edge policy. Use the Add SRX policy rules to Secure Edge policy page to add rules from the SRX policy to Secure Edge policy.
The Secure Edge policy supports only a single pair of zones (trust to untrust). All the selected zones of the SRX policy in the source endpoints are converted as trust zone. The destination endpoints are converted as untrust zone.
Note:

Before initiating the conversion of SRX policy rules to Secure Edge policy, the system administrator must ensure that the source identities referred in the SRX policy rules are in-sync with JIMS Secure Edge source identities. This is to avoid any customization issues at a later stage.

To add the SRX policy rules to Secure Edge policy:
  1. Select SRX > Security Policies > SRX Policy.
    The Security Policies page appears.
  2. Select the SRX policy that you want to convert. Right-click or from the More list, select Add SRX policy rules to Secure Edge policy.
    The Getting Started page provides additional information about adding the SRX policy rules to Secure Edge policy. as shown in Figure 1.
    Figure 1: Getting Started Page Getting Started Page
  3. Click Next.
  4. Complete the configuration as shown in Table 1.
    Table 1: Fields on the Add Rule Options page
    Field Description
    Add Rule Options

    Name

    Name of the SRX policy.

    Source (trust) zones

    Select zones in the existing rules that are applicable for the Internet. These zones are set as source (trust) zones in the Secure Edge policy rule.

    Destination (untrust) zones

    Select zones in the existing rules that are applicable for the Internet. These zones are set as destination (untrust) zones in the Secure Edge policy rule.

  5. Click Next.

    The Review Rules Page appears, as shown in Figure 2

    Figure 2: Rules Preview Page Rules Preview Page
  6. In the Review Rules page, preview the converted rules.

    For the advanced security profiles conversion, Secure Edge policy takes the following actions:

    • IPS—Policy is ignored and not converted. Default IPS of Secure Edge policy is associated. For more information, see About the IPS Profiles Page.

    • Content filtering—Policy is ignored and not converted. Default Content filtering profile of Secure Edge policy is associated. For more information, see About the Content Filtering Profiles Page.

    • Decrypt profile—Decrypt profiles are converted as it is except for the root certificate. The root certificate set is converted to Secure Edge with the name "jsec-ssl-proxy-root-cert". The decrypt profile name is prefixed with “jse-“.

    • Web filtering—Profile is converted and a new Secure Edge Web Filtering profile is created with categories that map to current actions and defaults.

    • Antivirus profile—Profile is ignored and not converted.

    • Antispam profile—Profile is ignored and not converted.

    • SecIntel profile—SecIntel profiles are converted as it is. The profile name is prefixed with “jse-“.

    • Anti-malware profiles—SMTP and IMAP Anti-malware profiles are ignored and not converted. HTTP Anti-malware profile is converted as it is. The profile name is prefixed with “jse-“.

  7. Click Finish after reviewing the rules.
    A job is created to add rules to Secure Edge. Once the conversion is successful, you are directly taken to the Secure Edge Policy page under Secure Edge > Security Policy. The converted rules are appended at the bottom of the existing Secure Edge policy rules. You can reorder the converted rules. You can perform all the other operations on the converted rules.
    Figure 3: Secure Edge Policy Page Secure Edge Policy Page

    The final step is to deploy the converted policy. Select the policy and click Deploy.

Note:
  • You cannot reconvert SRX policy rules that are already converted to the Secure Edge Policy rules. However, if you have added new rules to that particular SRX policy, only the newly added rules are added to the Secure Edge policy rules.

  • Global rules are selected only if they are matched with the selected source and destination zones.