Add a Security Policy Rule

Use this page to add a security policy rule that controls transit traffic within a context. The traffic is classified by matching its source and destination zones, its source and destination addresses, and the application carried in its protocol headers against the policy database.

You can also enable advanced security protection by specifying one or more of the following:

  • Content security profile
  • Decrypt profile
  • Intrusion prevention system (IPS) profile
  • Anti-malware profile
  • Secintel profile group
  • secure Web proxy profile

To configure a security policy rule:

  1. Select SRX>Security Policy>SRX Policy.
    The Security Policies page appears.
  2. Click the security policy to which you want to add the rule.
    The Security-Policy-Name page appears.
  3. Click the add icon (+).
    The option to create a security policy rule appears inline on the Security-Policy-Name page.
  4. Complete the configuration according to the guidelines provided in Table 1.
    Table 1: Fields on the Security Policy Name Page
    Field Description
    General Information

    Name

    Enter a unique string beginning with a number or letter and consisting of letters, numbers, dashes and underscores. No spaces are allowed and the maximum length is 63 characters. If you do not enter a name, the rule is saved with a default name assigned by Juniper Security Director Cloud.

    Description

    Enter a description for the policy rule; maximum length is 900 characters. The description must be a string excluding '&', '<', '>' and '\n' characters.

    Sources

    Click the add icon (+) to select the source endpoint to which the security policy rule applies, from the displayed list of zones, addresses, and users.
    Note:

    You can choose to save a rule as a zone-based rule or a global rule under the following conditions:

    • The Save rule option is enabled in the organization settings. See Save rule option.

    • You have selected a single zone as the source and a single zone as the destination.

    Destinations

    Click the add icon (+) to select the destination endpoint to which the security policy rule applies, from the displayed list of zones, addresses, and URL categories.
    Note:

    You can choose to save a rule as a zone-based rule or a global rule under the following conditions:

    • The Save rule option is enabled in the organization settings. See Save rule option.

    • You have selected a single zone as the source and a single zone as the destination.

    Applications/Services

    Click the add icon (+) to select the applications and services.

    The secure Web proxy feature does not support unified policies, so if you want to associate a secure Web proxy profile with the rule, you must disable the Applications toggle switch. You can instead select the required applications when you configure the secure Web proxy profile.

    Action

    From the drop-down menu, select the action for the traffic between the source and destination.
    • Permit—Device permits the traffic.
    • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable.
    • Reject—Device drops the packet and sends the following message based on traffic type:
      • TCP traffic: Device sends the TCP reset message to the source host
      • UDP traffic: Device sends the ICMP message “destination unreachable, port unreachable”.
      • For all other traffic: Device drops the packet without notifying the source host.
    • Redirect—When a policy blocks HTTP or HTTPS traffic with a reject action, you can define a response in the unified policy to notify the connected client. Redirect Options:

      • Message

        Select the message from the drop-down list or click Create redirect message and enter the message (in the Block Message field).

      • URL

        Select the redirect URL from the drop-down list or click Add redirect URL and enter the redirect URL.

    • Tunnel—Device permits traffic using the type of VPN tunneling options you applied to the policy.

    Security Subscriptions
    Note:

    This field is enabled only if you either select Permit or Reject for the action.

    • IPS profile— When you set the action to Permit, you can specify an IPS profile by selecting a profile from the list (under IPS Profiles).

      You specify an IPS profile to monitor and prevent intrusions.

    • Content Security profile— When you set the action to Permit, you can specify a content security profile by selecting a profile from the list (under Content Security Profiles).

      You specify a content security profile for protection against multiple threat types including spam and malware, and control access to unapproved websites and content.

      You can add a new content security profile by clicking + in the End Points pane and selecting Content Security Profiles.

    • Decrypt profile

      You can configure a decrypt profile when the action is Permit, Reject, or Redirect.

      A decrypt profile performs SSL decryption and encryption between the client and the server to obtain granular application information, so that you can apply advanced security subscription protection and detect threats.

    • Anti-malware profile—When you set the action to Permit, you can assign the anti-malware profile to the security policy by enabling the toggle. The anti-malware profile lets you define which files to send to the ATP cloud for inspection and the action to be taken when malware is detected.

    • SecIntel profile group— When you set the action to Permit, you can assign a SecIntel profile group to the security policy by enabling the toggle. SecIntel profile groups are used to add SecIntel profiles, such as C&C, DNS, and infected hosts.

    • Secure Web Proxy— When you set the action to Permit, you can enable the toggle switch to assign a secure Web proxy profile. A secure Web proxy profile enables applications to bypass a proxy server and connect to a web server directly. For more information about secure Web proxy profiles, see About the Secure Web Proxy Page.
    • Customize— Use this option to configure the security subscriptions for the policy. If no default profile is configured, you can configure one using the Customize option or set the default profile using Global options. See Configure Global Options for more details.

    Options

    Schedule

    Policy schedules enable you to define when a policy is active, and are therefore an implicit match criterion. You can define the day of the week and the time of day when the policy is active. For example, you can define a security policy that opens or closes access based on business hours. Select a pre-saved schedule and the schedule options are populated with the selected schedule data.

    Session initiate logs

    Select this option to enable logging of events when sessions are created.

    Session close logs

    Select this option to enable logging of events when sessions are closed.

    When logging is enabled, the system logs at session close time by default.

    Rule options

    Use this option to create an object that specifies redirect options, authentication, TCP options, and the action for destination-address translated or untranslated packets.

  5. Click the check mark icon to save the changes.
    A new security policy rule with the provided configuration is saved and a confirmation message is displayed. Based on the source and destination end points, the rules are categorized as zone-based rules and global rules.
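As an added illustration (not Juniper code, and not how Security Director Cloud or the SRX implements it), the following Python model shows how the match criteria above (zone pair, addresses, application, and a schedule acting as an implicit criterion) select a rule, and how the Permit, Deny, and Reject actions respond. The rule names, addresses, applications, and the zone-pair-before-global evaluation order are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative model only (not SRX or Security Director Cloud code): a transit
# session is described by its zone pair, addresses, application and protocol,
# and is matched against rules in order until the first rule matches.
@dataclass
class Rule:
    name: str
    action: str                      # "permit", "deny" or "reject"
    from_zone: Optional[str] = None  # both zones None => global rule
    to_zone: Optional[str] = None
    src: set = field(default_factory=lambda: {"any"})
    dst: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})
    active_hours: Optional[tuple] = None  # (start_hour, end_hour): assumed schedule

    def is_global(self):
        return self.from_zone is None and self.to_zone is None

    def matches(self, fz, tz, src, dst, app, hour):
        if not self.is_global() and (fz, tz) != (self.from_zone, self.to_zone):
            return False
        # Schedule is an implicit match criterion: outside its window the rule is skipped.
        if self.active_hours and not (self.active_hours[0] <= hour < self.active_hours[1]):
            return False
        return bool({"any", src} & self.src and {"any", dst} & self.dst
                    and {"any", app} & self.apps)

def reject_response(proto):
    # Reject semantics from the page: TCP gets a reset, UDP gets ICMP port unreachable,
    # all other traffic is dropped without notifying the source.
    return {"tcp": "tcp-reset", "udp": "icmp-port-unreachable"}.get(proto, "silent-drop")

def evaluate(rules, fz, tz, src, dst, app, proto, hour):
    # Model assumption: zone-pair rules are evaluated before global rules,
    # first match wins, and a session that matches nothing is denied.
    ordered = [r for r in rules if not r.is_global()] + [r for r in rules if r.is_global()]
    for rule in ordered:
        if rule.matches(fz, tz, src, dst, app, hour):
            response = reject_response(proto) if rule.action == "reject" else None
            return rule.name, rule.action, response
    return None, "deny", None

# Constructed sample rule base: web permitted during business hours from trust to
# untrust, outbound DNS rejected, everything else denied by a global rule.
RULES = [
    Rule("allow-web", "permit", "trust", "untrust", apps={"junos-http", "junos-https"}, active_hours=(8, 18)),
    Rule("reject-dns", "reject", "trust", "untrust", apps={"junos-dns-udp"}),
    Rule("deny-all", "deny"),
]
```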