
Create Rule Options

When a rule option is created, Juniper Security Director Cloud creates an object in the database that represents it. You can reference this object when you create security policies.

Use the Rule Options page to create an object that specifies the basic settings of a security policy.

To create a rule option:

  1. Select Shared Services > Firewall Profiles > Rule Options.
    The Rule Options page appears.
  2. Click the plus icon (+).
    The Create Rule Options page appears.
  3. Complete the configuration settings according to the guidelines provided in About Rule Options Page.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.
    The new rule option is created and a confirmation message is displayed.
    Table 1: Fields on the Create Rule Options Page
    Field Description

    Name

    Enter a unique string of alphanumeric characters that can include spaces and some special characters.

    The maximum length is 255 characters.

    Description

    Enter a description for the rule option; the maximum length is 255 characters.

    General

    Hardware Acceleration

    Enable this option to process fast-path packets in the network processor instead of in the Services Processing Unit (SPU). During the policy check, the SPU verifies whether the traffic qualifies for services offloading.

    Redirect Options

    Select an option:

    • None
    • Redirect Wx-Select this option to enable WX redirection for packets that arrive from the LAN.
    • Reverse Redirect Wx-Select this option to enable WX redirection for the reverse flow of packets that arrive from the WAN.

    Authentication

    Note:

    Authentication is supported only for rules whose action is permit.

    Push Auth Entry to JIMS

    Enable this option to push the authentication entry to Juniper Identity Management Service (JIMS).

    Authentication Type

    Select an option to restrict or permit users individually or in groups. Select None if you do not want to use authentication to restrict or permit clients.

    • Pass Through-Pass-through user authentication is a form of active authentication. The user is prompted for a username and password when pass-through authentication is invoked.
    • Web-Web authentication is an alternative to pass-through user authentication. Instead of pointing your client browser at the resource you want to reach, you point it at an IP address on the device that is enabled for Web authentication. This initiates an HTTP session to the IP address hosting the Web authentication feature on the device. The device prompts you for your username and password and caches the result. Later, when traffic matches a policy that requires Web authentication, you are allowed or denied access based on the cached Web authentication result.
    • User Firewall-Firewall authentication that restricts or permits access by firewall users to protected resources behind the firewall.
    • Infranet-Select this option to configure the SRX Series Firewall to act as a Junos OS Enforcer in a Unified Access Control (UAC) deployment.

    TCP Option

    Syn-check

    Enable this option for the device to require that the first packet of a TCP session has the SYN flag set. Segments without the SYN flag are accepted only when they belong to an existing session; otherwise they are dropped.

    Sequence Check

    Enable this option to monitor the TCP byte sequence counter and to validate the trusted acknowledgment number against the untrusted sequence number.

    Window Scale

    Enable this option to allow the TCP window scale option in the session, which lets the endpoints advertise receive windows larger than 65535 bytes and therefore sustain higher throughput on high-latency links.

    Initial TCP MSS

    Select the TCP maximum segment size (MSS) for packets arriving at the ingress interface (initial direction). If the value in the packet is higher than the one you select, the configured value overrides the TCP MSS value in the incoming packet. The range is 64 through 65535.

    Reverse TCP MSS

    Select the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session. If the value in the packet is higher than the one you select, the configured value replaces the TCP MSS value. The range is 64 through 65535.
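The syn-check and TCP MSS options above act on the first packets of a session in each direction. The following Python model is added here as an illustration; it is not Juniper's code and does not describe how the SRX data plane is implemented. It parses the TCP options field of constructed segments, lowers the advertised MSS in each direction to the configured limit when the packet advertises more, and drops a non-SYN first packet when syn-check is enabled. The RuleOptions and SessionTable names, the addresses and the sample option bytes are all assumptions made for the example.

```python
"""Toy model of the syn-check and initial/reverse TCP MSS rule options.
Added example; hypothetical names, not Juniper code."""
from dataclasses import dataclass, replace
from typing import Iterator, Optional, Tuple
import struct

# TCP flag bits and option kinds as defined in RFC 9293.
SYN, ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    options: bytes = b""   # raw TCP options field as it appears on the wire


@dataclass
class RuleOptions:
    """Subset of the TCP rule options from the table above (hypothetical model)."""
    syn_check: bool = False
    initial_tcp_mss: Optional[int] = None   # clamp for the session-initiating direction
    reverse_tcp_mss: Optional[int] = None   # clamp for the reverse direction

    def __post_init__(self) -> None:
        for value in (self.initial_tcp_mss, self.reverse_tcp_mss):
            if value is not None and not 64 <= value <= 65535:
                raise ValueError("TCP MSS must be 64 through 65535")


def _walk_options(options: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per option; stop at EOL or malformed data."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(options):
            return                                  # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return                                  # bogus length field
        yield i, kind, length
        i += length


def read_mss(options: bytes) -> Optional[int]:
    """Return the advertised MSS, or None if the option is absent or malformed."""
    for off, kind, length in _walk_options(options):
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", options[off + 2:off + 4])[0]
    return None


def clamp_mss(options: bytes, limit: int) -> bytes:
    """Return options with the MSS lowered to `limit` only if the packet advertises more."""
    for off, kind, length in _walk_options(options):
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", options[off + 2:off + 4])[0]
            if current > limit:
                return options[:off + 2] + struct.pack("!H", limit) + options[off + 4:]
            break
    return options


class SessionTable:
    """Minimal stateful firewall applying the rule options to TCP segments."""

    def __init__(self, opts: RuleOptions) -> None:
        self.opts = opts
        self.sessions = set()   # 4-tuples keyed in the initial direction

    def process(self, seg: Segment) -> Tuple[str, Segment]:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.sessions:                     # initial direction, known session
            return "permit", seg
        if rev in self.sessions:                     # reverse direction, known session
            if self.opts.reverse_tcp_mss is not None and seg.flags & SYN:
                seg = replace(seg, options=clamp_mss(seg.options, self.opts.reverse_tcp_mss))
            return "permit", seg
        # First packet of a would-be session: syn-check rejects anything without SYN.
        if self.opts.syn_check and not seg.flags & SYN:
            return "drop", seg
        self.sessions.add(fwd)
        if self.opts.initial_tcp_mss is not None and seg.flags & SYN:
            seg = replace(seg, options=clamp_mss(seg.options, self.opts.initial_tcp_mss))
        return "permit", seg


if __name__ == "__main__":
    # Constructed sample: MSS 1460 followed by NOP and a window-scale option.
    opts_bytes = b"\x02\x04\x05\xb4\x01\x03\x03\x07"
    fw = SessionTable(RuleOptions(syn_check=True, initial_tcp_mss=1380, reverse_tcp_mss=1300))
    print(fw.process(Segment("10.0.0.5", 40000, "192.0.2.10", 443, SYN, opts_bytes)))
    print(fw.process(Segment("10.0.0.6", 40001, "192.0.2.10", 443, ACK)))
    print(fw.process(Segment("192.0.2.10", 443, "10.0.0.5", 40000, SYN | ACK, opts_bytes)))
```

The option walker stops at the first malformed entry rather than raising, so a truncated or oversized length byte simply leaves the MSS untouched; a real implementation would normally drop such a segment instead.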

    Advanced Settings

    Destination NAT Control

    Select an option:

    • None
    • Drop Untranslated-Drop packets whose destination IP address has not been translated. Traffic permitted by the security policy is limited to packets where the destination IP address has been translated by a destination NAT rule.
    • Drop Translated-Drop packets whose destination IP address has been translated. Traffic permitted by the security policy is limited to packets where the destination IP address has not been translated.