All security entries on a security device are called policies. A policy includes source and destination addresses, services, actions, and options.
Policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what information can enter and leave along with when and where they can go.
For a policy-based IPSec virtual private network (VPN), the policy specifies the VPN to be used.
Warning: Some of the available policy options are processor-intensive and, under certain high-traffic conditions, can cause high processor utilization. These options include Deep Inspection (DI), antivirus (AV), Web filtering, logging, traffic counting, and traffic shaping.
Enter the necessary information:
Name (optional): Assign a name that is meaningful to you.
Source Address: Specify an IP address for the host or network that generates the connection. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one source address, you can also click Multiple to add other addresses to the source address component of the policy. To do this, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.
Destination Address: Specify an IP address for the server that receives the connection request. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one destination address, you can also click Multiple to add other addresses to the destination address component of the policy. To do this, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.
Service: Select a service for the type of connection to be established. Services define the type of traffic. Juniper Networks provides predefined core Internet services, or your administrator can define custom services. You define services in the List section. After selecting one service from the Service drop-down list, you can also click Multiple to add other services to the service component of the policy. To do this, you select a service in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Application: The application specifies the Layer 7 application that maps to the Layer 4 service that you reference in the policy. A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an application layer gateway (ALG) or Deep Inspection to the custom service.
GTP Inspection Object: Select a GTP Inspection Object to enable the security device to perform GTP traffic inspection on the current policy. To create a GTP Inspection Object, see GTP Inspection Object Basic Configuration.
URL Filtering: Select this option to apply Web Filtering to all HTTP traffic to which the policy applies. (For information on configuring Web Filtering, see Web Filtering.) If you have enabled integrated Web Filtering, you can select a Web Filtering profile for the policy. If you do not select a profile, the security device uses the default profile, ns-profile.
Action: Select Permit, Deny, Reject, or Tunnel. The security device applies the action selected for this policy against traffic that matches the first three criteria: source address, destination address, and service.
Deep Inspection: To configure a policy for Deep Inspection (DI), click Deep Inspection. Then make the following choices:
Severity: The severity level of the attack object referenced in the policy maps to the severity level of the event log message that appears when the security device detects an attack. Select Default to use the severity level that has been preset for each attack object. To customize the severity level, select one of the other options from the drop-down list. The specified custom severity level applies to all attack objects in the group.
Group: Select a group whose attack objects you want the security device to check for when applying Deep Inspection.
Action: Select one of the following attack actions that you want the security device to take if it detects an attack. (The default is Drop.)
None: The security device logs the event but takes no action.
Ignore: The security device logs the event and stops checking—or ignores—the remainder of the connection.
Drop Packet: The security device logs the event and drops the packet containing the attack object, but it does not sever the connection.
Drop: The security device logs the event and severs the connection without sending either the client or the server TCP RST packets.
Close Client: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST packet to the client.
Close Server: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST to the server.
Close: The security device logs the event, severs the connection, and (for TCP traffic) sends TCP RST packets to both the client and the server.
Log: Check this option if you want the security device to make an event log entry when it detects an attack.
Brute Force Attack Action: Select one of the following actions that you want the security device to perform when it detects a brute force attack:
Notify: The security device logs the event but does not take any action against further traffic that matches the target definition for the length of the specified timeout.
Block: The security device logs the event and drops all further traffic that matches the target definition for the length of the specified timeout.
Close: The security device logs the event and drops all further traffic that matches the target definition for the length of the specified timeout. The device also sends a Reset (RST) for TCP traffic to the source and destination addresses.
Brute Force Attack Target: The target specifies the set of packet elements that must match for the security device to treat a packet as part of a brute force attack. A packet that arrives during the specified timeout period is counted as part of the same attack only if those elements match the corresponding elements of the packet that the security device originally identified as part of the attack. The default target definition is Serv. You can select any of the following definitions:
Serv: The source and destination IP addresses, destination port number, and protocol
Src-IP: The source IP address
Zone-Serv: The source security zone, source and destination IP addresses, destination port number, and protocol
Dst-IP: The destination IP address
Zone: The security zone to which the ingress interface is bound; that is, the source security zone from which the attacking packets originate
Timeout: Enter a value for the period that follows a brute-force-attack detection during which you want the security device to perform an IP action on packets matching the specified target parameters. The default timeout is 60 seconds.
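The following is an added illustration, not ScreenOS code, of how the target definition and the action work together: after a detection, the device remembers only the elements named by the target, and any later packet whose elements match is subject to the chosen IP action until the timeout elapses. The Packet type, the BruteForceTracker class and the sample addresses are constructed for this example.

```python
"""Added illustration, not ScreenOS code: which later packets a brute force
attack target definition treats as part of the same attack during the
timeout, and what each action (Notify, Block, Close) does to them.
The Packet type, the tracker class and all addresses are this example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str   # security zone of the ingress interface
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"


# The five target definitions from the WebUI and the packet elements each compares.
TARGETS = {
    "serv":      ("src_ip", "dst_ip", "dst_port", "proto"),
    "src-ip":    ("src_ip",),
    "zone-serv": ("src_zone", "src_ip", "dst_ip", "dst_port", "proto"),
    "dst-ip":    ("dst_ip",),
    "zone":      ("src_zone",),
}


def target_key(pkt: Packet, target: str) -> tuple:
    """The subset of packet elements that must match under `target`."""
    return tuple(getattr(pkt, field) for field in TARGETS[target])


class BruteForceTracker:
    """Per-policy state after Deep Inspection reports a brute force attack."""

    def __init__(self, target: str = "serv", action: str = "block", timeout: int = 60):
        if target not in TARGETS or action not in ("notify", "block", "close"):
            raise ValueError("unknown target definition or action")
        self.target, self.action, self.timeout = target, action, timeout
        self.active = {}    # target key -> time at which the IP action expires
        self.log = []       # (timestamp, message) event log entries

    def detect(self, pkt: Packet, now: float) -> None:
        """Called when DI identifies `pkt` as part of a brute force attack."""
        key = target_key(pkt, self.target)
        self.active[key] = now + self.timeout
        self.log.append((now, f"brute force attack, target={self.target}, key={key}"))

    def handle(self, pkt: Packet, now: float) -> str:
        """Disposition of a later packet: 'pass', 'drop' or 'drop+rst'."""
        key = target_key(pkt, self.target)
        expiry = self.active.get(key)
        if expiry is None or now >= expiry:
            self.active.pop(key, None)      # timeout elapsed: back to normal handling
            return "pass"
        if self.action == "notify":
            return "pass"                   # logged at detection time, traffic untouched
        if self.action == "block":
            return "drop"
        # "close": drop, and reset TCP flows toward both source and destination
        return "drop+rst" if pkt.proto == "tcp" else "drop"


if __name__ == "__main__":
    # Constructed sample: an SSH brute force from 203.0.113.7 (documentation range).
    attack = Packet("untrust", "203.0.113.7", "192.0.2.10", 22, "tcp")
    tracker = BruteForceTracker(target="serv", action="block", timeout=60)
    tracker.detect(attack, now=0)
    print(tracker.handle(attack, now=10))                                  # drop
    print(tracker.handle(Packet("untrust", "203.0.113.7", "192.0.2.10", 80, "tcp"), 10))  # pass
```

Note the trade-off the target definition makes: Serv blocks only the one service from the one source, while Src-IP or Zone also suppresses unrelated traffic from that source or zone for the whole timeout, which is exactly the behaviour to weigh when the attacking source sits behind a shared NAT address.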
Antivirus Objects: (For security devices that support internal antivirus) To apply antivirus (AV) protection to the policy, select scan-mgr in the Available AV Object Names column, and then click the << button to move it to the Attached AV Object Names column. A single policy can use up to three AV scanners.
Tunnel VPN: If you selected Tunnel in the Action field, select the appropriate VPN tunnel that matches the source and destination. The VPN tunnels that appear in the drop-down list have already been configured in the VPN section of the WebUI. If you have not selected Tunnel in the Action field, select None.
Modify matching bidirectional VPN policy: If you selected Tunnel in the Action field, you can select this option to create or modify a VPN policy for the opposite direction.
L2TP: This is a Point-to-Point Protocol (PPP)-based tunneling protocol for remote access. It provides interoperability with IPSec clients. You can create a policy for an L2TP tunnel or combine it with an IPSec VPN tunnel—if both have the same endpoints—to create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec.
Logging: Select this option to have the security device log all traffic to which this policy applies. The security device generates logs when sessions end. Select at Session Beginning to have the security device generate logs when sessions start.
Position at Top: Select this option to position the policy at the top of the access control list (ACL). The security device checks all attempts to traverse the firewall against policies, beginning with the first policy listed in the ACL for the appropriate direction (incoming or outgoing) and moving through the list. Because the device applies the action of the first matching policy, you must arrange policies from the most specific to the most general.
Session Limit: Select this to limit the session count from each source IP address in the current policy to the configured threshold value.
Counter: Enter the maximum allowed session count for the source IP address. You can enter a maximum session count of 128064.
Alarm without drop: Select this option to allow sessions beyond the configured session limit without dropping packets; the device still issues an alarm.
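As an added example, not ScreenOS code, the model below shows first-match evaluation over an ordered policy list, a check that flags policies shadowed by an earlier, more general one (the ordering mistake Position at Top exists to correct), and the per-source-IP Session Limit with and without Alarm without drop. Class names, the CIDR notation for addresses, and the sample policies are this example's own; it also assumes that traffic matching no policy is denied.

```python
"""Added illustration, not ScreenOS code: first-match policy lookup, detection
of shadowed policies, and the per-source-IP session limit with the
'alarm without drop' option. Names and sample data are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    src: str                                # CIDR, or "any"
    dst: str                                # CIDR, or "any"
    service: str                            # e.g. "http", or "any"
    action: str                             # permit / deny / reject / tunnel
    session_limit: Optional[int] = None     # Counter value when Session Limit is set
    alarm_without_drop: bool = False


def _addr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(p: Policy, src_ip: str, dst_ip: str, service: str) -> bool:
    """The three criteria the device checks: source, destination and service."""
    return (_addr_match(p.src, src_ip) and _addr_match(p.dst, dst_ip)
            and p.service in ("any", service))


def covers(general: Policy, specific: Policy) -> bool:
    """True when every flow `specific` could match is also matched by `general`."""
    def addr_covers(g: str, s: str) -> bool:
        if g == "any":
            return True
        if s == "any":
            return False
        return ipaddress.ip_network(s, strict=False).subnet_of(ipaddress.ip_network(g, strict=False))
    return (addr_covers(general.src, specific.src) and addr_covers(general.dst, specific.dst)
            and general.service in ("any", specific.service))


def shadowed(policies) -> list:
    """Names of policies that can never be hit because an earlier policy covers them."""
    return [p.name for i, p in enumerate(policies) if any(covers(q, p) for q in policies[:i])]


class PolicyList:
    def __init__(self):
        self.policies = []
        self.sessions = Counter()   # (policy name, source ip) -> open session count
        self.alarms = []

    def add(self, p: Policy, position_at_top: bool = False) -> None:
        if position_at_top:
            self.policies.insert(0, p)
        else:
            self.policies.append(p)

    def lookup(self, src_ip: str, dst_ip: str, service: str) -> Optional[Policy]:
        """First matching policy in list order, or None."""
        return next((p for p in self.policies if matches(p, src_ip, dst_ip, service)), None)

    def new_session(self, src_ip: str, dst_ip: str, service: str) -> str:
        p = self.lookup(src_ip, dst_ip, service)
        if p is None:
            return "deny"           # assumption of this model: no match means deny
        if p.action != "permit":
            return p.action
        key = (p.name, src_ip)
        if p.session_limit is not None and self.sessions[key] >= p.session_limit:
            self.alarms.append(f"{p.name}: session limit exceeded by {src_ip}")
            if not p.alarm_without_drop:
                return "drop"       # over the limit: the new session is dropped
        self.sessions[key] += 1
        return "permit"


if __name__ == "__main__":
    # Constructed sample: a host-specific deny placed below the general permit.
    fw = PolicyList()
    fw.add(Policy("allow-web", "10.1.0.0/16", "any", "http", "permit", session_limit=2))
    fw.add(Policy("block-host", "10.1.1.5/32", "any", "http", "deny"))
    print(shadowed(fw.policies))                                  # ['block-host']
    print(fw.lookup("10.1.1.5", "192.0.2.10", "http").name)       # allow-web
```

Running the shadow check before saving a policy is the cheap way to catch the case the text warns about: a deny for a single host placed after a permit for its whole subnet never fires, and only Position at Top (or reordering) makes it effective.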
Click Advanced to select other features such as source and destination network address translation (NAT-src and NAT-dst), authentication, alarm threshold, traffic counting, and traffic shaping.
Click OK to save your configuration.