Policy Configuration

All security entries on a security device are called policies. A policy includes source and destination addresses, services, actions, and options.

Policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what information can enter and leave along with when and where they can go.

For a policy-based IPSec virtual private network (VPN), the policy specifies the VPN to be used.

Warning: Some of the available policy options are processor-intensive and, under certain high-traffic conditions, can cause high processor utilization. These options include Deep Inspection (DI), antivirus (AV), Web filtering, logging, traffic counting, and traffic shaping.


To Create a Policy

  1. Enter the necessary information:

Name (optional): Assign a name that is meaningful to you.

Source Address: Specify an IP address for the host or network that generates the connection. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one source address, you can also click Multiple to add other addresses to the source address component of the policy. To do this, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.

Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.

Destination Address: Specify an IP address for the server that receives the connection request. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one destination address, you can also click Multiple to add other addresses to the destination address component of the policy. To do this, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.

Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.

Service: Select a service for the type of connection to be established. Services define the type of traffic. Juniper Networks provides predefined core Internet services, or your administrator can define custom services. You define services in the List section. After selecting one service from the Service drop-down list, you can also click Multiple to add other services to the service component of the policy. To do this, you select a service in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.

Application: The application specifies the Layer 7 application that maps to the Layer 4 service that you reference in the policy. A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an application layer gateway (ALG) or Deep Inspection to the custom service.

GTP Inspection Object: Select a GTP Inspection Object to enable the security device to perform GTP traffic inspection on the current policy. To create a GTP Inspection Object, see GTP Inspection Object Basic Configuration.

URL Filtering: Select this option to apply Web Filtering to all HTTP traffic to which the policy applies. (For information on configuring Web Filtering, see Web Filtering.) If you have enabled integrated Web Filtering, you can select a Web Filtering profile for the policy. If you do not select a profile, the security device uses the default profile, ns-profile.

Action: Select Permit, Deny, Reject, or Tunnel. The security device applies the action selected for this policy against traffic that matches the first three criteria: source address, destination address, and service.

Deep Inspection: To configure a policy for Deep Inspection (DI), click Deep Inspection. Then make the following choices:

Antivirus Objects: (For security devices that support internal antivirus) To apply antivirus (AV) protection to the policy, select scan-mgr in the Available AV Object Names column, and then click the << button to move it to the Attached AV Object Names column. A single policy can use up to three AV scanners.

Tunnel VPN: If you selected Tunnel in the Action field, select the appropriate VPN tunnel that matches the source and destination. The VPN tunnels that appear in the drop-down list have already been configured in the VPN section of the WebUI. If you have not selected Tunnel in the Action field, select None.

Modify matching bidirectional VPN policy: If you selected Tunnel in the Action field, you can select this option to create or modify a VPN policy for the opposite direction.

L2TP: This is a Point-to-Point Protocol (PPP)-based tunneling protocol for remote access. It provides interoperability with IPSec clients. You can create a policy for an L2TP tunnel or combine it with an IPSec VPN tunnel—if both have the same endpoints—to create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec.

Logging: Select this option to have the security device log all traffic to which this policy applies. The security device generates a log entry when a session ends; select at Session Beginning to have it generate the entry when the session starts instead.

Position at Top: Select this option to position the policy at the top of the access control list (ACL). The security device checks every attempt to traverse the firewall against the policies, beginning with the first policy listed in the ACL for the appropriate direction (incoming or outgoing) and moving down the list. Because the action of the first matching policy is the one applied, you must arrange policies from the most specific to the most general.

Session Limit: Select this option to limit the number of sessions from each source IP address matching this policy to the configured threshold value.

Counter: Enter the maximum allowed session count for the source IP address. You can enter a maximum session count of 128064.

Alarm without drop: Select this option to allow sessions beyond the configured session limit without dropping packets; the device issues an alarm instead.

  2. Click Advanced to select other features such as source and destination network address translation (NAT-src and NAT-dst), authentication, alarm threshold, traffic counting, and traffic shaping.

  3. Click OK to save your configuration.
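The first-match rule behind Position at Top (the ACL is walked top to bottom and the first policy matching source, destination and service decides the action) is the reason policies must be ordered from most specific to most general. The following Python model is an added example, not part of this documentation or of ScreenOS: the Policy class, the CIDR address-book members, the ANY service name, the implicit deny when nothing matches and the sample ACL are all constructed assumptions. It evaluates a lookup the way the text describes and flags a later policy that an earlier, broader one hides.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One ACL entry: the three match criteria plus the action (constructed model)."""
    name: str
    src: list       # Selected Members on the source side: CIDR strings from the address book
    dst: list       # Selected Members on the destination side
    services: list  # service names such as "HTTP"; "ANY" matches every service (assumption)
    action: str     # Permit, Deny, Reject or Tunnel
    negate_src: bool = False   # "Negate the Following" on the source side
    negate_dst: bool = False   # "Negate the Following" on the destination side

def _addr_match(ip, members, negate):
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(m, strict=False) for m in members)
    return (not hit) if negate else hit   # negate: every address except the members

def lookup(acl, src_ip, dst_ip, service):
    """First-match evaluation: the action of the first policy matching all three criteria."""
    for p in acl:
        if (_addr_match(src_ip, p.src, p.negate_src)
                and _addr_match(dst_ip, p.dst, p.negate_dst)
                and ("ANY" in p.services or service in p.services)):
            return p.name, p.action
    return None, "Deny"   # nothing matched: modelled as an implicit deny (assumption)

def _covers(outer, inner):
    """True when every network in `inner` lies inside some network in `outer`."""
    return all(any(ipaddress.ip_network(i, strict=False).subnet_of(
                   ipaddress.ip_network(o, strict=False)) for o in outer) for i in inner)

def shadowed(acl):
    """(policy, earlier policy) pairs where the earlier one covers the later, so it never matches."""
    result = []
    for i, p in enumerate(acl):
        for q in acl[:i]:
            if q.negate_src or q.negate_dst or p.negate_src or p.negate_dst:
                continue   # negated member lists are outside this simple subset check
            if (_covers(q.src, p.src) and _covers(q.dst, p.dst)
                    and ("ANY" in q.services or set(p.services) <= set(q.services))):
                result.append((p.name, q.name))
                break
    return result

# Constructed sample ACL: the general permit is listed above the specific deny it hides
ACL = [
    Policy("allow-web", ["10.1.0.0/16"], ["192.0.2.10/32"], ["HTTP"], "Permit"),
    Policy("block-guest-web", ["10.1.99.0/24"], ["192.0.2.10/32"], ["HTTP"], "Deny"),
]
```

Reversing the two sample entries (the equivalent of using Position at Top on the deny) makes the guest subnet hit the deny while the rest of 10.1.0.0/16 still reaches the permit, and shadowed() then reports nothing.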