To
Create a PolicyAll security entries on the security device are policies. Policies are comprised of addresses (source and destination), services, actions, and options.
Policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what information can enter and leave, and when and where they can go.
Alternatively, your policies can define connections that must be encrypted, thus forming a Virtual Private Network (VPN).
To
Create a PolicyEnter the necessary information:
Name (optional): Assign a name that is meaningful to you.
Source Address: Specify an IP addressfor the host or network generating the connection. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one source address, you can also click Multiple to add other addresses to the source address component of the policy. To do that, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.
Destination Address: Specify an IP addressfor the server receiving the connection request. You can select New Address and enter an IP address, or you can select an address from the Address Book Entry drop-down list. (The addresses that appear in the drop-down list are addresses that you have previously defined. See IP Address Configuration.) After entering one destination address, you can also click Multiple to add other addresses to the destination address component of the policy. To do that, you select an address in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Note: If you select the Negate the Following check box, the security device applies the policy to every address except those in the Selected Members column.
Service: Select a service for the type of connection to be established. Services define the type of traffic. Juniper Networks has predefined core Internet services or the administrator can define custom services. Services are defined in the List section. After selecting one service from the Service drop-down list, you can also click Multiple to add other services to the service component of the policy. To do that, you select a service in the Available Members column, click the << button to move the selection to the Selected Members column, and then click OK.
Application:The application specifies the Layer 7 application that maps to the Layer 4 service that you reference in the policy. A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an application layer gateway (ALG) or Deep Inspection to the custom service.
GTP Inspection Object: Select a GTP Inspection Object to enable the NetScreen device to perform GTP traffic inspection on the current policy. To create a GTP Inspection Object, see GTP Inspection Object Basic Configuration.
URL Filtering: Select this option to apply URL filtering to all HTTP traffic to which the policy applies. (For information on configuring URL filtering, see URL Filtering.) If you enabled integrated URL filtering, you can select a URL filtering profile for the policy. If you do not select a profile, the security device uses the default profile, ns-profile.
Action: Select Permit, Deny, Reject, or Tunnel. The security device applies the action selected for this policy against traffic that matches the first three criteria: source address, destination address, and service.
Deep Inspection:To configure a policy for Deep Inspection (DI), click Deep Inspection. Then make the following choices:
Severity: The severity level of the attack object referenced in the policy maps to the severity level of the event log message that appears when the security device detects an attack. Select Default to use the severity level that has been preset for each attack object. To customize the severity level, select one of the other options from the drop-down list. The specified custom severity level applies to all attack objects in the group.
Group: Select a group whose attack objects you want the security device to check for when applying Deep Inspection.
Action: Select one of the following attack actions that you want the security device to take if it detects an attack. (The default is Drop.)
None: The security device logs the event but takes no action.
Ignore: The security device logs the event and stops checking—or ignores—the remainder of the connection.
Drop Packet: The security device logs the event and drops the packet containing the attack object, but it does not sever the connection.
Drop: The security device logs the event and severs the connection without sending either the client or the server TCP RST packets.
Close Client: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST packet to the client.
Close Server: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST to the server.
Close: The security device logs the event, severs the connection, and (for TCP traffic) sends TCP RST packets to both the client and server.
Log: Check this option if you want the security device to make an event log entry when it detects an attack.
Brute Force Attack Action: Select one of the following actions that you want the security device to perform when it detects a brute force attack:
Notify: The security device logs the event but does not take any action against further traffic matching the target definition for the period of time specified in the timeout setting.
Block: The security device logs the event and drops all further traffic matching the target definition for the period of time specified in the timeout setting.
Close: The security device logs the event and drops all further traffic matching the target definition for the period of time specified in the timeout setting, and sends a Reset (RST) for TCP traffic to the source and destination addresses.
Brute Force Attack Target: The target specifies a set of elements that must match for the security device to consider a packet part of a brute force attack. The specified set of elements in an IP packet arriving during a specified timeout period must match that in the packet that the security device detected as part of a brute force attack for the subsequent packet to be considered part of the same attack. The default target definition is Serv. You can select any of the following definitions:
Serv: The source and destination IP addresses, destination port number, and protocol
Src-IP: The source IP address
Zone-Serv: The source security zone, source and destination IP addresses, destination port number, and protocol
Dst-IP: The destination IP address
Zone: The security zone to which the ingress interface is bound; that is, the source security zone from which the attacking packets originate
Timeout: Enter a period of time following brute force attack detection during which the security device performs an IP action on packets matching specified target parameters. The default timeout is 60 seconds.
Antivirus Objects:(For security devices that support internal antivirus) To apply antivirus (AV) protection to the policy, select scan-mgr in the Available AV Object Names column, and then click the << button to move it to the Attached AV Object Names column. A single policy can use up to three AV scanners.
Note: Juniper Networks does not support an external AV solution in ScreenOS 5.3.0—only internal AV on select platforms.
Tunnel VPN: If you selected Tunnel in the Action field, select the appropriate VPN tunnel that matches the source and destination. The VPN tunnels that appear in the drop-down list have already been configured in the VPN section of the WebUI. If you have not selected Tunnel in the Action field, select None.
Modify matching bidirectional VPN policy: If you selected Tunnel in the Action field, you can select this option to create or modify a VPN policy for the opposite direction.
L2TP: This is a PPP-based tunnel protocol for remote access. It provides interoperability with Microsoft Windows 2000 and other IPSec clients. You can create a policy for an L2TP tunnel or combine it with an IPSec VPN tunnel—if both have the same endpoints—to create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec.
Logging: Select this option to have the security device log all traffic to which this policy applies. The security device generates logs when sessions end. Select at Session Beginning to have the security device generate logs when sessions start.
Position at Top: Select this option to position the policy at the top of the access control list (ACL). The security device checks all attempts to traverse the firewall against policies, beginning with the first policy listed in the ACL for the appropriate direction (incoming or outgoing) and moving through the list. Because action applies to the first matching access policy, you must arrange them from the most specific to the most general.
Click Advanced to select other features such as source and destination network address translation (NAT-src and NAT-dst), authentication, alarm threshold, traffic counting, and traffic shaping.
Click OK to save your configuration.