Understanding the source-identity based policy in SRX

June 15, 2016 by Marques Brownlee

This article describes the source-identity based security policy feature on SRX Series devices: what it matches on, where the role information comes from, and how the policy is written for authenticated, unauthenticated and arbitrary users.

From Junos 12.1 onwards, SRX Series devices support user-role based firewall security policies. Such a policy classifies traffic by the roles a user has been assigned, rather than only by address, zone and application.

Once the policy is configured, the SRX matches it using role information obtained either locally on the SRX Series device or from a Junos Pulse Access Control Service device (UAC).

Note: Authenticated users are those who have role information on the firewall; un-authenticated users are those who do not have role information on the firewall.

Example 1: source-identity based policy for authenticated users, with captive portal redirection:

from-zone user to-zone untrust {
    policy user-role-fw1 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity user-role;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}

Note: For the policy above to match, the role information must be available either from the local configuration on the SRX or from the Junos Pulse Access Control Service device (UAC). The role information is taken from the auth-table, so it is present only for users who have already authenticated through UAC.

Example 2: source-identity based policy for unauthenticated users, with captive portal redirection:

from-zone user to-zone untrust {
    policy user-role-fw2 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity unauthenticated;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}

Note: 'unauthenticated' is not a role name; it is a string which is used to match all the unauthenticated users.

Example 3: source-identity based policy for any user, with captive portal redirection:

from-zone user to-zone untrust {
    policy user-role-fw3 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity any;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}
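As an added example (not code from the original article and not Juniper's own implementation), the following Python model shows how the three policies above are evaluated against a user's role information. The sample configuration is constructed here in Junos "display set" form and carries the same zones, policy names, application and captive-portal name as the brace-form examples; the role name "guest" used in the checks is a constructed value. The matching rules are the ones the notes describe: "any" matches every source, "unauthenticated" matches a source for which the firewall holds no role information (no auth-table entry), and a named role matches only users that hold it. Policies are evaluated in configuration order and the first match wins, so the model also shows why placing the "any" policy first would swallow both the authenticated and the unauthenticated case.

```python
"""Model of SRX source-identity policy matching (added example, not device code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the article's three policies in "display set" form.
# Order is significant, the SRX applies the first policy that matches.
SAMPLE_SET_CONFIG = """
set security policies from-zone user to-zone untrust policy user-role-fw1 match source-address any
set security policies from-zone user to-zone untrust policy user-role-fw1 match destination-address any
set security policies from-zone user to-zone untrust policy user-role-fw1 match application http
set security policies from-zone user to-zone untrust policy user-role-fw1 match source-identity user-role
set security policies from-zone user to-zone untrust policy user-role-fw1 then permit application-services uac-policy captive-portal acs-device
set security policies from-zone user to-zone untrust policy user-role-fw2 match source-address any
set security policies from-zone user to-zone untrust policy user-role-fw2 match destination-address any
set security policies from-zone user to-zone untrust policy user-role-fw2 match application http
set security policies from-zone user to-zone untrust policy user-role-fw2 match source-identity unauthenticated
set security policies from-zone user to-zone untrust policy user-role-fw2 then permit application-services uac-policy captive-portal acs-device
set security policies from-zone user to-zone untrust policy user-role-fw3 match source-address any
set security policies from-zone user to-zone untrust policy user-role-fw3 match destination-address any
set security policies from-zone user to-zone untrust policy user-role-fw3 match application http
set security policies from-zone user to-zone untrust policy user-role-fw3 match source-identity any
set security policies from-zone user to-zone untrust policy user-role-fw3 then permit application-services uac-policy captive-portal acs-device
"""


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    application: str = "any"       # Junos default when no application is given
    source_identity: str = "any"   # Junos default when no source-identity is given
    action: str = ""               # the 'then' clause, kept verbatim


def parse_set_config(text: str) -> List[Policy]:
    """Parse 'set security policies ...' lines into Policy objects, in config order."""
    policies: Dict[str, Policy] = {}  # dict preserves insertion (= configuration) order
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "set" or "policy" not in tok:
            continue
        i = tok.index("policy")
        name = tok[i + 1]
        if name not in policies:
            policies[name] = Policy(name=name,
                                    from_zone=tok[tok.index("from-zone") + 1],
                                    to_zone=tok[tok.index("to-zone") + 1])
        p = policies[name]
        rest = tok[i + 2:]
        if rest[:2] == ["match", "application"]:
            p.application = rest[2]
        elif rest[:2] == ["match", "source-identity"]:
            p.source_identity = rest[2]
        elif rest[:1] == ["then"]:
            p.action = " ".join(rest[1:])
    return list(policies.values())


def identity_matches(selector: str, roles: Optional[Set[str]]) -> bool:
    """Apply the article's rules. roles is None when the firewall has no role
    information for the source (no auth-table entry), i.e. unauthenticated."""
    if selector == "any":
        return True
    if selector == "unauthenticated":   # pseudo-role string, not a configured role
        return roles is None
    return roles is not None and selector in roles


def first_match(policies: List[Policy], from_zone: str, to_zone: str,
                application: str, roles: Optional[Set[str]]) -> Optional[str]:
    """Return the name of the first policy that matches, or None (default deny)."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if p.application not in ("any", application):
            continue
        if identity_matches(p.source_identity, roles):
            return p.name
    return None


if __name__ == "__main__":
    pol = parse_set_config(SAMPLE_SET_CONFIG)
    for label, roles in (("role user-role", {"user-role"}), ("unauthenticated", None),
                         ("role guest", {"guest"})):
        print(f"{label:16} -> {first_match(pol, 'user', 'untrust', 'http', roles)}")
```

Running the block prints which of user-role-fw1, user-role-fw2 or user-role-fw3 a user hits for the three cases; reordering the returned list so that user-role-fw3 comes first shows every HTTP flow landing on the "any" policy, which is the ordering mistake to check for when reviewing such a configuration.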
