This article provides information about the new feature – source-identity based policy in SRX.
Starting with Junos 12.1 on SRX, Juniper Networks supports user-role-based firewall security policies, which let you classify traffic based on the roles to which a user is assigned.
Once such a policy is configured, the SRX matches it using the user's role, which it obtains either locally on the SRX Series device or from a Junos Pulse Access Control Service device (UAC).
Note: Authenticated users are those for whom the firewall has role information; unauthenticated users are those for whom it does not.
Example 1: source-identity based policy for authenticated users, with captive portal redirection:
from-zone user to-zone untrust {
    policy user-role-fw1 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity user-role;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}
Note: To match the above policy, the role information must be available either from local configuration on the SRX or from the Junos Pulse Access Control Service device (UAC). Role information is obtained from the auth-table only if the user has already authenticated to the UAC.
Example 2: source-identity based policy for unauthenticated users, with captive portal redirection:
from-zone user to-zone untrust {
    policy user-role-fw2 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity unauthenticated;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}
Note: 'unauthenticated' is not a role name; it is a keyword that matches all unauthenticated users.
Example 3: source-identity based policy for any user, with captive portal redirection:
from-zone user to-zone untrust {
    policy user-role-fw3 {
        match {
            source-address any;
            destination-address any;
            application http;
            source-identity any;
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal acs-device;
                    }
                }
            }
        }
    }
}
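The three examples above are easy to mistype when pasted as brace-style text (a dropped semicolon or closing brace silently changes or breaks the policy). As an added example, not from the KB article or from Junos, the following Python parser reads such a block, converts it to flat "set" commands (assuming the standard `security policies` hierarchy prefix) and lists each policy's source-identity match for review; it rejects an unbalanced block.

```python
# Added example (constructed, not from the KB or Junos): parse brace-style policy
# text, flatten it to "set" commands and list each policy's source-identity match.
import re
# Constructed sample: Example 2 above (the "unauthenticated" match) in brace syntax.
SAMPLE = """
from-zone user to-zone untrust {
    policy user-role-fw2 {
        match { source-address any; destination-address any;
                application http; source-identity unauthenticated; }
        then { permit { application-services { uac-policy {
                captive-portal acs-device; } } } } } }
"""
def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    root = node = {}
    stack, words = [], []
    for tok in tokens:
        if tok == "{":                      # open a block named by the words so far
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == ";":                    # leaf statement
            node[" ".join(words)] = None
            words = []
        elif tok == "}":                    # close the current block
            if not stack:
                raise ValueError("unbalanced '}'")
            node = stack.pop()
        else:
            words.append(tok)
    if stack or words:                      # e.g. a missing closing brace
        raise ValueError("unbalanced '{' or missing ';'")
    return root

def to_set_commands(tree, prefix=("set", "security", "policies")):
    """Flatten the tree into 'set ...' lines (assumes the security policies hierarchy)."""
    out = []
    for key, child in tree.items():
        path = prefix + (key,)
        out.extend(to_set_commands(child, path) if child else [" ".join(path)])
    return out

def source_identities(tree):
    """Map policy name -> source-identity match value (None if the policy has none)."""
    result = {}
    for zone in tree.values():
        for pol_key, pol in zone.items():
            idents = [k.split()[1] for k in pol.get("match", {}) if k.startswith("source-identity ")]
            result[pol_key.split()[-1]] = idents[0] if idents else None
    return result
```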