JuniperSRX

Header Format

targets:
    srx: from-zone [zone name] to-zone [zone name] {inet}
  • from-zone: static keyword, followed by user-specified zone
  • to-zone: static keyword, followed by user-specified zone
  • inet: Address family (only IPv4 tested at this time)

Term Format

  • For common keys, see common.md

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • destination-zone: One or more destination zone tokens. Only supported by global policy.
  • dscp_except: Do not match the DSCP number.
  • dscp_match: Match a DSCP number.
  • dscp_set: Match a DSCP set.
  • logging: Specify that these packets should be logged. Based on the input value, the resulting logging actions follow this logic:
    • action is 'accept':
      • logging is 'true': resulting SRX output will be 'log { session-close; }'
      • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
    • action is 'deny':
      • logging is 'true': resulting SRX output will be 'log { session-init; }'
      • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
    • See here for explanation.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: Exclude one or more address tokens from the specified source-address.
  • source-zone: One or more source zone tokens. Only supported by global policy.
  • timeout: Specify application timeout. (default 60)
  • verbatim: Specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
  • vpn: Encapsulate outgoing IP packets and decapsulate incoming IP packets.
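
A pre-generation check for the SRX-specific rules listed above, as an added example that is not the generator's own code: it parses the header target, flags source-zone/destination-zone outside a global policy, and returns the log stanza the documented action/logging table predicts. Assumptions: a term is passed as a dict keyed by the tokens on this page, a global policy is written as from-zone all to-zone all, and the zone names are constructed placeholders.

```python
import re

# (action, logging) -> SRX log stanza, exactly as documented in the list above.
LOG_STANZA = {
    ("accept", "true"): "log { session-close; }",
    ("accept", "log-both"): "log { session-init; session-close; }",
    ("deny", "true"): "log { session-init; }",
    ("deny", "log-both"): "log { session-init; session-close; }",
}
TARGET_RE = re.compile(r"^from-zone (\S+) to-zone (\S+)(?: (\S+))?$")


def parse_target(options):
    """Split 'from-zone A to-zone B {inet}' into (from_zone, to_zone, family)."""
    match = TARGET_RE.match(" ".join(options.split()))
    if not match:
        raise ValueError(f"malformed srx target: {options!r}")
    return match.groups()  # family is None when the optional field is omitted


def lint_term(target, term):
    """Return (log_stanza_or_None, findings) for one term given as a dict."""
    from_zone, to_zone, family = parse_target(target)
    findings = []
    # Assumption: a global policy is written as from-zone all to-zone all.
    is_global = from_zone == "all" and to_zone == "all"
    for key in ("source-zone", "destination-zone"):
        if key in term and not is_global:
            findings.append(f"{key} is only supported by global policy")
    if family not in (None, "inet"):
        findings.append(f"address family {family!r}: only IPv4 (inet) is tested")
    action = term.get("action")
    raw = term.get("logging")
    # YAML loads a bare `true` as a bool, so normalise before the lookup.
    logging = str(raw).lower() if raw else ""
    stanza = LOG_STANZA.get((action, logging))
    if logging and stanza is None:
        findings.append(f"no documented log output for {action}/{logging}")
    return stanza, findings


if __name__ == "__main__":
    # Constructed sample input: zone names are placeholders.
    sample = {"action": "accept", "logging": True, "destination-zone": ["dmz"]}
    print(lint_term("from-zone trust to-zone untrust inet", sample))
```

The returned stanza shows which session events a term will record, so a reviewer can see that a deny term with logging 'true' logs session-init only and an accept term logs session-close only.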

Sub Tokens

Actions

  • accept
  • count
  • deny
  • dscp
  • log
  • reject