Note: The Juniper SRX generator is currently in beta testing.
target:: srx from-zone [zone name] to-zone [zone name] {inet}
- from-zone: static keyword, followed by user specified zone
- to-zone: static keyword, followed by user specified zone
- inet: Address family (only IPv4 tested at this time)
- action:: The action to take when matched. See Actions section for valid options.
- comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
- destination-address:: One or more destination address tokens
- destination-exclude:: Exclude one or more address tokens from the specified destination-address
- destination-port:: One or more service definition tokens
- destination-zone:: one or more destination zones tokens. Only supported by global policy
- dscp_except:: Do not match the DSCP number.
- dscp_match:: Match a DSCP number.
- dscp_set:: Match a DSCP set.
- expiration:: stop rendering this term after specified date. YYYY-MM-DD
- icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
- logging:: Specify that these packets should be logged.
- Based on the input value the resulting logging actions will follow this logic:
- action is 'accept':
- logging is 'true': resulting SRX output will be 'log { session-close; }'
- logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
- action is 'deny':
- logging is 'true': resulting SRX output will be 'log { session-init; }'
- logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
- See here for explanation.
- action is 'accept':
- Based on the input value the resulting logging actions will follow this logic:
- name:: Name of the term.
- option:: See platforms supported Options section.
- owner:: Owner of the term, used for organizational purposes.
- platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
- protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
- source-address:: one or more source address tokens.
- source-exclude:: exclude one or more address tokens from the specified source-address.
- source-port:: one or more service definition tokens.
- source-zone:: one or more source zones tokens. Only supported by global policy
- timeout:: specify application timeout. (default 60)
- verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
- vpn:: Encapsulate outgoing IP packets and decapsulate incomfing IP packets.
- accept
- count
- deny
- dscp
- log
- reject