SRX Services Gateway
SRX Services Gateway

AppFW best practice configuration

‎12-15-2014 09:04 AM

Does anyone have a best practice configuration or guide for AppFW?  The documentation I have found online thus far has only shown examples applying AppFW rules to inbound traffic from the untrust zone.  I would think you would want to apply your policies in the opposite direction, from trust-to-untrust?  You apply AppTrack to the Trust zone to see what apps are being utilized the most, and then apply AppFW rules accordingly to lock it down if needed.   Would you really want to manage Untrust-to-Trust traffic via these rules as well?  I had been looking at this document:



SRX Services Gateway
Accepted by topic author peterbishop
‎08-26-2015 01:27 AM

Re: AppFW best practice configuration

‎12-20-2014 04:06 AM

I think you are correct and the kb has the zones accidently backwards.  I submitted a rating question to the author to have this checked.


the Appfw rules are embedded in normal security policy rules.  And in the case of applications like those listed in the example the zone direction for that policy would almost always be trust to untrust.  The Appfw rules won't kick in unless the main policy is hit so the main policy must capture the correct direction of traffic initiation.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)