Related Documentation
- EX, M, MX, PTX, T Series
- System Logging Overview
- Logging of Packet Headers Evaluated by a Firewall Filter Term
Example: Configuring Logging for a Stateless Firewall Filter Term
This example shows how to configure a standard stateless firewall filter to log packet headers.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a stateless firewall filter that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- Configure the Syslog Messages File for the Firewall Facility
- Configure the Stateless Firewall Filter
- Apply the Stateless Firewall Filter to a Logical Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the set commands from the step-by-step procedures that follow into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
Configure the Syslog Messages File for the Firewall Facility
Step-by-Step Procedure
To configure a syslog messages file for the firewall facility:
Configure a messages file for all syslog messages generated for the firewall facility.
user@host# set system syslog file messages_firewall_any firewall any
Restrict permission to the archived firewall facility syslog files to the root user and users who have the Junos OS maintenance permission.
user@host# set system syslog file messages_firewall_any archive no-world-readable
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the stateless firewall filter icmp_syslog that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination:
Create the stateless firewall filter icmp_syslog.
[edit]
user@host# edit firewall family inet filter icmp_syslog
Configure matching on the ICMP protocol and an address.
[edit firewall family inet filter icmp_syslog]
user@host# set term icmp_match from address 192.168.207.222/32
user@host# set term icmp_match from protocol icmp
Count, log, and accept matching packets.
[edit firewall family inet filter icmp_syslog]
user@host# set term icmp_match then count packets
user@host# set term icmp_match then log
user@host# set term icmp_match then accept
Accept all other packets.
[edit firewall family inet filter icmp_syslog]
user@host# set term default_term then accept
Apply the Stateless Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Configure the logical interface to which you will apply the stateless firewall filter.
[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure the interface address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set address 10.1.2.3/30
Apply the stateless firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set filter input icmp_syslog
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the syslog message file for the firewall facility by entering the show system configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show system
Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter icmp_syslog {
        term icmp_match {
            from {
                address {
                    192.168.207.222/32;
                }
                protocol icmp;
            }
            then {
                count packets;
                log;
                accept;
            }
        }
        term default_term {
            then accept;
        }
    }
}
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input icmp_syslog;
            }
            address 10.1.2.3/30;
        }
    }
}
If you are done configuring the device, commit your candidate configuration.
[edit]
user@host# commit
Verification
Note that the log action records matching packet headers in a buffer in the Packet Forwarding Engine, which you view with the show firewall log operational mode command; it is the syslog action that sends the headers to the firewall facility of the system log. To have them appear in the messages_firewall_any file as shown below, also include set term icmp_match then syslog in the filter term.
To confirm that the configuration is working properly, display the syslog file configured for the firewall facility with the show log command:
user@host> show log messages_firewall_any
Mar 20 08:03:11 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
Each message in this file contains the following fields:
- Date and Time—Date and time at which the packet was received.
- Filter action:
- A—Accept (or next term)
- D—Discard
- R—Reject
- Protocol—Packet’s protocol name or number.
- Source address—Source IP address in the packet.
- Destination address—Destination IP address in the packet.
The field after FW: is the logical interface on which the filter evaluated the packet, and the parenthesized count at the end is the number of matching packets seen in the reporting interval.
Note: If the protocol is ICMP, the ICMP type and code are displayed after the addresses. For all other protocols, the source and destination ports are displayed.
In the message above the protocol is ICMP, so the last two fields (both zero) are the ICMP type and code (type 0 is echo reply), not ports; for a TCP or UDP packet the same two positions hold the source and destination ports, respectively. The count (1 packets) indicates that only one packet for this match was detected in about a 1-second interval. If packets arrive faster, the system log function compresses the information so that less output is generated, reporting a single message with the aggregate count, similar to the following:
user@host> show log messages_firewall_any
Mar 20 08:08:45 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)
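The message layout described above, as an added example that is not part of Juniper's documentation: a small Python parser for the firewall-facility syslog lines that keeps the ICMP type/code versus port distinction straight and sums the parenthesized counts, so that compressed messages such as (515 packets) are not undercounted when you look for a flood or sweep involving the monitored host. The sample log is constructed here: its first two lines reproduce the page's output (with the interface set to the one the filter is applied to), while the echo-request, TCP/discard and sshd lines are made up to exercise the parser; the function names and the 100-packet threshold are this example's own choices, not Junos features.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout of the firewall-facility lines shown in the Verification section:
# "<Mon dd hh:mm:ss> <host> <origin> FW: <interface> <action> <proto>
#  <src> <dst> <n1> <n2> (<count> packets)".
# n1/n2 are the ICMP type and code when the protocol is icmp, and the
# source/destination port otherwise.
FW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<origin>\S+) FW: "
    r"(?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<n1>\d+) (?P<n2>\d+) \((?P<count>\d+) packets?\)$"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


@dataclass
class FwEvent:
    timestamp: str
    interface: str
    action: str
    protocol: str
    src: str
    dst: str
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    src_port: Optional[int]
    dst_port: Optional[int]
    packets: int


def parse_fw_line(line: str) -> Optional[FwEvent]:
    """Parse one syslog line; return None for lines that are not FW: messages."""
    m = FW_LINE.match(line.strip())
    if m is None:
        return None
    n1, n2 = int(m["n1"]), int(m["n2"])
    is_icmp = m["proto"].lower() == "icmp"
    return FwEvent(
        timestamp=m["ts"], interface=m["ifl"], action=ACTIONS[m["action"]],
        protocol=m["proto"], src=m["src"], dst=m["dst"],
        icmp_type=n1 if is_icmp else None, icmp_code=n2 if is_icmp else None,
        src_port=None if is_icmp else n1, dst_port=None if is_icmp else n2,
        packets=int(m["count"]),
    )


def parse_log(text: str) -> List[FwEvent]:
    """Parse a whole file, skipping any line that is not an FW: message."""
    return [ev for ev in (parse_fw_line(l) for l in text.splitlines()) if ev is not None]


def packets_by_flow(events: List[FwEvent]) -> Dict[Tuple[str, str, str], int]:
    """Sum the parenthesized counts per (src, dst, protocol).  Summing the
    count, rather than counting lines, is what makes a compressed message
    such as "(515 packets)" contribute 515 and not 1."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for ev in events:
        totals[(ev.src, ev.dst, ev.protocol)] += ev.packets
    return dict(totals)


def sources_over(events: List[FwEvent], threshold: int) -> Dict[str, int]:
    """Sources whose logged packet total reaches the threshold (hypothetical
    detection rule for an ICMP sweep or flood to/from the monitored host)."""
    per_src: Dict[str, int] = defaultdict(int)
    for ev in events:
        per_src[ev.src] += ev.packets
    return {src: n for src, n in per_src.items() if n >= threshold}


# Constructed sample log (not captured from a device): lines 1-2 mirror the
# page's output, lines 3-5 are made up to exercise the other branches.
SAMPLE_LOG = """\
Mar 20 08:03:11 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
Mar 20 08:08:45 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)
Mar 20 08:08:46 hostname feb FW: ge-0/0/1.0 A icmp 10.1.2.1 192.168.207.222 8 0 (3 packets)
Mar 20 08:08:47 hostname feb FW: ge-0/0/1.0 D tcp 10.1.2.1 192.168.207.222 40512 22 (2 packets)
Mar 20 08:08:48 hostname sshd[1234]: Accepted publickey for admin from 10.1.2.1 port 40513 ssh2
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst, proto), n in sorted(packets_by_flow(evs).items()):
        print(f"{proto:5} {src:>16} -> {dst:<16} {n} packets")
    print("sources at or above 100 packets:", sources_over(evs, 100))
```

Because the two zeros after the addresses mean different things for ICMP and for TCP/UDP, the parser decides which fields to populate from the protocol column rather than from the values; a detection rule that filtered on "dst_port == 0" without that distinction would match every ICMP echo reply in the file.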
Published: 2013-04-10