
Examples: Configuring Stateful Firewall Rules

The following example shows a stateful firewall configuration containing two rules: one for input, matching on a specified application set, and the other for output, matching on a specified source address:

[edit services]
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term 1 {
            from {
                application-sets Applications;
            }
            then {
                accept;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    }
    rule Rule2 {
        match-direction output;
        term Local {
            from {
                source-address {
                    10.1.3.2/32;
                }
            }
            then {
                accept;
            }
        }
    }
}

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.

[edit services stateful-firewall]
rule my-firewall-rule {
    match-direction input-output;
    term term1 {
        from {
            source-address 10.1.3.2/32;
            application-sets my-application-group;
        }
        then {
            reject;
            syslog;
        }
    }
    term term2 {
        from {
            destination-address 10.2.3.2/32;
            applications http;
        }
        then {
            accept;
        }
    }
}

The following example shows the use of source and destination prefix lists. This requires two separate configuration items: the prefix lists themselves, and the rule that references them.

You configure the prefix list at the [edit policy-options] hierarchy level:

[edit]
policy-options {
    prefix-list p1 {
        1.1.1.1/32;
        2.2.2.0/24;
    }
    prefix-list p2 {
        3.3.3.3/32;
        4.4.4.0/24;
    }
}

You reference the configured prefix lists in the stateful firewall rule:

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

This is equivalent to the following configuration:

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        1.1.1.1/32;
                        2.2.2.0/24;
                    }
                    destination-address {
                        3.3.3.3/32;
                        4.4.4.0/24;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

You can use the except qualifier with prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2, so the term matches destinations that fall outside every prefix in p2.

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2 except;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}
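To make the two claims above concrete (that the prefix-list form of rule r1 is equivalent to writing the addresses out, and that p2 except inverts the destination match), the following added Python model evaluates a rule's terms against sample flows. It is an illustration written for this page, not Juniper code, and it models only address matching with first-match term ordering; the p1 and p2 prefixes are the page's own, the sample flows are constructed, and treating a flow that matches no term as discarded is an assumption of the model.

```python
# Added example (not from the Juniper documentation): a small model of how a
# stateful firewall term's from-clause evaluates source and destination
# prefix lists, including the "except" qualifier.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Prefix lists taken from the page's [edit policy-options] example
PREFIX_LISTS = {
    "p1": ["1.1.1.1/32", "2.2.2.0/24"],
    "p2": ["3.3.3.3/32", "4.4.4.0/24"],
}


@dataclass
class AddressMatch:
    """One side (source or destination) of a term's from-clause."""
    prefixes: list = field(default_factory=list)  # CIDR strings
    negate: bool = False                           # True models "except"

    def matches(self, addr: str) -> bool:
        ip = ip_address(addr)
        hit = any(ip in ip_network(p) for p in self.prefixes)
        return not hit if self.negate else hit


@dataclass
class Term:
    name: str
    source: AddressMatch
    destination: AddressMatch
    action: str  # "accept" or "reject"

    def matches(self, src: str, dst: str) -> bool:
        return self.source.matches(src) and self.destination.matches(dst)


def from_prefix_list(name: str, negate: bool = False) -> AddressMatch:
    """Model source-prefix-list / destination-prefix-list { name [except]; }."""
    return AddressMatch(list(PREFIX_LISTS[name]), negate)


def from_addresses(prefixes, negate: bool = False) -> AddressMatch:
    """Model source-address / destination-address { prefix; ... }."""
    return AddressMatch(list(prefixes), negate)


def evaluate(terms, src: str, dst: str, default: str = "discard") -> str:
    """First matching term decides. A flow matching no term gets the default;
    "discard" here is an assumption of this model, not a statement about Junos."""
    for term in terms:
        if term.matches(src, dst):
            return term.action
    return default


# rule r1 written with prefix lists (the page's third example)
RULE_WITH_LISTS = [Term("t1", from_prefix_list("p1"),
                        from_prefix_list("p2"), "accept")]
# the same rule with the prefixes written out (the page's "equivalent" form)
RULE_EXPANDED = [Term("t1", from_addresses(PREFIX_LISTS["p1"]),
                      from_addresses(PREFIX_LISTS["p2"]), "accept")]
# the variant using "p2 except" on the destination side
RULE_EXCEPT = [Term("t1", from_prefix_list("p1"),
                    from_prefix_list("p2", negate=True), "accept")]

# Constructed sample flows: (source, destination)
SAMPLE_FLOWS = [
    ("1.1.1.1", "3.3.3.3"),     # src in p1, dst in p2
    ("2.2.2.77", "4.4.4.200"),  # src in p1 via 2.2.2.0/24, dst in p2
    ("1.1.1.1", "9.9.9.9"),     # src in p1, dst outside p2
    ("5.5.5.5", "3.3.3.3"),     # src outside p1
]


def rules_agree(rule_a, rule_b, flows=SAMPLE_FLOWS) -> bool:
    """True when both rules give the same decision for every sample flow."""
    return all(evaluate(rule_a, s, d) == evaluate(rule_b, s, d)
               for s, d in flows)


if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(f"{s:>9} -> {d:<9}  lists={evaluate(RULE_WITH_LISTS, s, d):8}"
              f" expanded={evaluate(RULE_EXPANDED, s, d):8}"
              f" except={evaluate(RULE_EXCEPT, s, d)}")
```

Running the block prints the decision of each rule form for every sample flow; the prefix-list rule and the expanded rule agree on all of them, while the except variant accepts only flows whose destination is outside p2. The model is deliberately limited to addresses so that the effect of the qualifier stays visible; a real term would also carry application and direction criteria as in the earlier examples.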

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see the configuration examples.

Published: 2013-02-15