The following example show a stateful firewall configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:
- [edit services]
- stateful-firewall {
-
- rule Rule1 {
- match-direction input;
-
- term 1 {
-
- from {
- application-sets Applications;
- }
-
- then {
- accept;
- }
- }
-
- term accept {
-
- then {
- accept;
- }
- }
- }
-
- rule Rule2 {
- match-direction output;
-
- term Local {
-
- from {
-
- source-address {
- 10.1.3.2/32;
- }
- }
-
- then {
- accept;
- }
- }
- }
- }
The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.
- [edit services stateful-firewall]
- rule my-firewall-rule {
- match-direction input-output;
-
- term term1 {
-
- from {
- source-address 10.1.3.2/32;
- application-sets my-application-group;
- }
-
- then {
- reject;
- syslog;
- }
- }
-
- term term2 {
-
- from {
- destination-address 10.2.3.2;
- applications http;
- }
-
- then {
- accept;
- }
- }
- }
The following example shows use of source and destination prefix lists. This requires two separate configuration items.
You configure the prefix list at the [edit policy-options] hierarchy level:
- [edit]
- policy-options {
-
- prefix-list p1 {
- 1.1.1.1/32;
- 2.2.2.0/24;
- }
-
- prefix-list p2 {
- 3.3.3.3/32;
- 4.4.4.0/24;
- }
- }
You reference the configured prefix list in the stateful firewall rule:
- [edit]
- services {
-
- stateful-firewall {
-
- rule r1 {
- match-direction input;
-
- term t1 {
-
- from {
-
- source-prefix-list {
- p1;
- }
-
- destination-prefix-list {
- p2;
- }
- }
-
- then {
- accept;
- }
- }
- }
- }
- }
This is equivalent to the following configuration:
- [edit]
- services {
-
- stateful-firewall {
-
- rule r1 {
- match-direction input;
-
- term t1 {
-
- from {
-
- source-address {
- 1.1.1.1/32;
- 2.2.2.0/24;
- }
-
- destination-address {
- 3.3.3.3/32;
- 4.4.4.0/24;
- }
- }
-
- then {
- accept;
- }
- }
- }
- }
- }
You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.
- [edit]
- services {
-
- stateful-firewall {
-
- rule r1 {
- match-direction input;
-
- term t1 {
-
- from {
-
- source-prefix-list {
- p1;
- }
-
- destination-prefix-list {
- p2 except;
- }
- }
-
- then {
- accept;
- }
- }
- }
- }
- }
For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see Examples: Services Interfaces Configuration.