

Subscribing to Firewall Services

The basic firewall that you configure will be enforced on all Internet access links subordinate to the subscriber you select in the navigation pane. When you have configured a basic firewall, you can create firewall exceptions—variances from the basic firewall—for specific categories of traffic.

Firewall exception rules block traffic that would otherwise be permitted to traverse the firewall, or admit traffic that would otherwise be blocked. Each exception specifies criteria against which every packet is inspected.

How you configure firewall exceptions depends on which type of firewall service the ISP enabled. Enterprise Manager Portal can support one of the following:

With stateless firewalls, you can configure exceptions to take customized actions, such as policing specified traffic at a specified rate, or setting the ToS byte. By using customized actions, you can allow traffic from a specified IP address or for a specified IP protocol to traverse the firewall. In addition, you can specify quality of service (QoS) properties such as values for the type of service (ToS) byte.

An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, for an FTP session, when the FTP control connection requests a file download, the stateful firewall expects and allows the corresponding TCP data connection to start. You can also create firewall exceptions for traffic associated with a particular application protocol, such as FTP, that originates at a particular address in the enterprise. See Classifying Traffic for Stateful Firewall Exceptions and NAT Rules for information about defining an application object, which defines the traffic associated with a particular application protocol.

Before You Configure Firewall Exception Rules

Before you configure firewall exception rules, make sure that you understand which types of packets you want to pass through a firewall.

Enterprise Manager Portal must be set to Advanced configuration mode to configure some of the properties for a firewall. If the portal is not in Advanced mode, some of the settings appear as read-only fields. For information about setting the portal mode, see Setting the Configuration Level for Enterprise Manager Portal.

Creating Subscriptions to Firewall Services

To create a subscription to a basic firewall service:

  1. In the navigation pane of Enterprise Manager Portal, click the subscriber for whom you want to create a subscription to a basic firewall service.
  2. Click the Firewall tab.

The Firewall page appears.

  3. Click the help icon above the firewall service to review information about the available firewalls.
  4. Select a firewall service from the menu, and click Apply.

The Firewall page changes to allow you to create firewall exceptions.

Firewall Service

Creating Firewall Exceptions for Stateless Firewalls

To create a firewall exception for a subscriber:

  1. Access the subscriber's Firewall page (see Figure 40).
  2. In the Firewall page, click Create Firewall Exception.

The Create Exception dialog box appears. Figure 38 shows the appearance of the dialog box when Enterprise Manager Portal is set to Advanced mode.


Figure 38: Create Exception Dialog Box for Stateless Firewalls

  3. Using the field descriptions below, configure the values for the firewall exception. Which protocols you select determines which associated protocol fields are available for editing.

NOTE: If a user changes the value for a protocol when the configuration level for the portal is set to Normal mode, values for the following fields may be deleted: TCP Flags, Fragmentation Flags, Fragmentation Offset, Packet Length, ICMP Type, and ICMP Code.

If the value of a protocol is changed to the original setting, the portal restores the associated field values that were previously removed.

  4. Click Create.

The Firewall page shows the exception configured. Figure 39 shows three exceptions configured for a brickwall firewall service. The exceptions appear in priority order.


Figure 39: Firewall Page with Firewall Service Applied and Exceptions Configured

Rule Name

IP Protocols

ToS Byte

Use an x to indicate a bit to be ignored.

Specify the ToS byte in this field if you want to specify a specific type of service. If you want to specify all types of service, leave this field empty.

Source IP Addresses

Source Ports

Destination IP Addresses

For information about how JUNOS routing platforms evaluate prefixes, see the JUNOS Policy Framework Configuration Guide.

Destination Ports

TCP Flags

You can enter a logical expression that contains the symbols for the six TCP flags: urgent, ack, push, rst, syn, and fin. You can use the following logical operators in the list of flags:

You can use the following text synonyms instead of writing out the entire expression:

The interface displays text synonyms for expressions if stored data matches the expression.

This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

Fragmentation Flags

Fragment Offset

Packet Length

ICMP Type

The following list shows the symbolic name and associated numbers for ICMP types. The ICMP types are the same as those on JUNOS routing platforms with the addition of traceroute.

This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

ICMP Code

This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

Priority

Direction

Action

Enabled
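To make the matching semantics of the stateless exception fields concrete, here is an added example in Python. It is not Enterprise Manager Portal or JUNOS code; it models the ToS Byte pattern (an x marks a bit to ignore), the TCP Flags logical expression over urgent, ack, push, rst, syn and fin, the Enabled flag, and evaluation of exceptions in priority order, as described for Figure 39. The text synonyms tcp-established and tcp-initial, the rule that a lower priority number is evaluated first, the action values permit and deny, and the default action of the basic firewall are all assumptions, because the page does not reproduce those tables; every rule and packet is constructed sample data.

```python
"""Stateless firewall-exception matcher: an added illustration, not Enterprise
Manager Portal or JUNOS code. It models the ToS byte pattern ('x' = ignore that
bit), the TCP flags logical expression, and evaluation of exceptions in
priority order. Every rule and packet below is constructed sample data."""
import re
from collections import namedtuple
from dataclasses import dataclass

TCP_FLAGS = ("urgent", "ack", "push", "rst", "syn", "fin")
# Assumption: synonyms as on JUNOS platforms; the portal's own table is not on this page.
SYNONYMS = {"tcp-established": "(ack | rst)", "tcp-initial": "(syn & !ack)"}
_OPS = {"&": " and ", "|": " or ", "!": " not ", "(": "(", ")": ")"}


def tos_matches(pattern: str, tos: int) -> bool:
    """pattern: eight chars of '0', '1' or 'x', MSB first; '' matches all."""
    if pattern == "":
        return True
    if len(pattern) != 8 or set(pattern) - set("01x"):
        raise ValueError(f"bad ToS pattern {pattern!r}")
    return all(c == "x" or int(c) == (tos >> (7 - i)) & 1
               for i, c in enumerate(pattern))


def flags_match(expr: str, set_flags) -> bool:
    """Evaluate e.g. '(syn & !ack)' against the flag names set in a packet;
    '' matches everything. Tokens come from a closed vocabulary (six flag
    names, & | ! and parentheses) and are rewritten to Python boolean
    literals and keywords, so eval never sees anything else."""
    expr = SYNONYMS.get(expr.strip(), expr.strip())
    if not expr:
        return True
    py, pos = [], 0
    for m in re.finditer(r"\s*(?:([a-z-]+)|([()&|!]))", expr):
        if m.start() != pos:                # the scanner skipped a bad character
            raise ValueError(f"illegal character in {expr!r}")
        pos = m.end()
        name, op = m.groups()
        if op:
            py.append(_OPS[op])
        elif name in TCP_FLAGS:
            py.append(str(name in set_flags))
        else:
            raise ValueError(f"unknown flag {name!r}")
    if pos != len(expr):
        raise ValueError(f"illegal character in {expr!r}")
    try:
        return bool(eval("".join(py), {"__builtins__": {}}, {}))
    except (SyntaxError, TypeError):
        raise ValueError(f"malformed flag expression {expr!r}") from None


# A packet as the stateless firewall sees it: IP protocol, ToS byte, set TCP flags.
Packet = namedtuple("Packet", "ip_protocol tos tcp_flags", defaults=(0, frozenset()))


@dataclass
class FirewallException:
    name: str
    priority: int          # assumption: lower value is evaluated first
    action: str            # assumption: "permit" or "deny"
    ip_protocol: str = ""  # "" = any IP protocol
    tos_pattern: str = ""
    tcp_flags: str = ""    # only meaningful when ip_protocol is "tcp"
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if self.ip_protocol and self.ip_protocol != pkt.ip_protocol:
            return False
        if not tos_matches(self.tos_pattern, pkt.tos):
            return False
        if self.tcp_flags:
            return pkt.ip_protocol == "tcp" and flags_match(self.tcp_flags, pkt.tcp_flags)
        return True


def evaluate(rules, pkt: Packet, basic_action: str = "deny"):
    """(name, action) of the first enabled exception, in priority order, that
    matches; otherwise the basic firewall's own action applies."""
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.name, rule.action
    return "basic-firewall", basic_action


# Constructed sample exceptions, deliberately listed out of priority order.
SAMPLE_RULES = [
    FirewallException("allow-critical-tos", 20, "permit", "tcp", "101xxxxx"),
    FirewallException("drop-new-tcp", 10, "deny", "tcp", tcp_flags="tcp-initial"),
    FirewallException("allow-icmp", 30, "permit", "icmp"),
    FirewallException("allow-udp-disabled", 5, "permit", "udp", enabled=False),
]
SAMPLE_PACKETS = {
    "tcp-syn": Packet("tcp", 0xA0, frozenset({"syn"})),
    "tcp-ack-tos5": Packet("tcp", 0xA0, frozenset({"ack"})),
    "tcp-ack-tos0": Packet("tcp", 0x00, frozenset({"ack"})),
    "icmp": Packet("icmp"),
    "udp": Packet("udp"),
}


def demo():
    """Apply the sample exceptions to every sample packet."""
    return {label: evaluate(SAMPLE_RULES, pkt) for label, pkt in SAMPLE_PACKETS.items()}
```

Running demo() shows why the order in which exceptions are listed on the Firewall page matters: the SYN-only packet is caught by drop-new-tcp at priority 10 even though allow-critical-tos would also match its ToS byte, the disabled UDP exception is never consulted, and anything no exception matches falls through to the basic firewall. The flag evaluator rejects any character or name outside the six flags and the operators before anything is evaluated, which is the check you want on any field that accepts an expression from a portal user.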

Creating Firewall Exceptions for Stateful Firewalls

To create a firewall exception for a subscriber:

  1. If you want to create a firewall exception for a particular application object, first create that object (see Classifying Traffic for Stateful Firewall Exceptions and NAT Rules).
  2. Access the subscriber's Firewall page.

Figure 40: Firewall Page with Firewall Service Applied

  3. Using the field descriptions below, configure the values for the firewall exception.
  4. Click Create.

Priority

Name

Direction

Source IPs

Destination IPs

Application

Firewall Action

Schedule

Enabled

Adding a Schedule to a Firewall Exception

A schedule must be configured before you can apply one to a firewall exception. For information about configuring schedules in Enterprise Manager Portal, see Managing Schedules.

To add a schedule to a firewall exception:

  1. Access the subscriber's Firewall page (see Figure 39).
  2. In the Firewall page, select a schedule from the Schedule menu for the exception. See the following field description for details.

Schedule

Modifying Firewall Exceptions

To modify a firewall exception:

  1. Start at the Firewall page for the subscriber (see Figure 40).
  2. Change the values in the fields for this firewall exception.
  3. For stateless firewalls, to change the values for affected traffic, click Edit under Affected Traffic, make changes in the Edit Exception dialog box, and click Apply.

or

For stateful firewalls, click Apply for the application protocol.

Deleting Firewall Exceptions

To delete a firewall exception:

  1. Start at the Firewall page for the subscriber (see Figure 40).
  2. Click Delete for the firewall exception.

Deleting Basic Firewalls

To delete a basic firewall:

  1. Disable all firewall exceptions and NAT rules configured for this subscriber.

For information about disabling these values, see the field descriptions in Creating Firewall Exceptions for Stateful Firewalls and Applying NAT Rules to Traffic.

  2. Disable all firewall exceptions and NAT rules that this subscriber inherits from parent subscribers.
  3. Disable all firewall exceptions and NAT rules defined for this subscriber's subordinate subscribers.
  4. Access the Firewall page for the subscriber for which you configured the firewall (see Figure 40).
  5. Select No Firewall from the Firewall Service menu.
  6. Click Apply.

Monitoring the Use of Subscriptions to Firewall Services

To monitor the use of firewall subscriptions:

  1. Access the subscriber's Firewall page (see Figure 40).
  2. In the Firewall page, click the Usage Data link in the last column.

or

Click the Usage Data link under Firewall Service.

The Service Usage Data page appears.

