Subscribing to Firewall Services
The basic firewall that you configure will be enforced on all Internet access links subordinate to the subscriber you select in the navigation pane. When you have configured a basic firewall, you can create firewall exceptions—variances from the basic firewall—for specific categories of traffic.
Firewall exception rules block traffic that the basic firewall would otherwise permit, or admit traffic that it would otherwise block. Each exception specifies criteria against which packets are inspected.
How you configure firewall exceptions depends on which type of firewall service the ISP enabled. Enterprise Manager Portal can support one of the following:
- Stateless firewalls—Inspect each packet on its own against the exception criteria, without reference to other packets in the same flow.
With stateless firewalls, you can configure exceptions that take customized actions, such as policing specified traffic at a specified rate or setting the type of service (ToS) byte. By using customized actions, you can allow traffic from a specified IP address or for a specified IP protocol to traverse the firewall, and you can set quality of service (QoS) properties such as the ToS byte value.
- Stateful firewalls—Track traffic flows and conversations between applications and evaluate this information when applying exception rules.
An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, for an FTP connection, when the FTP control connection requests a file download, the stateful firewall knows to expect the corresponding TCP data connection and allows it to start. You can also create firewall exceptions for traffic associated with a particular application protocol, such as FTP, that originates at a particular address in the enterprise. See Classifying Traffic for Stateful Firewall Exceptions and NAT Rules for information about defining an application object, which identifies the traffic associated with a particular application protocol.
Before You Configure Firewall Exception Rules
Before you configure firewall exception rules, make sure that you understand which types of packets you want to pass through a firewall.
Enterprise Manager Portal must be set to Advanced configuration mode to configure some of the properties for a firewall. If the portal is not in Advanced mode, some of the settings appear as read-only fields. For information about setting the portal mode, see Setting the Configuration Level for Enterprise Manager Portal.
Creating Subscriptions to Firewall Services
To create a subscription to a basic firewall service:
- In the navigation pane of Enterprise Manager Portal, click the subscriber for whom you want to create a subscription to a basic firewall service.
- Click the Firewall tab.
- Click the help icon above the firewall service to review information about the available firewalls.
- Select a firewall service from the menu, and click Apply.
The Firewall page changes to allow you to create firewall exceptions.
Firewall Service
- Name of the firewall service.
- Value—Menu of firewall services in the directory available for this subscriber
- Default—No Firewall
- Example—BasicFW1
Creating Firewall Exceptions for Stateless Firewalls
To create a firewall exception for a subscriber:
- Access the subscriber's Firewall page (see Figure 40).
- In the Firewall page, click Create Firewall Exception.
The Create Exception dialog box appears. Figure 38 shows the appearance of the dialog box when Enterprise Manager Portal is set to Advanced mode.
- Using the field descriptions below, configure the values for the firewall exception. The IP protocols you select determine which protocol-specific fields are available for editing.
The Firewall page shows the exception configured. Figure 39 shows three exceptions configured for a brickwall firewall service. The exceptions appear in priority order.
Rule Name
- Name of the firewall exception rule.
- Value—Alphanumeric string
- Guidelines—You must specify a name for the rule. Do not use spaces, dots, or punctuation characters in the name.
- Default—No value
- Example—WebAccess
IP Protocols
- IP protocol associated with this rule.
- Value—One or more IP protocols separated by commas, each specified by one of the following keywords:
- ah—authentication header
- egp—exterior gateway protocol
- esp—Encapsulating Security Payload
- gre—generic routing encapsulation
- icmp—Internet Control Message Protocol
- igmp—Internet Group Management Protocol
- ipip—IP over IP
- ospf—Open Shortest Path First
- pim—Protocol Independent Multicast
- rsvp—Resource Reservation Protocol
- sctp—Stream Control Transmission Protocol
- tcp—Transmission Control Protocol
- udp—User Datagram Protocol
ToS Byte
- Type of service (ToS) byte value of traffic to which the rule applies, specified in one of the following formats:
- DiffServ—Match packets by the selected DiffServ value.
- Precedence—Value for the drop precedence.
- Free Format—ToS byte in binary format. Use an x to indicate a bit to be ignored.
- Guidelines—Specify the ToS byte only if you want to match a specific type of service. To match all types of service, leave this field empty.
Source IP Addresses
- IP addresses (as contained in the IP packets) of traffic to which the rule applies.
- Value—[ not ]<networkAddress>/<networkMask>
- not—All addresses except the listed addresses
- <networkAddress>—IP address of the network
- <networkMask>—Prefix length expressed as an integer 0-32, which specifies how many leading bits of the address identify the network
- Guidelines—To specify traffic with a particular source IP address, enter an IP address. To specify all traffic except that with a particular source IP address, precede the IP address with the keyword not. To specify traffic with any source IP address, leave the field empty. To specify multiple source IP addresses, enter multiple addresses on different lines. You can specify multiple source IP addresses only if the configuration level is set to Advanced.
- Default—No value
- Example—192.0.2.0/24
Source Ports
- Source TCP or UDP ports (as contained in the packets) of traffic to which the rule applies.
- Value—One of the following:
- Port number
- Comma-separated list of port numbers and ranges of port numbers (JUNOS routing platforms)
- Ranges of port numbers separated by two dots (..)
- Guidelines—To specify all ports, leave this field empty. If you specify an IP protocol other than TCP or UDP for this rule, the port field is dimmed and you cannot enter port numbers.
- Default—No value
- Example
Destination IP Addresses
- Destination IP addresses (as contained in the IP packets) of traffic affected by this rule.
- Value—[ not ]<networkAddress>/<networkMask>
- not—All addresses except the listed addresses
- <networkAddress>—IP address of the network
- <networkMask>—Prefix length expressed as an integer 0-32, which specifies how many leading bits of the address identify the network
- Guidelines—To exclude a destination IP address, or the set of addresses covered by the prefix length, precede the entry with the keyword not. The order in which you list prefixes is not significant; all are evaluated to determine whether a match occurs. If prefixes overlap, the longest matching prefix decides whether the address matches. For an address to be considered a match, it must match one of the entries in the list.
For information about how JUNOS routing platforms evaluate prefixes, see the JUNOS Policy Framework Configuration Guide.
Destination Ports
- Destination TCP or UDP ports (as contained in the packets) of traffic to which the rule applies.
- Value—One of the following:
- Port number
- Comma-separated list of port numbers and ranges of port numbers (JUNOS routing platforms)
- Ranges of port numbers separated by two dots (..)
- Guidelines—To specify all ports, leave this field empty. If you specify an IP protocol other than TCP or UDP for this rule, the port field is dimmed and you cannot enter port numbers.
- Default—No value
- Example
TCP Flags
- Conditions on the TCP flags in the TCP header. This field is enabled only when the TCP protocol is selected.
- Value—Expression or text synonym that identifies the TCP flags
- Guidelines—You can enter a value for TCP flags only if you select TCP as the IP protocol.
You can enter a logical expression that contains the symbols for the six TCP flags: urgent, ack, push, rst, syn, and fin. You can use the following logical operators in the list of flags:
- &—And. Separates flag settings in the list.
- !—Not. Flags preceded by ! are cleared; flags not preceded by ! are set.
You can use a text synonym in place of an entire expression. The interface displays the text synonym for an expression when the stored data matches it.
This field is enabled only when the configuration level is set to Advanced. Although its value can still be changed when the configuration level is Normal, we recommend that you do not change it while the field appears disabled.
Fragmentation Flags
- Logical expression using the dont-fragment, more-fragments, and reserved IP fragmentation flags.
- Value—Flags expression
- Guidelines—The expression can also contain the following logical operators:
- &—And. Separates flag settings in the list.
- !—Not. Flags preceded by ! are cleared; flags not preceded by ! are set.
Fragment Offset
- IP fragment offset—a value that defines the order in which to assemble fragments for an IP datagram.
- Value—One of the following:
Packet Length
ICMP Type
- Type of Internet Control Message Protocol (ICMP) message.
- Value—Type of ICMP message in the following formats:
- Number of the ICMP message type in the range 0-255
- Symbolic name for an ICMP message type
- Comma-separated list of ICMP types and ranges of ICMP types
- Ranges of ICMP types separated by two dots (..) within the range 0-255
- Blank—Any ICMP type
- Guidelines—You can enter a value for this field only if you select the icmp protocol (protocol number 1).
The following list shows the symbolic name and associated numbers for ICMP types. The ICMP types are the same as those on JUNOS routing platforms with the addition of traceroute.
- 0—echo-reply
- 8—echo-request
- 16—info-reply
- 15—info-request
- 18—mask-reply
- 17—mask-request
- 12—parameter-problem
- 5—redirect
- 9—router-advertisement
- 10—router-solicit
- 4—source-quench
- 11—time-exceeded
- 13—timestamp
- 14—timestamp-reply
- 30—traceroute
- 3—unreachable
This field is enabled only when the configuration level is set to Advanced. Although its value can still be changed when the configuration level is Normal, we recommend that you do not change it while the field appears disabled.
ICMP Code
- Code of the ICMP message, which qualifies the ICMP type.
- Value—One of the following:
- Number of the ICMP code in the range 0-255
- Comma-separated list of code numbers and ranges of code numbers
- Ranges of code numbers separated by two dots (..) within the range 0-255
- Blank—Any ICMP code
- Guidelines—This field is enabled only when the configuration level is set to Advanced. Although its value can still be changed when the configuration level is Normal, we recommend that you do not change it while the field appears disabled.
Priority
- Numeric value that indicates which firewall exception takes precedence if a subscriber has multiple exceptions for a firewall service.
- Value—Integer in the range specified by the online help for this field
- Guidelines—You must specify a priority for the firewall exception. A lower number indicates a higher priority. Use a unique priority for each firewall exception that relates to the same traffic. If two rules have the same priority, they will be applied to traffic in an unpredictable order.
- Default—No value
- Example—5
Direction
- Incoming—Applies to traffic that starts outside the enterprise
- Outgoing—Applies to traffic that starts inside the enterprise
- Both—Applies to traffic flows that start inside or outside the enterprise
- Guidelines—If you select a custom action (a custom firewall rule configured by the service provider), you cannot specify a direction. Give custom firewall rules names that reflect what the rule does.
Action
- Allow—Let the traffic through the firewall.
- Reject—Block the traffic and send an ICMP reply that explains why the firewall blocked it.
- Discard—Drop the traffic without sending any reply.
- A custom value configured by the service provider.
- Guidelines—Other actions may be available, one for each custom firewall rule. Reject tells the sender explicitly that a filter is in place, which lets legitimate clients fail fast but also helps an outside scanner map the policy; Discard reveals nothing, at the cost of leaving the sender to wait for a timeout.
- Default—Allow
- Example—Discard
Enabled
- Gray box—Rule is inherited from a parent subscriber or the rule is scheduled
- White box—Rule is configured for this subscriber
- Box with check mark—Rule is enabled
- Empty box—Rule is disabled
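The stateless exception fields above combine into a single match, and priorities decide which matching exception wins. The following Python, added here as an illustration (it is not Enterprise Manager Portal or JUNOS code), evaluates packets against exceptions written in the field syntax this page describes: one [ not ]address/prefix per line, comma and two-dot lists for ports and ICMP types, '&' and '!' expressions for TCP flags, and the free-format ToS pattern with x for ignored bits. The FirewallException and Packet structures, the constructed sample policy, the handling of an address that falls in none of the listed prefixes, and first-match-wins evaluation are assumptions of the example; the page's text synonyms for TCP flag expressions are not implemented.

```python
import ipaddress
from collections import namedtuple

# ICMP type names from the list above, with their numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5, "echo-request": 8,
              "router-advertisement": 9, "router-solicit": 10, "time-exceeded": 11, "parameter-problem": 12,
              "timestamp": 13, "timestamp-reply": 14, "info-request": 15, "info-reply": 16,
              "mask-request": 17, "mask-reply": 18, "traceroute": 30}
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}

# Assumed structures. FirewallException holds the field values of one exception row as typed
# into the portal: protocols "tcp,udp" (empty = any); direction Incoming/Outgoing/Both;
# src/dst one "[not ]net/len" per line (empty = any); sports/dports "22,80,8000..8080";
# tcp_flags "syn&!ack"; icmp_types "echo-request,3..4"; tos free format such as "101xxxxx".
FirewallException = namedtuple("FirewallException",
    "priority name action protocols direction src dst sports dports tcp_flags icmp_types tos",
    defaults=("", "Both", "", "", "", "", "", "", ""))
# Packet is the summary a stateless filter sees; tcp_flags is the raw flag byte.
Packet = namedtuple("Packet", "proto src dst direction sport dport tcp_flags icmp_type tos",
                    defaults=(0, 0, 0, -1, 0))

def match_prefixes(field_text, addr):
    """Longest matching prefix decides; a 'not' entry excludes its prefix. An address in no
    listed prefix matches only if some entry is negated ('all addresses except the listed')."""
    entries = [e.strip() for e in field_text.splitlines() if e.strip()]
    if not entries:
        return True
    ip = ipaddress.ip_address(addr)
    best = None   # (prefix length, negated) of the longest prefix containing ip
    for entry in entries:
        negated = entry.startswith("not ")
        net = ipaddress.ip_network(entry[4:].strip() if negated else entry, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, negated)
    return (not best[1]) if best else any(e.startswith("not ") for e in entries)

def in_number_list(field_text, value, names=None):
    """'80,443,8000..8080' style lists; names maps symbolic tokens (ICMP types) to numbers."""
    if not field_text.strip():
        return True
    num = lambda tok: names[tok.strip()] if names and tok.strip() in names else int(tok)
    for item in field_text.split(","):
        lo, _, hi = item.partition("..")
        if num(lo) <= value <= num(hi or lo):
            return True
    return False

def match_tcp_flags(expr, flags):
    """'syn&!ack': terms without '!' must be set, terms with '!' must be clear."""
    for term in filter(None, (t.strip() for t in expr.split("&"))):
        if bool(flags & TCP_FLAG_BITS[term.lstrip("!")]) == term.startswith("!"):
            return False
    return True

def match_tos(pattern, tos):
    """Free-format ToS byte: binary digits, 'x' for a bit to be ignored."""
    pattern = pattern.strip()
    return not pattern or all(p in ("x", b) for p, b in zip(pattern, format(tos, "08b")))

def matches(rule, p):
    if rule.protocols and p.proto not in [x.strip() for x in rule.protocols.split(",")]:
        return False
    if rule.direction != "Both" and rule.direction != p.direction:
        return False
    if not (match_prefixes(rule.src, p.src) and match_prefixes(rule.dst, p.dst)):
        return False
    if p.proto in ("tcp", "udp") and not (in_number_list(rule.sports, p.sport)
                                          and in_number_list(rule.dports, p.dport)):
        return False
    if p.proto == "tcp" and not match_tcp_flags(rule.tcp_flags, p.tcp_flags):
        return False
    if p.proto == "icmp" and not in_number_list(rule.icmp_types, p.icmp_type, ICMP_TYPES):
        return False
    return match_tos(rule.tos, p.tos)

def duplicate_priorities(rules):
    """Exceptions that share a priority apply in an unpredictable order: report them."""
    by_prio = {}
    for r in rules:
        by_prio.setdefault(r.priority, []).append(r.name)
    return {k: v for k, v in by_prio.items() if len(v) > 1}

def evaluate(rules, p):
    """Lowest priority number first, first match wins; None = the basic firewall's policy applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, p):
            return rule.name, rule.action
    return None

# Constructed sample policy: web traffic in from anywhere except one prefix, any other
# unsolicited inbound SYN discarded, ping allowed in both directions.
RULES = [
    FirewallException(5, "WebAccess", "Allow", "tcp", "Incoming", "not 198.51.100.0/24", "", "", "80,443"),
    FirewallException(10, "BlockInboundSyn", "Discard", "tcp", "Incoming", tcp_flags="syn&!ack"),
    FirewallException(20, "Ping", "Allow", "icmp", "Both", icmp_types="echo-request,echo-reply"),
]
```

With this policy, an inbound SYN to port 443 from 192.0.2.7 is allowed by WebAccess, the same SYN from 198.51.100.9 falls through to BlockInboundSyn and is discarded, and an inbound SYN-ACK to port 22 matches nothing, so the basic firewall's own policy decides. Running duplicate_priorities before you save is the check the Priority guidelines ask for: two exceptions at the same priority are applied in an unpredictable order.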
Creating Firewall Exceptions for Stateful Firewalls
To create a firewall exception for a subscriber:
- If you want to create a firewall exception for a particular application object, first create that object (see Classifying Traffic for Stateful Firewall Exceptions and NAT Rules).
- Access the subscriber's Firewall page.
Priority
- Numeric value to indicate which firewall exception takes precedence if a subscriber has multiple exceptions for a firewall service.
- Value—Integer in the range specified by the online help for this field
- Guidelines—You must specify a priority for the firewall exception. A lower number indicates a higher priority. Use a unique priority for each firewall exception that relates to the same traffic. If two rules have the same priority, they will be applied to traffic in an unpredictable order.
- Default—No value
- Example—5
Name
- Name of the firewall exception.
- Value—Text string
- Guidelines—You must specify a name for the firewall exception.
- Default—No value
- Example—videoConference
Direction
- Incoming—Applies to an initial traffic flow that starts outside the enterprise
- Outgoing—Applies to an initial traffic flow that starts inside the enterprise
- Both—Applies to initial traffic flows that start inside or outside the enterprise
Source IPs
- Source IP addresses (as contained in the IP packets) of traffic to which the firewall exception applies.
- Value—[ not ]<networkAddress>/<networkMask>
- not—All addresses except the listed addresses
- <networkAddress>—IP address of the network
- <networkMask>—Prefix length expressed as an integer 0-32, which specifies how many leading bits of the address identify the network
- Guidelines—To specify traffic with a particular source IP address, enter an IP address. To specify all traffic except that with a particular source IP address, precede the IP address with the keyword not. To specify traffic with any source IP address, leave the field empty. To specify multiple source IP addresses, set the configuration level of the portal to Advanced (see Setting the Configuration Level for Enterprise Manager Portal), and enter multiple addresses on different lines.
- Default—No value
- Example—192.0.2.0/24
Destination IPs
- Destination IP addresses (as contained in the IP packets) of traffic to which this firewall exception applies.
- Value—[ not ]<networkAddress>/<networkMask>
- not—All addresses except the listed addresses
- <networkAddress>—IP address of the network
- <networkMask>—Prefix length expressed as an integer 0-32, which specifies how many leading bits of the address identify the network
- Guidelines—To specify traffic with a particular destination IP address, enter an IP address. To specify all traffic except that with a particular destination IP address, precede the IP address with the keyword not. To specify traffic with any destination IP address, leave the field empty. To specify multiple destination IP addresses, set the configuration level of the portal to Advanced (see Setting the Configuration Level for Enterprise Manager Portal), and enter multiple addresses on different lines.
- Default—No value
- Example—192.0.2.0/24
Application
- Application object to which the firewall exception applies.
- Value—Application object you defined
- Guidelines—Select an application object from the menu. For information about specifying an application object, see Classifying Traffic for Stateful Firewall Exceptions and NAT Rules.
- Default—Any
- Example—ftp
Firewall Action
- Allow—Let the traffic through the firewall
- Reject—Send an ICMP reply that explains why the firewall blocked the traffic
- Discard—Drop the traffic without sending any reply
Schedule
- Configured schedule to use.
- Name of the schedule
- Guidelines—This field appears if scheduling is enabled for the portal. For more information about schedules, see Managing Schedules.
- Default—No value
Enabled
- Gray box—Firewall exception is inherited from a parent subscriber
- White box—Firewall exception is configured for this subscriber
- Box with check mark—Firewall exception is enabled
- Empty box—Firewall exception is disabled
- Guidelines—Click box to enable or disable a firewall exception.
- Default—Firewall exception is disabled
Adding a Schedule to a Firewall Exception
A schedule must be configured before you can apply one to a firewall exception. For information about configuring schedules in Enterprise Manager Portal, see Managing Schedules.
To add a schedule to a firewall exception:
- Access the subscriber's Firewall page (see Figure 39).
- In the Firewall page, select a schedule from the Schedule menu for the exception. See the following field description for details.
Schedule
- Configured schedule to use.
- Name of the schedule
- Guidelines—This field appears if scheduling is enabled for the portal.
- Default—No value
Modifying Firewall Exceptions
To modify a firewall exception:
- Start at the Firewall page for the subscriber (see Figure 40).
- Change the values in the fields for this firewall exception.
- For stateless firewalls, to change the values for affected traffic, click Edit under Affected Traffic, make changes in the Edit Exception dialog box, and click Apply.
For stateful firewalls, click Apply for the application protocol.
Deleting Firewall Exceptions
To delete a firewall exception:
- Start at the Firewall page for the subscriber (see Figure 40).
- Click Delete for the firewall exception.
Deleting Basic Firewalls
To delete a basic firewall:
- Disable all firewall exceptions and NAT rules that this subscriber inherits from parent subscribers.
- Disable all firewall exceptions and NAT rules defined for this subscriber's subordinate subscribers.
For information about disabling these values, see the field descriptions in Creating Firewall Exceptions for Stateful Firewalls and Applying NAT Rules to Traffic.
- Access the Firewall page for the subscriber for which you configured the firewall (see Figure 40).
- Select No Firewall from the Firewall Service menu.
- Click Apply.
Monitoring the Use of Subscriptions to Firewall Services
To monitor the use of firewall subscriptions:
- Access the subscriber's Firewall page (see Figure 40).
- In the Firewall page, click the Usage Data link under Firewall Service, in the last column.
The Service Usage Data page appears.