Configuring Traffic Filter Rules

11-May-22

Traffic filter rules can be configured on a device to validate traffic against protocol attributes (source, destination and application) and to direct matching traffic according to the configured action. These rules are evaluated between security zones, and each network interface is bound to a zone.

The following procedure describes how to configure traffic filter rules that permit and log FTP traffic from the source zone trustZone to the destination zone untrustZone, and from the source network trustLan to the destination network untrustLan. Here, traffic traverses from the device's interface A in trustZone to interface B in untrustZone.

  1. Configure a zone and bind an interface to it.
    [edit]
    user@host# set security zones security-zone trustZone interfaces ge-0/0/0
    
  2. Configure the security policy in the specified zone-to-zone direction and specify the match criteria.
    [edit security policies]
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application ftp
    
  3. Configure the security policy in the specified zone-to-zone direction and specify the action to take when a packet matches the criteria. Logging both session-init and session-close records the start and end of every permitted FTP session.
    [edit security policies]
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
    user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
    
Note:

Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses (address-book entries).
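The following is an added audit script, not part of this page or of Junos, that parses `set security policies ...` commands in the form shown above and flags policies that are missing a match criterion, permit with every criterion set to `any`, or permit without both session-init and session-close logging. The sample configuration, including the deliberately weak `policy2`, is constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: policy1 from the procedure above, plus a weak policy2.
SAMPLE_CONFIG = """\
set security policies from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match application ftp
set security policies from-zone trustZone to-zone untrustZone policy policy1 then permit
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-init
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-close
set security policies from-zone trustZone to-zone untrustZone policy policy2 match source-address any
set security policies from-zone trustZone to-zone untrustZone policy policy2 match destination-address any
set security policies from-zone trustZone to-zone untrustZone policy policy2 then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match|then) (.+)$"
)

def parse_policies(config_text):
    # Group set commands by (from-zone, to-zone, policy name); other statements are ignored.
    policies = defaultdict(lambda: {"match": {}, "then": set()})
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        fz, tz, name, section, rest = m.groups()
        entry = policies[(fz, tz, name)]
        if section == "match":
            key, value = rest.split(None, 1)   # e.g. "application ftp"
            entry["match"][key] = value
        else:
            entry["then"].add(rest)            # e.g. "permit", "log session-init"
    return policies

def audit_policies(config_text):
    # Return {"from->to:policy": [findings]} for policies that are permissive or unlogged.
    findings = {}
    for (fz, tz, name), entry in parse_policies(config_text).items():
        issues, match, then = [], entry["match"], entry["then"]
        for key in ("source-address", "destination-address", "application"):
            if key not in match:
                issues.append(f"missing match {key}")
        if "permit" in then and match and all(v == "any" for v in match.values()):
            issues.append("permit with every match criterion set to any")
        if "permit" in then and not {"log session-init", "log session-close"} <= then:
            issues.append("permit without both session-init and session-close logging")
        if issues:
            findings[f"{fz}->{tz}:{name}"] = issues
    return findings
```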
