

Configure Stateful Firewall Rule Content

To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

[edit services stateful-firewall]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            applications [ application-names ];
            application-sets [ set-names ];
            destination-address address;
            source-address address;
        }
        then {
            (accept | discard | reject);
            allow-ip-option [ values ];
            syslog;
        }
    }
}

Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

In addition, each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

[edit services stateful-firewall]
rule rule-name {
    match-direction (input | output | input-output);
}

If you configure match-direction input-output, bidirectional rule creation is allowed.
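A concrete rule built from the statements shown above, as an added example that is not part of the original documentation. The rule name, term names and the 192.0.2.0/24 prefix are constructed placeholders, and junos-ssh is assumed to be the Junos predefined SSH application.

```junos
[edit services stateful-firewall]
rule mgmt-ssh-only {                          /* hypothetical rule name */
    match-direction input;                    /* evaluate traffic in the input direction only */
    term allow-mgmt-ssh {                     /* hypothetical term name */
        from {
            source-address 192.0.2.0/24;      /* constructed documentation prefix */
            applications [ junos-ssh ];       /* assumed predefined application */
        }
        then {
            accept;
        }
    }
    term log-and-drop-rest {                  /* hypothetical term name */
        /* no from statement, so this term matches all remaining traffic */
        then {
            discard;
            syslog;                           /* record the dropped flows */
        }
    }
}
```

Terms are evaluated in the order listed, so the narrow accept term must come before the catch-all discard term.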

The following sections describe stateful firewall rule content in more detail:

