Configure Stateful Firewall Match Conditions

To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

[edit services stateful-firewall rule rule-name term term-name]

from {

    applications [ application-names ];

    application-sets [ set-names ];

    destination-address address;

    source-address address;

}

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the JUNOS Policy Framework Configuration Guide. For destination addresses only, you can use the wildcard value any-unicast, which denotes matching all unicast addresses.

If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:

• UDP, TCP, and ICMP create a bidirectional flow with a predicted reverse flow.
• IP creates a unidirectional flow.

You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configure Applications.

• To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
  

  NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.