

Examples: Configure Stateful Firewall Properties

The following example shows a stateful firewall configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:

[edit services]
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term 1 {
            from {
                application-sets Applications;
            }
            then {
                accept;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    }
    rule Rule2 {
        match-direction output;
        term Local {
            from {
                source-address {
                    10.1.3.2/32;
                }
            }
            then {
                accept;
            }
        }
    }
}
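
In Junos, a term with no from statement matches all traffic, so the final `term accept` in Rule1 above accepts whatever term 1 did not match. The following is an added example, not part of the original documentation: it parses the brace-delimited configuration and reports accept terms that have no from conditions. The names `parse` and `catch_all_accepts` and the condensed `SAMPLE` text are constructed for this illustration.

```python
import re

# Constructed sample: Rule1 from the first example on this page, condensed.
SAMPLE = """
rule Rule1 {
    match-direction input;
    term 1 {
        from { application-sets Applications; }
        then { accept; }
    }
    term accept {
        then { accept; }
    }
}
"""

def parse(text):
    """Parse brace-delimited Junos config into nested dicts (leaf statements map to None)."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            # Open a block named by the words collected so far.
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if words or len(stack) == 1:
                raise ValueError("missing ';' or unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if words or len(stack) != 1:
        raise ValueError("unterminated statement or block")
    return stack[0]

def catch_all_accepts(node, rule=None):
    """Return (rule, term) pairs whose action is accept and that have no from conditions."""
    found = []
    for key, child in node.items():
        kind, _, name = key.partition(" ")
        if kind == "term" and child:
            # Handle both the braced form and the one-line "then accept;" form.
            has_from = child.get("from") or any(k.startswith("from ") for k in child)
            accepts = "then accept" in child or "accept" in (child.get("then") or {})
            if accepts and not has_from:
                found.append((rule, name))
        elif child:
            found += catch_all_accepts(child, name if kind == "rule" else rule)
    return found
```

Calling `catch_all_accepts(parse(SAMPLE))` reports the term named accept in Rule1; a rule whose accept terms all carry from conditions, such as Rule2, produces an empty list.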

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts HTTP traffic from anyone to the specified destination address.

[edit services stateful-firewall]
rule my-firewall-rule {
    match-direction input-output;
    term term1 {
        from {
            source-address 10.1.3.2/32;
            application-sets my-application-group;
        }
        then {
            reject;
            syslog;
        }
    }
    term term2 {
        from {
            destination-address 12.2.3.2;
            applications http;
        }
        then {
            accept;
        }
    }
}

For additional examples that combine stateful firewall configuration with other services and with VRFs, see Examples: Services Interfaces Configuration.
