
Firewall Policy Overview

Contrail Service Orchestration (CSO) provides the ability to create, modify, and delete firewall policy intents associated with a firewall policy. Firewall policies are presented as intent-based policies. A firewall policy intent controls transit traffic within a context that is derived from the endpoints defined in the intent. Intent-based firewall policies can incorporate both transport layer (Layer 4) and application layer (Layer 7) firewall constructs in a single intent. The underlying system automatically analyzes the intent and translates it into the set of rules that the devices understand. The choice of sequence and the assignment happen implicitly, based on the endpoints in the intent definition. An intent consists of source and destination endpoints. Endpoints can be applications (L7), sites or site groups, IP addresses or address groups, services, or departments.


  • Intent-based policies are not applicable for Hybrid WAN deployments.

  • Starting from CSO Release 5.0.1, if a device (CPE or next-generation firewall) is running Junos OS Release 18.2R1 or later, a firewall policy acts as a unified firewall policy. In a unified firewall policy, a dynamic application can be used as a match condition along with the existing match conditions. Therefore, a separate application firewall is not configured on the device to allow or block traffic to an application.

    However, if the device is running a version earlier than Junos OS Release 18.2R1, the firewall policy does not act as a unified firewall policy and application firewalls continue to be configured on the device.

    See Unified Security Policies for information about unified firewall policies.
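
The version rule above can be checked across a device inventory to see which devices will still carry a separate application firewall configuration. The following Python sketch is an added example, not CSO or Juniper code; the function names, the device names, and the sample versions are constructed for illustration. It assumes that a CSO release earlier than 5.0.1 never produces a unified policy, and it flags any Junos release string that is not in the standard `YY.NRn` form for manual review instead of guessing its order relative to 18.2R1.

```python
import re

# Thresholds stated on this page.
MIN_CSO = (5, 0, 1)       # CSO Release 5.0.1
MIN_JUNOS = (18, 2, 1)    # Junos OS Release 18.2R1

# Standard Junos release strings such as "18.2R1", "18.4R3-S2" or "19.1R1.6".
_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:[-.].*)?$")


def policy_mode(cso_release, junos_release):
    """Return 'unified', 'separate-appfw' or 'review' for one device."""
    cso = tuple(int(p) for p in cso_release.split("."))
    m = _JUNOS_RE.match(junos_release.strip())
    if m is None:
        # Special (X) releases and malformed strings do not order cleanly
        # against 18.2R1, so flag them instead of guessing.
        return "review"
    junos = tuple(int(g) for g in m.groups())
    # Assumption: before CSO 5.0.1 the policy is never unified.
    if cso >= MIN_CSO and junos >= MIN_JUNOS:
        return "unified"
    return "separate-appfw"


def audit(cso_release, inventory):
    """Group device names by the policy mode they are expected to get."""
    result = {"unified": [], "separate-appfw": [], "review": []}
    for name, junos in inventory.items():
        result[policy_mode(cso_release, junos)].append(name)
    return result


# Constructed inventory (device names and versions are illustrative).
SAMPLE = {
    "cpe-branch-01": "18.2R1",
    "cpe-branch-02": "15.1X49-D150",
    "ngfw-hq-01": "19.4R3-S2",
    "ngfw-dc-02": "17.4R2-S1.2",
    "cpe-lab-03": "18.1R3",
}

if __name__ == "__main__":
    for mode, devices in audit("5.0.1", SAMPLE).items():
        print(f"{mode:15} {', '.join(devices) or '-'}")
```

Devices reported as `separate-appfw` are the ones where application firewall configuration should still be expected and reviewed alongside the firewall policy.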

Firewall policies provide security functionality by enforcing intents on traffic that passes through a device. Traffic is permitted or denied based on the action defined as the firewall policy intent.

A firewall policy provides the following features:

In CSO, intents are categorized as zone-based intents and enterprise-based intents.
