Configuring Traffic Filter Rules
Traffic filter rules can be configured on a device to validate traffic against protocol attributes and direct it according to those attributes. These rules are based on the zones to which network interfaces are bound.
The following procedure describes how to configure traffic filter rules to direct FTP traffic from source zone trustZone to destination zone untrustZone, and from source network trustLan to destination network untrustLan. Here, traffic traverses from the device's interface A in trustZone to interface B in untrustZone.
- Configure a zone and its interfaces.

  [edit]
  user@host# set security zones security-zone trustLan interfaces ge-0/0/0

- Configure the security policy in the specified zone-to-zone direction and specify the match criteria.

  [edit security policies]
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application ftp

- Configure the security policy in the specified zone-to-zone direction and specify the action to take when a packet matches the criteria. Logging both session-init and session-close gives a complete record of every permitted FTP session (the session-close log is configured with the log keyword, like session-init).

  [edit security policies]
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses.
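The following is an added audit helper, not part of this page or of Junos itself: it parses the set-style policy statements shown above into per-policy records and flags permit policies that do not log both session events or that match "any". The sample configuration embedded in it is constructed for illustration; policy2 is a hypothetical weaker policy added to show a finding.

```python
import re
from collections import defaultdict

# Accepts both the top-level form ('set security policies from-zone ...', as printed
# by 'show configuration | display set') and the relative form typed under
# [edit security policies] on this page.
POLICY_RE = re.compile(
    r"^set (?:security policies )?from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)

def parse_policies(config_text):
    """Group set commands into {(from_zone, to_zone, name): {'match': {...}, 'then': [...]}}."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # prompts, blank lines, non-policy statements
        fz, tz, name, section, rest = m.groups()
        rec = policies.setdefault((fz, tz, name), {"match": defaultdict(list), "then": []})
        if section == "match":
            key, _, val = rest.partition(" ")   # e.g. 'application ftp'
            rec["match"][key].append(val)
        else:
            rec["then"].append(rest)            # e.g. 'permit', 'log session-init'
    return policies

def audit(policies):
    """Report permit policies that do not log both session events or that match 'any'."""
    findings = []
    for (fz, tz, name), rec in policies.items():
        if "permit" not in rec["then"]:
            continue
        for event in ("log session-init", "log session-close"):
            if event not in rec["then"]:
                findings.append(f"{fz}->{tz} {name}: permit without '{event}'")
        for field in ("source-address", "destination-address", "application"):
            if "any" in rec["match"].get(field, []):
                findings.append(f"{fz}->{tz} {name}: match {field} any")
    return findings

# Constructed sample: the page's policy1 plus a hypothetical policy2 with weaker settings.
SAMPLE = """
set security policies from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match application ftp
set security policies from-zone trustZone to-zone untrustZone policy policy1 then permit
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-init
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-close
set security policies from-zone trustZone to-zone untrustZone policy policy2 match source-address any
set security policies from-zone trustZone to-zone untrustZone policy policy2 match application ssh
set security policies from-zone trustZone to-zone untrustZone policy policy2 then permit
"""

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE)):
        print(finding)
```

Running it against a real device's `show configuration security policies | display set` output works the same way, since only the policy statements are matched.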