Stateful Firewalls

A stateful firewall tracks connection state and performs a rule match only on the first packet of a connection.

In contrast, a stateless firewall does not track connection state and matches every packet to pre-configured rules; see Dynamic Firewall Filters for the JUNOS SDK implementation of stateless firewall filters.
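To make the first-packet rule match and flow creation concrete, here is an added Python model that is not part of the JUNOS SDK or of this document; the rule set, the addresses and the packet sequence are constructed, and the StatelessFilter class stands in for a stateless filter so the two behaviours can be compared side by side.

```python
from collections import namedtuple

# Packet is reduced to the 5-tuple a flow is keyed on (constructed model).
Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed rule set: first match wins, with an implicit final discard.
# Think of it as a single "match-direction input" rule on the trusted side.
RULES = [
    {"proto": "tcp", "dst": "203.0.113.10", "dport": 21, "action": "accept"},
]

def match_rules(rules, pkt):
    """Linear rule lookup; a stateless filter pays this cost for every packet."""
    for rule in rules:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "discard"

class StatelessFilter:
    def __init__(self, rules):
        self.rules, self.rule_lookups = rules, 0

    def process(self, pkt):
        self.rule_lookups += 1          # no memory: every packet is re-matched
        return match_rules(self.rules, pkt)

class StatefulFirewall:
    """Rules are consulted only for the first packet of a connection; the
    flow entry created then admits later packets in both directions."""
    def __init__(self, rules):
        self.rules, self.rule_lookups, self.flows = rules, 0, set()

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "accept"             # flow hit: no rule match performed
        self.rule_lookups += 1
        action = match_rules(self.rules, pkt)
        if action == "accept":
            self.flows.add(fwd)         # flow created once the rule match completes
        return action

# Constructed FTP control session: client SYN, server reply, client ACK.
SESSION = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 21),
    Packet("tcp", "203.0.113.10", 21, "10.0.0.5", 40000),
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 21),
]
```

Run over SESSION, the stateful model admits the server's reply on the strength of the flow it created for the client's first packet and consults the rules once, while the stateless model re-matches all three packets and discards the reply because no rule covers the return direction. A production flow table additionally ages entries out and tracks protocol state, which this model omits.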

Once a rule match completes, the system creates a flow and, based on the configured rules, tracks the connection state at multiple levels as follows:

The microkernel on the Multiservices PIC includes a stateful firewall service, which is described in the JUNOS Services Interfaces Configuration Guide and is also available as part of the Services SDK. SDK applications on the Multiservices PIC can include the stateful firewall service in their configuration to take advantage of the supported application-layer gateways it provides, adding an extra level of security.

For details about how to configure a stateful firewall, see Configuring Stateful Firewalls in the JUNOS SDK. For detailed information about configuring JUNOS services, see the JUNOS Services Interfaces Configuration Guide.

Note:
The stateful firewall service requires a license. Please contact sdk-pm@juniper.net for information on obtaining the license.

Supported ALGs

The JUNOS SDK implementation of stateful firewall supports the following application-layer gateways (ALGs) in this release.

  tftp                 Trivial File Transfer Protocol
  dns                  Domain Name Service
  snmp                 SNMP
  ip                   IP
  login                Login
  shell                Shell
  exec                 Remote Execution Protocol
  traceroute           Traceroute
  icmp                 ICMP
  ftp                  File Transfer Protocol

The following ALGs are not currently supported in the SDK:

  h323                 H.323
  winframe             WinFrame
  netbios              NetBIOS
  netshow              NetShow
  realaudio            RealAudio
  iiop                 Internet Inter-ORB Protocol
  rpc                  RPC
  rpc-portmap          RPC portmap
  sqlnet               SQLNet
  sip                  Session Initiation Protocol
  dce-rpc              DCE RPC
  dce-rpc-portmap      DCE RPC portmap
  rtsp                 Real Time Streaming Protocol
  bootp                Bootstrap Protocol

To list the supported ALGs from the command-line interface (CLI), use the following command:

set applications application x1 application-protocol ?

Applications

The application rules can choose applications from either the list of JUNOS default applications or from any user-configurable applications. You can query for the list of JUNOS default applications with the following CLI command:

# show groups junos-defaults applications application ?

Actions

The following actions are supported:

Limitations

The following limitations apply to the stateful firewall support:

2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:26:47 2010 for Juniper Networks Partner Solution Development Platform JUNOS SDK 10.2R1 by Doxygen 1.4.5