
Creating and Managing Packet Filter Policy Instances

You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes that the match condition is true and selects the service set for processing automatically. To configure service filters, include the firewall statement at the [edit] hierarchy level. You configure service filters in a similar way to firewall filters.

If you configure match-direction input-output, sessions initiated from both directions might match this rule.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output.

On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.
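The flow lookup and direction-aware rule selection described above, as an added Python model (not Juniper's implementation). The term names, packets and the default no-match action (skip) are constructed assumptions, and the model installs a bidirectional flow only for terms whose action is accept or service.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key as the PIC would see it: (src, dst, sport, dport, proto)
FlowKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str  # "input" or "output", carried with the packet to the PIC


@dataclass
class Term:
    """One rule term: a match direction, optional From conditions, one Then action."""
    name: str
    match_direction: str              # input | output | input-output
    action: str                       # accept | discard | reject | service | skip
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_prefix: Optional[str] = None  # e.g. "10.0.0.0/8"

    def direction_allows(self, pkt_dir: str) -> bool:
        # Only terms whose direction matches the packet direction are considered;
        # an input-output term matches sessions initiated from either side.
        return self.match_direction in (pkt_dir, "input-output")

    def matches(self, pkt: Packet) -> bool:
        if not self.direction_allows(pkt.direction):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dport:
            return False
        if self.dst_prefix is not None:
            net = ipaddress.ip_network(self.dst_prefix, strict=False)
            if ipaddress.ip_address(pkt.dst) not in net:
                return False
        return True


class ServiceSetRules:
    """Ordered terms of one service set plus the PIC's flow table and counters."""

    def __init__(self, terms: List[Term], default_action: str = "skip"):
        self.terms = list(terms)
        self.default_action = default_action   # assumed action when no term matches
        self.flows: Dict[FlowKey, str] = {}
        self.counters: Dict[str, int] = {}

    @staticmethod
    def flow_key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, origin): origin is 'flow', the matching term name, or 'default'."""
        # 1. Flow lookup: a packet on an existing flow bypasses rule processing.
        action = self.flows.get(self.flow_key(pkt))
        if action is not None:
            return action, "flow"
        # 2. Rule processing: terms are tried in sequence until one matches.
        for term in self.terms:
            if term.matches(pkt):
                self.counters[term.name] = self.counters.get(term.name, 0) + 1
                if term.action in ("accept", "service"):
                    # Simplification: forwarded traffic installs a bidirectional flow,
                    # i.e. the forward key and the reverse key for return packets.
                    rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
                    self.flows[self.flow_key(pkt)] = self.flows[rev] = term.action
                return term.action, term.name
        return self.default_action, "default"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed packets run against a small term list; returns each decision."""
    rules = ServiceSetRules([
        Term("web-in", "input", "service", proto="tcp", dst_port=443),
        Term("mgmt-out", "output", "accept", dst_prefix="10.0.0.0/8"),
        Term("no-telnet", "input-output", "discard", proto="tcp", dst_port=23),
    ])
    pkts = {
        "client-syn": Packet("192.0.2.10", "198.51.100.5", 40000, 443, "tcp", "input"),
        "server-reply": Packet("198.51.100.5", "192.0.2.10", 443, 40000, "tcp", "output"),
        "wrong-direction": Packet("192.0.2.10", "198.51.100.5", 40001, 443, "tcp", "output"),
        "telnet-to-mgmt": Packet("192.0.2.10", "10.1.2.3", 40002, 23, "tcp", "output"),
        "telnet-in": Packet("203.0.113.9", "192.0.2.10", 40003, 23, "tcp", "input"),
    }
    return {name: rules.process(p) for name, p in pkts.items()}
```

Note that "telnet-to-mgmt" is accepted by the earlier mgmt-out term even though no-telnet would also match: term order, not specificity, decides.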

Creating a Packet Filter Policy

To configure a new Packet Filter policy or filter instance:

  1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
  2. From the View pane, select the All Network item. Expand the tree to select the device type and device node, which denotes the SDGs in a high availability pair of SDGs or an SDG group.
  3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  4. Select Service Edit > Policy and Filter from the task pane. The Service Templates page is displayed.
  5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and view the list of filter templates.
  6. From the task pane, select Packet Filter Policy and Filter to open the Packet Filter Policy and Filter page on the right pane.
  7. Click the Add icon above the table of listed templates. The Create Policy and Filter window is displayed.
  8. Enter the name of the group policy in the Name field.
  9. Enter a description for the group policy rules in the Description field. Edge Services Director sends the comments entered in this field to the device.
  10. In the Match Direction list, specify the direction in which the rule match is applied. Select one of the following options:
    • input—Apply the rule match on the input side of the interface.

    • input-output—Apply the rule match bidirectionally.

    • output—Apply the rule match on the output side of the interface.

  11. In the SDG section, do the following:
    • From the SDG drop-down list, select the devices with which the Packet Filter policy must be associated. Alternatively, you can select the high availability pair of SDG devices with which the Packet Filter policy must be associated. All of the devices in the different SDG groups that were previously defined in the database are also listed in the drop-down menu.

  12. Create a Packet Filter rule term that must be added to the Packet Filter policy. For details on configuring a Packet Filter rule term, see Creating a Packet Filter Rule Term.
  13. The list of terms added, and the associated service sets and rule sets, are displayed in a tabular format in the Create Policy and Filter page. Select the check box next to the term you want to attach to the Packet Filter policy.
  14. Click Create to save the Packet Filter policy.
  15. Alternatively, click Validate in the Create Rule page to perform validation checks on the configuration planned to be deployed to examine and correct any syntax errors or incompatible settings.
Note

In the Create Policy and Filter window, you can also do the following:

  • Click the Create icon displayed beside the terms or attributes to add a new attribute. You can then use the newly defined attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.

  • Click the Edit icon displayed beside the terms or attributes to modify an attribute. You can then use the modified attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.

  • Select the check box beside the SDGs or SDG groups in the Create Packet Filter Term page to include the devices or the SDG groups in the Packet Filter policy for association. Deselect the check boxes beside the SDGs or groups to exclude the devices from the Packet Filter policy.

  • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

Creating Addresses

To create an address:

  1. In the Source and Destination Address Selector dialog box, to create a new address, click the plus sign (+).

    The Create Address page appears.

  2. In the Object Type section, click the Address radio button to create an address.
  3. In the Name field, enter a name for the new address.
  4. In the Description field, enter a description for the new address.
  5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a hostname to an IP address.
    • To specify an IP address as the address type, select Host from the drop-down menu and enter the IP address in the IP field.

    • To specify a hostname as the address type, select Host from the drop-down menu and enter the hostname in the Host Name field.

    • To specify an IP address range, select Range from the drop-down menu and enter the IP ranges in the Start IP and End IP fields.

    • To specify a network as an address type, select Network from the drop-down menu and enter the network address in the IP and Netmask fields.

    • To specify an IP address with a wildcard mask, select Wildcard from the drop-down menu and enter the IP address in the IP field and wildcard mask in the Wildcard Mask fields.

    • To specify a DNS name as an address type, select DNS Host from the drop-down menu and enter the DNS name in the DNS Name field.

    Note

    You can resolve an IP address to a hostname and a hostname to an IP address using the green arrows next to the IP and Host Name fields.

    Note

    The host and network address types support both IPv4 and IPv6 address types. These address types also support multicast addresses. However, the range address type supports only IPv4 addresses. Packet Filter and IPsec VPNs do not support IPv6 addressing and wildcard addresses.

    Note

    Ensure that the first 8 bits of the address are not 0 and the highest bit of the mask is 1 when you are using the wildcard address type.

  6. Click Create to create an address.

    The new address appears in the Manage Address page.

Creating Address Groups

To create an address group:

  1. In the Source and Destination Address Selector dialog box, to create a new address group, click the plus sign (+).

    The Create Address Group page appears.

  2. Select the Object Type as Address Group.
  3. In the Name field, enter a name for the new address group.
  4. In the Description field, enter a description for the new address group.
  5. In the Addresses field, from the Available dialog box, select the address that you want to group, and click the right arrow to add to the Selected column.

    Click All to move all the addresses to the Selected column. The address you have selected appears in the Selected section of the dialog box.

  6. Click Create.

    The address group appears on the Address page.
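The address types from Creating Addresses and the grouping from Creating Address Groups, as an added Python model (not Edge Services Director code). It validates the two constraints the notes state (Range is IPv4 only; a Wildcard address needs a non-zero first octet and the highest mask bit set) and matches candidate IPs against the objects. The wildcard semantics (mask bit 1 = must match, 0 = don't care), the class names and all sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class AddressObject:
    """One address object as created on the Create Address page (hostname/DNS types omitted)."""
    name: str
    kind: str    # Host | Range | Network | Wildcard
    value: str   # "ip", "start-end", "net/prefix" or "ip/mask" respectively

    def __post_init__(self) -> None:
        validate(self.kind, self.value)   # reject what the page says the UI rejects


@dataclass(frozen=True)
class AddressGroup:
    name: str
    members: Tuple[AddressObject, ...]


def _range_bounds(value: str):
    start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    return start, end


def validate(kind: str, value: str) -> None:
    """Raise ValueError for an address value the documented constraints forbid."""
    if kind == "Host":
        ipaddress.ip_address(value)
    elif kind == "Range":
        start, end = _range_bounds(value)
        if start.version != 4 or end.version != 4:
            raise ValueError("range address type supports IPv4 only")
        if start > end:
            raise ValueError("range start must not exceed range end")
    elif kind == "Network":
        ipaddress.ip_network(value, strict=False)
    elif kind == "Wildcard":
        ip_s, mask_s = value.split("/")
        ip, mask = ipaddress.IPv4Address(ip_s), ipaddress.IPv4Address(mask_s)
        if int(ip) >> 24 == 0:
            raise ValueError("first 8 bits of a wildcard address must not be 0")
        if not int(mask) & 0x80000000:
            raise ValueError("highest bit of the wildcard mask must be 1")
    else:
        raise ValueError(f"unknown address type {kind!r}")


def is_valid(kind: str, value: str) -> bool:
    try:
        validate(kind, value)
        return True
    except ValueError:
        return False


def matches(obj: AddressObject, candidate: str) -> bool:
    """True if the candidate IP is covered by the address object."""
    addr = ipaddress.ip_address(candidate)
    if obj.kind == "Host":
        return addr == ipaddress.ip_address(obj.value)
    if obj.kind == "Range":
        if addr.version != 4:          # ranges are IPv4 only, so IPv6 never matches
            return False
        start, end = _range_bounds(obj.value)
        return start <= addr <= end
    if obj.kind == "Network":
        return addr in ipaddress.ip_network(obj.value, strict=False)
    # Wildcard: compare only the bits the mask marks as significant (assumed semantics)
    if addr.version != 4:
        return False
    ip_s, mask_s = obj.value.split("/")
    mask = int(ipaddress.IPv4Address(mask_s))
    return (int(addr) & mask) == (int(ipaddress.IPv4Address(ip_s)) & mask)


def matches_group(group: AddressGroup, candidate: str) -> bool:
    """An address group matches if any member object matches."""
    return any(matches(m, candidate) for m in group.members)
```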

Address and Address Groups Overview

You can use the Address Creation Wizard to create an address object that specifies an IP address or a hostname. You can specify a hostname and use the address resolution option to resolve it to an IP address. You can also resolve an IP address to the corresponding hostname.



You can group address objects to form an address group using the Address Group Creation Wizard. Junos Space creates an object in the Junos Space database to represent an address or an address group.

Creating a Packet Filter Rule Term

To add rules to a Packet Filter policy:

  1. In the Create Policy and Filter window, the list of rule terms already added, if any, to the Packet Filter policy is displayed.
  2. Next to the Terms field, click the + icon to add rules, and select the type of rule you want to add.
    Figure 1: Create a Packet Filter Rule Term Window
  3. In the Term Name field, specify the name of the rule.

    The list of SDGs with which you associated the Packet Filter policy in the Create Policy window is displayed, together with the From and Then sections or clauses. If you selected SDG groups to associate with the Packet Filter policy, the SDG group names are displayed.

  4. In the From section, do the following to specify input conditions or match criteria for the Packet Filter term:
    • In the Source Address field, click the down arrow in the list. The address selector dialog box appears. Select the source addresses that need to be added to the Packet Filter policy from the Available column and click the right arrow to move these devices to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • In the Destination Address field, click the down arrow in the list. The address selector dialog box appears. Select the destination addresses that need to be added to the Packet Filter policy from the Available column and click the right arrow to move these devices to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • Specify a destination port to match the rule in the Destination Port field.

    • Specify a source port to match the rule in the Source Port field.

    • In the Add Term page, in the Application or Application Set sections, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the packet filter policy rule term from the Available column and click the right arrow to move these applications or application sets to the Selected column.

      To create a new application name or application set, see Creating Applications and Application Sets.

    • When you create a rule or filter term, and define the name of the filter, for SDGs that are part of a high availability pair of devices, the names of the SDGs are displayed as tabs and check boxes beside the hostnames of the SDGs are displayed. If you want the policy or filter term definition to apply to both the SDGs, select the check boxes next to the SDG names.

      Otherwise, when you click the SDG name tab for the SDG for which you did not select the check box, a blue highlight overlays the entire dialog box to indicate that the settings are not enabled for configuration for that specific SDG.

    • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

    • Select the name of the target application set from the Application Sets selector dialog box. Select the application sets that need to be added from the Available Column and click the right arrow to move the application sets to the Selected column.

    • In the Source Prefix field, click the down arrow in the list to specify the source prefix for rule matching traffic. The address selector dialog box appears. Select the source addresses that need to be added to the Packet Filter policy from the Available column and click the right arrow to move these devices to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • In the Destination Prefix field, click the down arrow in the list to specify the destination prefix for rule matching traffic. The address selector dialog box appears. Select the source addresses that need to be added to the packet filter policy from the Available column and click the right arrow to move these devices to the Selected column.

      Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

      To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    • Select the type of protocol from the Protocol drop-down menu. The Protocol selector dialog box appears. Select the protocols you want to add from the Available column, and click the right arrow to move them to the Selected column.

  5. In the To section, do the following to specify actions or modifiers to be performed for the Packet Filter term:
    • In the Count field, specify the name of the counter in which matched packets are counted.

    • In the Forwarding Class list, select the name of the forwarding class that must be used to classify the packet. Select one of the following options:

      • forwarding-class-name

      • assured-forwarding

      • best-effort

      • expedited-forwarding

      • network-control

    • In the Actions field, click the down arrow in the list. Select one of the following options:

      accept—Accept the traffic and send it on to its destination.

      discard—Do not accept traffic or process it further.

      reject—Do not accept the traffic and return a rejection message. Rejected traffic can be logged or sampled.

      count—Add the packet to a counter total.

      log—Log the packet.

      port-mirror—Port-mirror the packet.

      sample—Sample the packet.

      service—Forward the packet for service processing.

      skip—Omit the packet from service processing.

    • In the Protocol list, select the protocol for which packets must be classified.

    • In the Routing Instance list, select the name of the configured routing instance for the SDG or SDG group to enable the packets to be directed for processing.

    • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

    • When you create a rule or filter term, and define the name of the filter, for SDGs that are part of a high availability pair of devices, the names of the SDGs are displayed as tabs and check boxes beside the hostnames of the SDGs are displayed. If you want the policy or filter term definition to apply to both the SDGs, select the check boxes next to the SDG names.

      Otherwise, when you click the SDG name tab for the SDG for which you did not select the check box, a blue highlight overlays the entire dialog box to indicate that the settings are not enabled for configuration for that specific SDG.

    • Select the Syslog check box to enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.

  6. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to perform validation checks on the configuration planned to be deployed to examine and correct any syntax errors or incompatible settings.
  7. A new rule is added in the last row depending on the type of rule you have added. The newly added rules blink with a different color for a few seconds. The behavior is the same if you add a new rule before or after a rule, clone a rule, or paste a rule.

    The rule is assigned a serial number based on the number of rules already added to the policy.

Creating an Application and Application Set

To create an application and an application set for a Packet Filter rule term:

  1. In the Add Term page, in the Application or Application Set sections, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the packet filter term from the Available column and click the right arrow to move these application sets to the Selected column.

Associating Service Sets and Rule Sets With a Packet Filter Rule

To associate a service set and a rule set with a Packet Filter rule term:

  1. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the Packet Filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
  2. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
  3. From the Type drop-down list, do either of the following:
    • Select Service Set to map a service set with the policy filter template.

    • Select Rule Set to map a rule set with the policy filter template.

    Depending on whether you selected service set or rule set in the Type list for association with the policy filter template, the options that are displayed in the Value list beneath the Type list vary.

  4. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list. If you selected Rule Set from the Type list, select a rule set previously configured in the Service Designer workspace from the Value list. Click Add to map the service set or rule set with the Packet Filter rule.
  5. Click Save to save the settings. Alternatively, click Cancel to abort the changes.
  6. Click Copy to All Hosts in the Associate Service Sets dialog box to apply the defined term at the system or network level and not at a particular SDG or SDG group level. You are returned to the Add Term window.

Associating Interfaces With a Packet Filter Rule

To associate an interface with a Packet Filter rule term:

  1. In the Create Policy and Filter page, click Associate Interfaces. The Associate Interfaces dialog box is displayed. The SDGs and SDG groups that are part of the packet filter rule term are shown in one column. Under the Association column, either the Configure or Edit link appears. If you already created and mapped a service set with the particular SDG or group, the Edit link shows.
  2. Click the Configure or Edit link. The Associate Interfaces dialog box is displayed.
  3. Select an interface previously configured in the Service Designer workspace from the Interfaces list. Select the logical unit number of the interface from the Unit list. Click Add to map the interface with the packet filter rule.
  4. Click Done to save the settings. Alternatively, click Cancel to abort the changes.
  5. Click Done in the Associate Interfaces dialog box. You are returned to the Add Term window.

Modifying Packet Filter Policies

Before you can edit the policy, you must lock it by clicking the lock icon, which is available in the policy tabular view. You can hold more than one policy lock at a given time. You can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular view. If you attempt to lock a policy that is already locked by another user, the following message appears, as shown in Figure 2. The tooltip shows information about the user who locked the policy. Mouse over the policy that you want to lock to view the tooltip.

Figure 2: Lock Failure Error Message for the Second User

If the locked policy is inactive for the set timeout value (default 5 minutes), 1 minute before the timeout interval expires the following message appears, as shown in Figure 3. If the policy lock timeout interval expires for multiple locked policies, the same warning message appears for each locked policy. To understand the configuration of the timeout value and session timeout value, see Unlocking Locked Policies.

Figure 3: Inactivity Timeout Error

Click Yes to extend the locking period. If you click No, and if there is activity on the policy within the last minute of the lock’s life, the timer will be reset and the lock will not be released. If you ignore the message, when the policy lock timeout interval expires 1 minute later, you are prompted to either save the edited policy with a different name or lose the changes, as shown in Figure 4.

Figure 4: Policy Lock Expired Message

If you click Yes to save the edited policy with a different name, the Save As window appears. If you navigate away from the locked policy, either the policy is unlocked (when there are no changes) or you will get an option to save the edited policy with a different name.

After editing a locked policy, if you move to another policy without saving your edited policy, or if you unlock the policy without saving, the following warning message appears, as shown in Figure 5.

Figure 5: Packet Filter Policy: Unsaved Changes Message

If the Edge Services Director administrator releases the lock, you will receive the following warning message, as shown in Figure 6.

Figure 6: Packet Filter Policy: Policy Unlock by Admin Message

If you do not edit the locked policy and the policy lock timeout expires, the following warning message appears, as shown in Figure 7.

Figure 7: Packet Filter Policy Lock Release Message

The policy is locked and released for the following policy operations. These operations are also disabled for a policy that is locked by another user.

  • Modify

  • Assign devices

  • Rollback

  • Delete

Note
  • You can unlock the policy by logging out of the application or when the policy lock timeout expires. You can unlock your policies even if they are not edited.

  • If the browser crashes when the policy is still locked, the policy is unlocked only after the timeout interval expires.

  • If there is an object conflict resolution during a migration, import, or rollback, and if you are editing any objects, you will receive a save as option for the edited objects. The behavior is the same when you import addresses from CSV.

  • Policy lock is not released under the following scenario:

    • If you save or discard your changes to the locked policy.

    • If you do not make any changes to the locked policy and navigate to another policy.

  • It is recommended to configure the session time longer than the lock timeout value.

To modify an existing Packet Filter policy or filter template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. Select Service Edit > Policy and Filter from the task pane. The Packet Filter Policies page is displayed.
  4. From the task pane, select Packet Filter Policy and Filter to open the Packet Filter and Filter page on the right pane.
  5. Select a policy, and click the Lock icon above the table of listed policies.
  6. From the Service Gateway Name drop-down list, select the SDG group to which the packet filter must be applied.
  7. From the Host Name drop-down list, select the hostname of the SDG.
  8. In the Select Common Components section, select the check boxes beside the service modules or components, such as packet filters, SFW rules, or CGNAT rules, that are displayed. The displayed components depend on the attributes that are previously defined for that selected packet filter. For example, if the service policy is for stateful firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config Category to select all the service components.
  9. Click Save to save the modified association.
  10. Select the check box beside the template you want to modify.
  11. Click the Modify button above the table of listed templates. The Modify Policy and Filter window is displayed.
  12. Modify the attributes that are needed and save the updated settings.

Creating a Deployment Plan

You must have previously defined service instances and policy or filter instances before you can create a deployment plan.

To create a deployment plan and assign devices to it:

  1. From the View selector, select Gateway View or Service View. In Gateway View, the devices in the entire network are displayed, organized by the device types and the device models within each device type. In Service View, the different types of services are displayed in the View pane, and the workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the View pane, select the All Network item in Gateway view. Click the plus sign (+) beside the All Network item in the View pane to expand the tree and select the device node you want. Alternatively, from the View pane, click the plus sign (+) beside All Services to expand the tree and select the type of service.
  4. From the task pane, select Service Edit. The Service Templates page is displayed.
  5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the tree in the task pane and view the list of filter templates.
  6. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways, or the SDG or SDG pair for which you want to view the previously configured policy or filter templates. This step is applicable only if you selected Gateway View.

    The list of SDGs is displayed in the left pane. You can drill down to the SDG or pair of SDGs for which you want to process policies or filters. The policy and filter rules are displayed in the right pane.

  7. If you are in Service View, from the View pane, select the All Services item. The Services page is displayed.
  8. From the task pane, select Deploy Service > Packet Filter. The Packet Filter Policies page is displayed.
  9. Select the check boxes next to the policy instances that you want to assign to the plan.
  10. Click the down arrow in the Actions menu and select Send for Deployment to create a deployment plan for the particular service instance and save the plan.
    • If you create a deployment plan from Gateway view of Deploy mode, the Deployment Plan Summary dialog box appears, with the service name, type, and status listed.

      Click Send to create a deployment plan.

    • If you create a deployment plan from Service view of Deploy mode, the Edit Service Instance page is displayed. You can modify the SDGs associated with the service instance and also modify the service instance attributes as necessary by either clicking the buttons corresponding to the various settings at the top of the wizard page to directly traverse to the page you want to modify or clicking the navigation buttons at the bottom of the wizard page to go to the different pages of the wizard. Click Finish to create a deployment plan.

    A deploy plan is created for the service instance with the devices that are assigned to it when you view the Deployment Plans page.

  11. From the Deployment plans page, you can select Reject or Approve from the Actions drop-down list to reject or approve the deployment plan and make it available for commissioning to the devices.