
    Creating and Managing SFW Policy and Filter Instances

    A stateless firewall filter, often called a firewall filter or access control list (ACL), statically evaluates packet contents. In contrast, a stateful firewall filter, or stateful firewall policy, uses connection state information derived from past communications and other applications to make dynamic control decisions.

    Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

    [edit services stateful-firewall rule rule-name]
    match-direction (input | output | input-output);

    If you configure match-direction input-output, sessions initiated from both directions might match this rule.

    The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

    With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

    With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output.

    On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.

    Note: Before you create a policy and filter template for packet filters, SFW, or CGNAT services, you must have previously configured the different elements or attributes of the service, such as service sets, interface sets, rule sets, and syslogs during the creation of the service template. The sections in this procedural topic that describe the creation of such service elements apply during the creation of the service template and not during the creation of the service policy filters, such as CGNAT or SFW policies.

    Creating an SFW Policy

    To configure a new SFW policy or filter instance:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit from the task pane. The different service types are displayed in the task pane.
    5. Click the right arrow next to Service Edit in the task pane to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW Policy and Filter page on the right pane.
    7. Click the Add icon above the table of listed templates. The Create Policy and Filter window is displayed.

      Figure 1: Create SFW Policy Window

    8. Enter the name of the group policy in the Name field.
    9. Enter a description for the group policy rules in the Description field. Edge Services Director sends the comments entered in this field to the device.
    10. In the Match Direction list, specify the direction in which the rule match is applied. Select one of the following options:
      • input—Apply the rule match on the input side of the interface.
      • input-output—Apply the rule match bidirectionally.
      • output—Apply the rule match on the output side of the interface.
    11. In the SDG section, do the following:
      • From the SDG drop-down list, select the devices with which the NAT policy must be associated. Alternatively, you can select the high availability pair of SDG devices with which the NAT policy must be associated. All of the devices in the different SDG groups that were previously defined in the database are also listed in the drop-down menu.
    12. Create an SFW rule term that must be added to the SFW policy. For details on configuring an SFW rule term, see Creating an SFW Rule Term.
    13. The list of terms added, and the associated service sets and rule sets, are displayed in a tabular format in the Create Policy and Filter page. Select the check box next to the term you want to attach to the SFW policy.
    14. Click Create to save the SFW policy.
    15. Click Validate to perform validation checks on the configuration planned to be deployed to examine and correct any syntax errors or incompatible settings. You can also validate without deploying the configuration.

    Note: In the Create Policy and Filter window, you can also do the following:

    • Click the Create icon displayed beside the terms or attributes to add a new attribute. You can then use the newly defined attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.
    • Click the Edit icon displayed beside the terms or attributes to modify an attribute. You can then use the modified attribute to add to a policy to cause the same selection for a particular term to be applied across all SDGs or groups.
    • Select the check box beside the SDGs or SDG groups in the Create SFW Term page to include the devices or the SDG groups in the SFW policy for association. Deselect the check boxes beside the SDGs or groups to exclude the devices in the SFW policy.
    • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.

    Creating a Service Set

    A service set is a collection of services to be performed by an Adaptive Services (AS) or Multiservices PIC. To create a service set as a component for the SFW template:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit from the task pane. The different types of services are displayed in the task pane.
    5. Click the right arrow next to Service Edit to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on the right pane.
    7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
    8. Enter the name of the template, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
    9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
    10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
    11. From the Type drop-down list, select Service Set to map a service set with the policy filter instance.
    12. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
    13. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

      Note: If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

    14. In the Name field, enter the name to identify the service set. Rules are combined into rule sets, and are associated with a service set for each application such as firewall or CGNAT.
    15. In the Sampling Service Choices section, do one of the following:
      • Click Interface Services to configure an interface-style service set. An interface service set is used as an action modifier across an entire interface.
        • In the Service Interfaces field, specify the name for the adaptive services interface associated with an interface-wide service set.

          When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the PIC.

        • From the Load Balancing Options section, configure the high availability (HA) options.

          The following hash keys can be configured in the egress direction: destination-ip (Use the destination IP address of the flow to compute the hash used in load balancing.) and source-ip (Use the source IP address of the flow to compute the hash used in load balancing.)

        • Click the green tick mark beside the Egress Key element to configure the hash keys to be used in the egress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.
        • Click the green tick mark beside the Ingress Key element to configure the hash keys to be used in the ingress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.

        Configure the hash keys used for load balancing in aggregated multiservices (AMS) for service applications (Network Address Translation [NAT], stateful firewall, application-level gateway [ALG], HTTP header enrichment, and mobility). The hash keys supported in the ingress and egress direction are the source IP address and destination IP address.

        Hash keys are used to define the load-balancing behavior among the various members in the AMS group. For example, if hash-keys is configured as source-ip, then the hashing would be performed based on the source IP address of the packet. Therefore, all packets with the same source IP address land on the same member. Hash keys must be configured with respect to the traffic direction: ingress or egress. For example, if hash-keys is configured as source-ip in the ingress direction, then it should be configured as destination-ip in the egress direction. This is required to ensure that the packets of the same flow reach the same member of the AMS group.

        The configuration of the ingress and egress hash keys is mandatory if you are using AMS for NAT. This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen. Refer to Table 1 for the supported hash keys.

        The resource-triggered option enables anchor session PICs to use the load or resource information from the anchor services PICs to select the AMS member that will anchor the services for the subscriber, for load balancing among AMS members. In addition, for mobile subscriber-aware services (such as HTTP header enrichment), you must configure the resource-triggered statement, which means that the load balancing is not done using the ingress and egress keys.

        Table 1: Hash Keys Supported for AMS for Service Applications

        Hash Keys for NAT

        NAT Type                                  | Service Set at Ingress Interface          | Service Set at Egress Interface
                                                  | Ingress hash key   | Egress hash key      | Ingress hash key   | Egress hash key
        source static                             | Destination IP     | Source IP            | Source IP          | Destination IP
        source dynamic                            | Source IP          | Destination IP       | Destination IP     | Source IP
        Network Address Port Translation (NAPT)   | Source IP          | Destination IP       | Destination IP     | Source IP
        destination static                        | Source IP          | Destination IP       | Destination IP     | Source IP

        Hash Keys for Stateful Firewall

        Service                                   | Service Set at Ingress Interface          | Service Set at Egress Interface
                                                  | Ingress hash key   | Egress hash key      | Ingress hash key   | Egress hash key
        Stateful Firewall                         | Destination IP     | Source IP            | Destination IP     | Source IP
        Stateful Firewall                         | Source IP          | Destination IP       | Source IP          | Destination IP

        Note: If NAT is used in the service set (along with stateful firewall and ALG), then the hash keys should be based on the NAT type; otherwise, the hash keys of the stateful firewall should be used.

      • Click Next Hop Services to configure a next-hop style service set. A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes.
        • In the Inside Interface list, specify the interface type of the service interface associated with the service set applied inside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied inside the network.

          When a next-hop service is configured, the AS or Multiservices PIC is considered to be a two-legged module with one leg configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).

        • In the Outside Interface list, specify the interface type of the service interface associated with the service set applied outside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied outside the network.
        • In the Service Interface Pool list, select the name of the pool of logical interfaces configured at the [edit services service-interface-pools pool pool-name] hierarchy level. You can configure a service interface pool only if the service set has a PGCP rule configured. The service set cannot contain any other type of rule.
      • Click Sampling Services to configure a sampling service set.
        • In the Service Interface field, specify the service interface, which is the interface the sampling is taken from. In the case of a sampling service set, the service interface must be a Multiservices PIC interface with a subunit number of 0 (zero). The subunit number defaults to 0. The reverse-flow statement is not mandatory. All sampled traffic is considered to be forward traffic. If you set the reverse-flow statement, it is ignored.
      • Select the Replication Service check box to configure the services replication options for inter-chassis high availability on MS-MIC and MS-MPC. This field is available only if you selected the Junos OS 12.1 version.
        • In the Replication Threshold field, specify the number of seconds for the replication threshold. When a flow has been active for more than the number of seconds specified as a threshold, flow state information is replicated to the backup device. Make sure that the replication-threshold value is greater than the open-timeout value (the timeout period for establishing a TCP connection). The default value of the replication threshold is 180 seconds. This value is also the minimum.
        • Select the Stateful Firewall check box to replicate stateful firewall state information.
        • Select the NAT check box to replicate NAPT44 information.
    16. Select the Service Set Options check box to specify the service set options to apply to a service set. This field is available only if you selected the Junos OS 14.1 version.
    17. In the Redundancy Set ID field, specify a unique identifier in the range of 1 through 100 for the redundancy set. The redundancy group IDs that the service redundancy daemon (srd) uses are associated with those configured for the ICCP daemon (iccpd) through the existing ICCP configuration hierarchy by using the same redundancy group ID in the configuration of the services redundancy group. This field is available only if you selected the Junos OS 14.1 version.

      The actions to be performed when configured redundancy events occur are defined in redundancy policies. Redundancy policies are associated with redundancy sets; they are analogous to rules associated with service sets. Redundancy sets are associated with redundancy groups by redundancy group IDs. Redundancy group details are defined by the underlying ICCPd configuration. Finally, service sets and redundancy sets are associated through the redundancy-sets statement in the service set configuration.

    18. In the SFW Rule Sets section, select the rule set you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
    19. In the SFW Rules section, select the rule you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
    20. In the SFW Syslogs section, select the syslog you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
    21. Click Save to save the service instance configuration. Otherwise, click Close to discard the changes to the template.
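    The hash-key requirement stated in step 15 (an ingress key of source-ip must be paired with an egress key of destination-ip, and vice versa) is easy to get wrong in the dialog and hard to spot until sessions start failing on a particular AMS member. The following is an added example, not part of the Edge Services Director documentation or of Junos: it models how a chosen key steers each direction of a flow to an AMS member and checks whether a configured pair keeps both directions together. Member selection here is a constructed stand-in (the numeric address modulo the member count), not the PIC's actual hashing, and the sample flows are constructed.

```python
# Added example (not from the documentation or from Junos): how the ingress
# and egress hash keys of an AMS service set steer the two directions of a
# flow, and a check that the configured pair is complementary.
import ipaddress
from typing import List, NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str


def pick_member(pkt: Packet, hash_key: str, members: int) -> int:
    """Return the AMS member index this packet is steered to.

    hash_key is 'source-ip' or 'destination-ip', the two values offered on the
    Ingress Key and Egress Key elements.
    """
    if hash_key == "source-ip":
        addr = pkt.src
    elif hash_key == "destination-ip":
        addr = pkt.dst
    else:
        raise ValueError(f"unsupported hash key {hash_key!r}")
    # Constructed hash for the demonstration: numeric address modulo members.
    return int(ipaddress.ip_address(addr)) % members


def keys_are_complementary(ingress_key: str, egress_key: str) -> bool:
    """True when the egress key mirrors the ingress key (source <-> destination)."""
    mirror = {"source-ip": "destination-ip", "destination-ip": "source-ip"}
    return mirror.get(ingress_key) == egress_key


def flow_stays_on_one_member(forward: Packet, ingress_key: str,
                             egress_key: str, members: int) -> bool:
    """Hash the forward packet with the ingress key and its reply with the
    egress key; the reply swaps source and destination."""
    reverse = Packet(src=forward.dst, dst=forward.src)
    return (pick_member(forward, ingress_key, members)
            == pick_member(reverse, egress_key, members))


def split_flows(flows: List[Packet], ingress_key: str, egress_key: str,
                members: int = 4) -> List[Packet]:
    """Return the flows whose two directions would land on different members."""
    return [f for f in flows
            if not flow_stays_on_one_member(f, ingress_key, egress_key, members)]


# Constructed sample flows, forward direction (inside -> outside).
SAMPLE_FLOWS = [
    Packet("10.0.0.1", "198.51.100.7"),
    Packet("10.0.0.2", "203.0.113.6"),
    Packet("10.0.0.3", "192.0.2.9"),
]

if __name__ == "__main__":
    for pair in (("source-ip", "destination-ip"), ("source-ip", "source-ip")):
        print(pair, "complementary:", keys_are_complementary(*pair),
              "split flows:", split_flows(SAMPLE_FLOWS, *pair))
```

    With the complementary pair, the address that is hashed is the same in both directions (the forward packet's source is the reply's destination), so every flow stays on one member regardless of the hash function; with source-ip in both directions, the forward and reply packets hash different addresses and some flows are split, which is exactly the condition the table and the note above are meant to prevent.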

    Creating a Syslog

    You can enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.

    To create a syslog for the SFW template:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit > Policy and Filter from the task pane. The Service Edit > Policy and Filter page is displayed.
    5. Click the plus sign (+) next to Policy and Filter to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on the right pane.
    7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
    8. Enter the name of the template, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
    9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
    10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
    11. From the Type drop-down list, select Service Set to map a service set with the policy filter instance.
    12. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
    13. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

      Note: If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

    14. Click the green plus sign next to the Syslog Settings field. The Addition of Service Sets dialog box appears.
    15. In the Host field, enter the hostname for the syslog component. Specify the fully qualified domain name or IP address for the syslog server.
    16. In the Services list, specify the system logging severity level. It assigns a severity level to the facility. Valid entries include:
      • alert—Conditions that should be corrected immediately.
      • any—Matches any level.
      • critical—Critical conditions.
      • emergency—Panic conditions.
      • error—Error conditions.
      • info—Informational messages.
      • notice—Conditions that require special handling.
      • warning—Warning messages.
    17. From the Facility Override list, select the override for the default facility for system log reporting. Valid values include:
      • authorization
      • daemon
      • ftp
      • kernel
      • local0 through local7
      • user
    18. In the Log Prefix field, set the system logging prefix value for all logging to the system log host.
    19. In the Port field, specify the port number to be used for connection with the remote syslog server.
    20. In the Source Address field, specify a source address to record in system log messages that are directed to a remote machine specified in the hostname statement. The supported interfaces are ms, rms, and mams interfaces. If you do not specify the interface parameter, the command loops on all supported interfaces. This field is available only if you selected the Junos OS 14.1 version.
    21. In the Class section, set the class of applications to be logged to the system log.
      • alg-logs—Log application-level gateway events.
      • ids-logs—Log intrusion detection system events.
      • nat-logs—Log Network Address Translation events.
      • packet-logs—Log general packet-related events.
      • session-logs—Log session open and close events.
      • session-logs open—Log session open events only.
      • session-logs close—Log session close events.
      • stateful-firewall-logs—Log stateful firewall events.
    22. Click Save to save the service instance configuration. Otherwise, click Close to discard the changes to the template.

    Creating a Rule

    To create a rule for the SFW template:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit from the task pane.

      The Service Edit page is displayed.

    5. Click the right arrow next to Service Edit to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on the right pane.
    7. Click the Add icon.

      The Create an SFW Policy and Filter Template window appears.

    8. Enter the name of the template and the service instance in the respective fields.
    9. Click the green plus sign in the Rules box. The Addition of Rules dialog box appears.

      Note: If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

    10. From the Rule list, select one of the previously configured rules. The rules that you configured in the Service Templates workspace for SFW, packet filter, or CGNAT are displayed.
    11. Click Save to save the service instance configuration. Otherwise, click Close to discard the changes to the template.

    Creating a Rule Set

    The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule.

    The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.
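    The processing order matters for policy review: a flow hit bypasses the rules entirely, a rule whose match direction does not cover the packet direction is never consulted (see the overview at the top of this topic), the first matching term in the first applicable rule decides, and a packet no rule matches is dropped. The following is an added example, not part of the documentation or of Junos, that models that order in Python so a planned rule set can be exercised against constructed packets before it is deployed. The Term fields src_prefix and dport are this example's own simplification of a term's from clause, and the policy and traffic in demo() are constructed.

```python
# Added example (not from the documentation or from Junos): a model of
# stateful firewall rule processing with match-direction filtering, a
# bidirectional flow table, first-match term semantics and default discard.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str          # "input" or "output", assigned by the service set


@dataclass
class Term:
    name: str
    action: str                       # "accept" or "discard"
    src_prefix: Optional[str] = None  # simplified from clause: source prefix
    dport: Optional[int] = None       # simplified from clause: destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Rule:
    name: str
    match_direction: str    # "input", "output" or "input-output"
    terms: list

    def applies_to(self, direction: str) -> bool:
        return self.match_direction in ("input-output", direction)


class StatefulFirewall:
    def __init__(self, rule_set: list):
        self.rule_set = rule_set   # rules in the order listed in the rule set
        self.flows = set()         # bidirectional flow table
        self.trail = []            # decision log for reviewing a policy

    @staticmethod
    def flow_key(pkt: Packet):
        # A packet and its reply share one key: the endpoints are unordered.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def process(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        if key in self.flows:
            self.trail.append("flow hit")
            return "accept"                       # no rule processing at all
        for rule in self.rule_set:
            if not rule.applies_to(pkt.direction):
                self.trail.append(f"skip {rule.name} (direction)")
                continue
            for term in rule.terms:
                if term.matches(pkt):
                    self.trail.append(f"{rule.name}/{term.name} -> {term.action}")
                    if term.action == "accept":
                        self.flows.add(key)       # bidirectional flow created
                    return term.action            # rule processing stops here
        self.trail.append("no match -> default discard")
        return "discard"


def demo() -> dict:
    """Constructed policy and traffic; returns the verdicts for inspection."""
    fw = StatefulFirewall([
        Rule("allow-web-out", "input",
             [Term("https", "accept", src_prefix="10.0.0.", dport=443)]),
        Rule("deny-rest", "input-output", [Term("all", "discard")]),
    ])
    syn = Packet("10.0.0.5", 40001, "198.51.100.7", 443, "tcp", "input")
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 40001, "tcp", "output")
    unsolicited = Packet("198.51.100.7", 50000, "10.0.0.5", 22, "tcp", "output")
    return {
        "syn": fw.process(syn),
        "reply": fw.process(reply),
        "unsolicited": fw.process(unsolicited),
        "flows": len(fw.flows),
        "trail": fw.trail,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    The reply packet is accepted on the flow hit even though no rule with match-direction output would accept it, and the unsolicited packet from the same server is discarded because it has no flow and only the input-output rule is consulted for output traffic; removing deny-rest leaves the verdict unchanged, since a packet matched by no rule is dropped by default.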

    To create a rule set for the SFW template:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit from the task pane. The Service Edit page is displayed.
    5. Click the right arrow next to Service Edit to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW and Filter page on the right pane.
    7. Click the Add icon. The Create an SFW Policy and Filter Template window appears.
    8. Enter the name of the template, a description, and the direction in which the rule match must be applied in the respective fields. Also, select the SDG or SDG pair for which the syslog needs to be defined for the service set.
    9. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the NAT policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
    10. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
    11. From the Type drop-down list, select Service Set to map a service set with the policy filter instance.
    12. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list.
    13. Click the green plus sign next to the Value drop-down list. The Addition of Service Sets dialog box appears.

      Note: If a green plus sign mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red minus mark shows that you can delete that particular attribute for that component.

    14. In the Name field, specify a name for the rule set the router uses when applying this service.
    15. In the Rules section, select the rules that need to be added to the rule set from the Available column and click the right arrow to move these rules to the Selected column. All the rules that you previously configured during the creation or modification of the service instance are displayed.
    16. Click Save to save the rule set configuration. Otherwise, click Close to discard the changes to the template.

    Creating Addresses

    To create an address:

    1. In the Source and Destination Address Selector dialog box, click the plus sign (+) to create a new address.

      The Create Address page appears.

    2. In the Object Type section, click the Address radio button to create an address.
    3. In the Name field, enter a name for the new address.
    4. In the Description field, enter a description for the new address.
    5. Direct Edge Services Director to resolve an IP address to a hostname or resolve a hostname to an IP address.
      • To specify an IP address as the address type, select Host from the drop-down menu and enter the IP address in the IP field.
      • To specify a hostname as the address type, select Host from the drop-down menu and enter the hostname in the Host Name field.
      • To specify an IP address range, select Range from the drop-down menu and enter the IP ranges in the Start IP and End IP fields.
      • To specify a network as an address type, select Network from the drop-down menu and enter the network address in the IP and Netmask fields.
      • To specify an IP address with a wildcard mask, select Wildcard from the drop-down menu and enter the IP address in the IP field and wildcard mask in the Wildcard Mask fields.
      • To specify a DNS name as an address type, select DNS Host from the drop-down menu and enter the DNS name in the DNS Name field.

      Note: You can resolve an IP address to a hostname and a hostname to an IP address using the green arrows next to the IP and Host Name fields.

      Note: The host and network address types support both IPv4 and IPv6 address types. These address types also support multicast addresses. However, the range address type supports only IPv4 addresses. NAT and IPsec VPNs do not support IPv6 addressing and wildcard addresses.

      Note: Ensure that the first 8 bits of the address are not 0 and the highest bit of the mask is 1 when you are using the wildcard address type.

    6. Click Create to create an address.

      The new address appears in the Manage Address page.
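    The notes above place several constraints on address objects (IPv4 only for ranges, no IPv6 or wildcard addresses for NAT, and the wildcard rules on the first eight bits of the address and the highest bit of the mask). The following is an added example, not part of Edge Services Director, that applies those constraints to address objects before they are entered, using the Python standard library's ipaddress module; the dict layout, the field names and the used_by_nat flag are this example's own, and the check that a range's End IP is not below its Start IP is an added sanity check not stated on this page.

```python
# Added example (not from Edge Services Director): validate the address object
# types listed under step 5 against the constraints given in the notes.
import ipaddress
from typing import Callable, List, Optional, Tuple


def _parse(value: str, parser: Callable) -> Tuple[Optional[object], Optional[str]]:
    """Parse with the given ipaddress constructor; return (object, error)."""
    try:
        return parser(value), None
    except ValueError as exc:
        return None, str(exc)


def validate_address(obj: dict, used_by_nat: bool = False) -> List[str]:
    """Return the list of problems with an address object (empty if it is acceptable).

    obj has a "type" of host, network, range, wildcard, hostname or dns-host,
    plus the fields the corresponding dialog asks for. used_by_nat applies the
    note that NAT supports neither IPv6 addressing nor wildcard addresses.
    """
    problems: List[str] = []
    kind = obj.get("type")

    if kind in ("host", "network"):
        if kind == "host":
            parsed, err = _parse(obj["ip"], ipaddress.ip_address)
        else:  # IP plus Netmask fields; strict=False tolerates host bits set
            parsed, err = _parse(f'{obj["ip"]}/{obj["netmask"]}',
                                 lambda t: ipaddress.ip_network(t, strict=False))
        if err:
            problems.append(err)
        elif used_by_nat and parsed.version == 6:
            problems.append("NAT does not support IPv6 addressing")

    elif kind == "range":
        start, err1 = _parse(obj["start"], ipaddress.ip_address)
        end, err2 = _parse(obj["end"], ipaddress.ip_address)
        problems.extend(e for e in (err1, err2) if e)
        if start is not None and end is not None:
            if start.version != 4 or end.version != 4:
                problems.append("range address type supports only IPv4 addresses")
            elif end < start:   # added sanity check, not stated on the page
                problems.append("End IP precedes Start IP")

    elif kind == "wildcard":
        ip, err1 = _parse(obj["ip"], ipaddress.IPv4Address)
        mask, err2 = _parse(obj["wildcard_mask"], ipaddress.IPv4Address)
        problems.extend(e for e in (err1, err2) if e)
        if ip is not None and (int(ip) >> 24) == 0:
            problems.append("first 8 bits of a wildcard address must not be 0")
        if mask is not None and (int(mask) >> 31) != 1:
            problems.append("highest bit of the wildcard mask must be 1")
        if used_by_nat:
            problems.append("NAT does not support wildcard addresses")

    elif kind in ("hostname", "dns-host"):
        if not obj.get("name"):
            problems.append("a name is required for this address type")

    else:
        problems.append(f"unknown address type {kind!r}")

    return problems


if __name__ == "__main__":
    # Constructed sample objects.
    samples = [
        {"type": "host", "ip": "2001:db8::1"},
        {"type": "range", "start": "2001:db8::1", "end": "2001:db8::9"},
        {"type": "wildcard", "ip": "0.0.2.1", "wildcard_mask": "0.0.255.255"},
    ]
    for s in samples:
        print(s, validate_address(s), validate_address(s, used_by_nat=True))
```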

    Creating Address Groups

    To create an address group:

    1. In the Source and Destination Address Selector dialog box, click the plus sign (+) to create a new address group.

      The Create Address Group page appears.

    2. Select the Object Type as Address Group.
    3. In the Name field, enter a name for the new address group.
    4. In the Description field, enter a description for the new address group.
    5. In the Addresses field, from the Available dialog box, select the address that you want to group, and click the right arrow to add to the Selected column.

      Click All to move all the addresses to the Selected column. The address you have selected appears in the Selected section of the dialog box.

    6. Click Create.

      The address group appears on the Address page.

    Address and Address Groups Overview

    You can use the Address Creation Wizard to create an address object that specifies an IP address or a hostname. You can specify a hostname and use the address resolution option to resolve it to an IP address. You can also resolve an IP address to the corresponding hostname.

    You can group address objects to form an address group using the Address Group Creation Wizard. Junos Space creates an object in the Junos Space database to represent an address or an address group.

    Creating an SFW Rule Term

    To add rules to an SFW policy:

    1. The Create Policy and Filter window displays the list of rule terms, if any, already added to the SFW policy.
    2. Next to the Terms field, click the + icon to add rules, and select the type of rule you want to add.
    3. In the Term Name field, specify the name of the rule.

      The SDGs with which you associated the SFW policy in the Create Policy window are displayed with the form, followed by the sections or clauses of the term. If you selected SDG groups to associate with the SFW policy, the SDG group names are displayed.

    4. In the From section, do the following to specify input conditions or match criteria for the SFW term:
      • In the Source Address field, click the down arrow in the list. The address selector dialog box appears. Select the source addresses that need to be added to the SFW policy from the Available column and click the right arrow to move these addresses to the Selected column.

        Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

        To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

      • In the Destination Address field, click the down arrow in the list. The address selector dialog box appears. Select the destination addresses that need to be added to the SFW policy from the Available column and click the right arrow to move these addresses to the Selected column.

        Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

        To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

      • In the Destination Port field, specify the destination port that the rule matches. You can specify a range of ports by defining the lower and upper limits of the range in the Start Value and End Value fields.
      • In the Add Term page, in the Application or Application Set sections, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the SFW rule term from the Available column and click the right arrow to move these applications or application sets to the Selected column.

        To create a new application name or application set, see Creating Applications and Application Sets.

      • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.
      • When you create a rule or filter term and define the name of the filter, for SDGs that are part of a high availability pair, the names of the SDGs are displayed as tabs, with check boxes beside the SDG hostnames. If you want the policy or filter term definition to apply to both SDGs, select the check boxes next to the SDG names.

        Otherwise, when you click the SDG name tab for an SDG whose check box you did not select, a blue highlight overlays the entire dialog box to indicate that the settings are not enabled for configuration for that SDG.

      • Select the name of the target application set from the Application Sets selector dialog box. Select the application sets that need to be added from the Available Column and click the right arrow to move the application sets to the Selected column.
      • In the Source Prefix field, click the down arrow in the list to specify the source prefix for traffic matching the rule. The address selector dialog box appears. Select the source addresses that need to be added to the SFW policy from the Available column and click the right arrow to move these addresses to the Selected column.

        Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

        To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

      • In the Destination Prefix field, click the down arrow in the list to specify the destination prefix for traffic matching the rule. The address selector dialog box appears. Select the destination addresses that need to be added to the SFW policy from the Available column and click the right arrow to move these addresses to the Selected column.

        Click OK to confirm the selection. Click Cancel to discard your changes and return to the Create Policy and Filter window.

        To create an address or address group from the address selector dialog box, see Creating Addresses and Creating Address Groups.

    5. In the To section, do the following to specify actions or modifiers to be performed for the SFW term:
      • In the Actions field, click the down arrow in the list. Select one of the following options:

        accept—Accept the traffic and send it on to its destination.

        discard—Do not accept traffic or process it further.

        reject—Do not accept the traffic and return a rejection message. Rejected traffic can be logged or sampled.

      • Click the Copy to All Hosts button to apply the defined term at the system or network level and not at a particular SDG or SDG group level.
      • When you create a rule or filter term and define the name of the filter, for SDGs that are part of a high availability pair, the names of the SDGs are displayed as tabs, with check boxes beside the SDG hostnames. If you want the policy or filter term definition to apply to both SDGs, select the check boxes next to the SDG names.

        Otherwise, when you click the SDG name tab for an SDG whose check box you did not select, a blue highlight overlays the entire dialog box to indicate that the settings are not enabled for configuration for that SDG.

      • Select the Syslog check box to enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory. This field is available only if you selected the Junos OS 14.1 version to create the service instance.
    6. A new rule is added in the last row, depending on the type of rule you have added. The newly added rules blink in a different color for a few seconds. The behavior is the same if you add a new rule before or after an existing rule, clone a rule, or paste a rule.

      The rule is assigned a serial number based on the number of rules already added to the policy.

    7. Click Save to create the rule. Alternatively, click Validate in the Create Rule page to run validation checks on the configuration to be deployed, so that you can identify and correct any syntax errors or incompatible settings before deployment.
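    The address types described above (Host, Range, Network and Wildcard, with the wildcard constraints from the note) and the From/To structure of a rule term can be put together in a small model of how a stateful-firewall policy is evaluated: terms are tried in order and the first one whose From conditions match decides the action. The following Python is an added illustration written for this page, not Junos Space or Junos OS code. It assumes IPv4 only, Junos-style wildcard semantics (a mask bit of 1 means the corresponding address bit must match; a 0 bit is ignored), and the illustrative class and function names below; the sample policy values are constructed for the example.

```python
"""Model of SFW address objects and first-match rule-term evaluation.

Added example, not Junos Space code. Assumptions not stated on the page:
IPv4 only; Junos-style wildcard semantics (mask bit 1 = address bit must
match, 0 = ignored); the data model and names are illustrative.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address


class Address:
    """One address object: Host, Range, Network or Wildcard."""

    def __init__(self, kind, *args):
        self.kind = kind
        if kind == "host":
            self.lo = self.hi = IPv4(args[0])
        elif kind == "range":
            self.lo, self.hi = IPv4(args[0]), IPv4(args[1])
            if self.lo > self.hi:
                raise ValueError("Start IP must not exceed End IP")
        elif kind == "network":
            # strict=False accepts a host address plus netmask, as the form does
            self.net = ipaddress.IPv4Network((args[0], args[1]), strict=False)
        elif kind == "wildcard":
            self.ip, self.mask = int(IPv4(args[0])), int(IPv4(args[1]))
            # Constraints from the wildcard note: first 8 bits of the address
            # must not be 0 and the highest bit of the mask must be 1.
            if self.ip >> 24 == 0:
                raise ValueError("first 8 bits of the address must not be 0")
            if not self.mask & 0x80000000:
                raise ValueError("highest bit of the wildcard mask must be 1")
        else:
            raise ValueError(f"unknown address type {kind!r}")

    def contains(self, ip):
        a = IPv4(ip)
        if self.kind in ("host", "range"):
            return self.lo <= a <= self.hi
        if self.kind == "network":
            return a in self.net
        return (int(a) & self.mask) == (self.ip & self.mask)


class AddressGroup:
    """Address group: matches if any member address object matches."""

    def __init__(self, *members):
        self.members = members

    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)


class Term:
    """One SFW rule term: From (match criteria) and To (action) sections."""

    def __init__(self, name, action, src=(), dst=(), dst_ports=None, syslog=False):
        if action not in ("accept", "discard", "reject"):
            raise ValueError("action must be accept, discard or reject")
        self.name, self.action, self.syslog = name, action, syslog
        self.src, self.dst = tuple(src), tuple(dst)   # empty tuple = any
        self.dst_ports = dst_ports                    # (start, end) or None = any

    def matches(self, src_ip, dst_ip, dst_port):
        if self.src and not any(o.contains(src_ip) for o in self.src):
            return False
        if self.dst and not any(o.contains(dst_ip) for o in self.dst):
            return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if not lo <= dst_port <= hi:
                return False
        return True


def evaluate(terms, src_ip, dst_ip, dst_port):
    """Terms are tried in order; the first match decides.
    Returns (term name, action, syslog) or None if no term matched. The page
    does not state the no-match default, so the caller decides; default deny
    (an explicit final discard term, as below) is the safe choice."""
    for t in terms:
        if t.matches(src_ip, dst_ip, dst_port):
            return t.name, t.action, t.syslog
    return None


# Constructed sample policy (illustrative values, not taken from the page).
BRANCH = AddressGroup(Address("network", "10.20.0.0", "255.255.0.0"),
                      Address("range", "192.0.2.10", "192.0.2.20"))
DMZ_WEB = Address("wildcard", "172.16.0.80", "255.255.0.255")   # 172.16.x.80
POLICY = [
    Term("block-mgmt", "reject", src=[BRANCH], dst=[Address("host", "172.16.1.80")],
         dst_ports=(22, 22), syslog=True),
    Term("allow-web", "accept", src=[BRANCH], dst=[DMZ_WEB], dst_ports=(80, 443)),
    Term("deny-rest", "discard"),
]

if __name__ == "__main__":
    for pkt in [("10.20.5.5", "172.16.9.80", 443), ("10.20.5.5", "172.16.1.80", 22),
                ("198.51.100.1", "172.16.9.80", 80)]:
        print(pkt, "->", evaluate(POLICY, *pkt))
```

    Term order matters in the same way it does in the GUI's numbered rule list: the more specific block-mgmt term must sit above allow-web, or SSH to the web host in the 80 to 443 range would never be reached. The final catch-all discard term makes the no-match behavior explicit instead of relying on a platform default.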

    Creating an Application and Application Set

    To create an application and an application set for an SFW rule term:

    1. In the Add Term page, in the Application or Application Set sections, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the SFW rule term from the Available column and click the right arrow to move these applications or application sets to the Selected column.

    Associating Service Sets and Rule Sets With an SFW Rule

    To associate a service set and a rule set with an SFW policy filter rule term:

    1. In the Create Policy and Filter page, click Associate Service Sets/Rule Sets. The Associate Service Sets/Rule Sets section is displayed. The SDGs and SDG groups that are part of the SFW policy filter rule term are shown in one column. Under the Association column, either the Configure or Edit icon appears. If you already created and mapped a service set with the particular SDG or group, the Edit icon shows.
    2. Click the Configure or Edit icon. The Configure Service Sets/Rule Sets dialog box is displayed.
    3. From the Type drop-down list, do either of the following:
      • Select Service Set to map a service set with the policy filter instance.
      • Select Rule Set to map a rule set with the policy filter instance.

      Depending on whether you selected Service Set or Rule Set in the Type list for association with the policy filter instance, the options displayed in the Value list beneath the Type list vary.

    4. If you selected Service Set from the Type list, select a service set previously configured in the Service Designer workspace from the Value list. If you selected Rule Set from the Type list, select a rule set previously configured in the Service Designer workspace from the Value list. Click Add to map the service set or rule set with the SFW policy filter rule.
    5. Click Save to save the settings. Alternatively, click Cancel to abort the changes.
    6. Click Copy to All Hosts in the Associate Service Sets dialog box to apply the defined term at the system or network level and not at a particular SDG or SDG group level. You are returned to the Add Term window.

    Modifying SFW Policies

    Before you can edit the policy, you must lock it by clicking the lock icon, which is available in the policy tabular view. You can hold more than one policy lock at a given time. You can unlock the policy by clicking the unlock icon next to the lock icon in the policy tabular view. If you attempt to lock a policy that is already locked by another user, a message is displayed stating that the lock is acquired by another user.

    If the Edge Services Director administrator releases the lock, you receive a warning message stating that the lock has been released.

    The Manage Policy Locks page appears showing only those locks that can be managed by the current user. The page contains the following fields:

    • Instance or Rule name
    • User (IP Address)
    • Lock acquired time
    • Service Gateway

    The policy is locked and released for the following policy operations. These operations are also disabled for a policy that is locked by another user.

    • Modify
    • Assign devices
    • Rollback
    • Delete

    Note:

    • You can unlock your policies even if they are not edited.
    • If the browser crashes when the policy is still locked, the policy is unlocked only after the timeout interval expires.
    • The policy lock is not released in the following scenarios:
      • You save or discard your changes to the locked policy.
      • You do not make any changes to the locked policy and navigate to another policy.

    To modify an existing SFW policy or filter instance:

    1. From the View selector, select Gateway View. The workspaces that are applicable to this view are displayed. In Gateway view, the devices in the entire network are displayed, organized by the device types and the device models within each device type. In Service View, the different types of services are displayed in the View pane.
    2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    3. From the View pane, select the All Network item in Gateway view. Click the plus sign (+) beside the All Network item in the View pane to expand the tree and select the device node you want.

      Alternatively, from the View pane, click the plus sign (+) beside All Services to expand the tree and select the type of service.

    4. From the task pane, select Service Edit. The Service Templates page is displayed.
    5. If you are in Gateway view, click the plus sign (+) next to Service Edit to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW Policy and Filter page on the right pane.
    7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways, or the SDG or SDG pair for which you want to view the previously configured policy or filter instances. This step is applicable only if you selected Gateway View.

      The page is divided into two panes. The list of SDGs is displayed in the left pane. You can drill down to the SDG or pair of SDGs for which you want to process policies or filters. The policy and filter rules are displayed in the right pane.

    8. Select a policy, and click the Lock icon above the table of listed policies.
    9. Click the Modify icon above the table of listed policies. The Modify Policy and Filter window is displayed.
    10. Modify the attributes that are needed and save the updated settings.

    Creating a Deployment Plan

    You must have previously defined service templates and policy or filter templates before you can create a deployment plan.

    To create a deployment plan and assign devices to it:

    1. From the View selector, select Gateway View. The View pane displays the devices in the entire network organized by the device type and device models pertaining to each device type.
    2. From the View pane, select the All Network item. Expand the tree to select the SDG in an SDG group.
    3. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.
      The functionalities that you can configure in this mode are displayed in the task pane.
    4. Select Service Edit from the task pane. The Service Edit page is displayed.
    5. Click the right arrow next to Service Edit to expand the tree in the task pane and view the list of filter instances.
    6. From the task pane, select SFW Policy and Filter to open the SFW Policy and Filter page on the right pane.
    7. In the Service Edit page, from the tree that lists the SDGs, select All Service Gateways, or the SDG or SDG pair for which you want to view the previously configured policy or filter instances. This step is applicable only if you selected Gateway View. You can drill down to the SDG or pair of SDGs for which you want to process policies or filters.
    8. Select a rule corresponding to an SDG, and click the Lock icon above the table of listed policy filters.
    9. Click the down arrow in the Actions menu and select Send for Deployment to create a deployment plan for the particular service template and save the plan.

      The Deployment Plan Summary dialog box appears, with the service name, type, and status listed.

      Click Send to create a deployment plan.

      A deployment plan is created for the service template, with the devices assigned to it, and is listed on the Deployment Plans page.

    10. Alternatively, select Discard Changes from the Actions menu to discard the modifications made to a policy or filter template.
    11. From the Deployment plans page, you can select Reject or Approve from the Actions drop-down list to reject or approve the deployment plan and make it available for commissioning to the devices.

    Modified: 2015-09-18