
Creating and Managing SFW Service Templates


Each stateful firewall rule consists of a set of terms, similar to a service filter. A term consists of the following:

from statement—Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.

then statement—Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.

You can perform the following tasks with the Service Designer page for SFW:

  • Create an SFW service template with attributes and settings for stateful firewall operations.

  • Modify an existing SFW template to meet the network needs and deployment scenarios.

  • Delete an existing template.

Creating an SFW Service Template

To configure a new SFW service template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

    The Service Designer page displays a bar graph in the top pane of the page. The count of service templates of each type is displayed on the vertical axis and the service type is shown on the horizontal axis. A color-coding format is used to represent the bars on the graph. Published service templates are shown in olive green color and unpublished service templates are shown in blue color. Mouse over each bar in the chart to highlight and display the number of templates published or unpublished for each type of service.

  5. Click the Add icon. The Select Version dialog box appears.
  6. Select Junos 12.1 if you want to create a template based on the Junos OS Release 12.1. Alternatively, select Junos 14.1 if you want to create a template based on the Junos OS Release 14.1.

    Note

    All the service template components described in this section can be created for templates that are based on both the Junos OS Releases 12.1 and 14.1. The service elements or components that are additionally available for configuration when you select the Junos OS 14.1 version are explicitly mentioned in the relevant steps of the procedure.

    The Create an SFW Planning Template window appears.

    Figure 1: Create SFW Service Template Window
  7. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  8. In the Description field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  9. Instead of creating a new template entirely, you can import the parameters defined for a previous SFW service instance and customize only the settings that are necessary. Imported templates are created without any device assigned to them. To use these templates, you must associate a device with the policy. To clone an existing template by importing it, click the Import button.

    The Import Services dialog box is displayed. See Importing an SFW Service Template for step-wise details on importing an SFW service template.

  10. The Create an SFW Planning Template window displays the individual elements or components of the service with a graphical icon for each of the service elements and the corresponding names in separate boxes. You can add, edit, or delete these service elements in a template.

    Note

    The Property View tab and the Config View tab are displayed on the right pane of the template window. The Property View tab provides a tree-based structure of the parameters defined in a service template. You can expand the tree and view details of each component. A key value pair representation is shown. Each of the components can be treated as categories of the service template shown in the property view.

    The Config View tab displays the elements or components specified for a service template in the form of configuration stanzas and hierarchy levels. This display is similar to the show command that you can use at a certain [edit] hierarchy level to view the defined settings. Each level in the hierarchy is indented to indicate each statement's relative position in the hierarchy. Each level is generally set off with braces, with an open brace ({) at the beginning of each hierarchy level and a closing brace (}) at the end. If the statement at a hierarchy level is empty, the braces are not displayed. Each leaf statement ends with a semicolon (;), as does the last statement in the hierarchy.

    1. Click the green tick mark (✓) displayed at the top-right corner of each of the service element boxes to create a new element. If the green tick mark is not shown, it indicates that the user role does not have the permission to create an element.

    2. Click the red cross mark (x) displayed at the top-right corner of the icons of each element if you want to delete the existing configuration. The user with designer role has permissions to remove or edit elements.

    3. If the red cross mark is not displayed beside a particular icon, it signifies that the element cannot be deleted.

    4. The diamond icon that contains an orange tick mark within it at the top-right corner of the service component name denotes that the particular element can be modified. The absence of this icon denotes that the user does not have permissions to modify the attributes of the service component.

    5. Double-click each icon pertaining to a service element to view or edit its settings. If you do not possess the permission to modify the element, a view-only dialog box with the attributes of the selected element is shown. Otherwise, an editable dialog box enables you to modify the settings.

    6. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.

    7. Click the Maximize icon displayed at the top-right corner of the rectangle or box that shows all of the values or entities of a particular component of a service template. The specified component or attribute is displayed as a separate dialog box, listing all of the values of the particular component. You can add, modify, or delete the listed values.

    8. While creating the new service template, the designer can add or modify service parameter values and can also restrict the operator's access level for each service parameter. The designer can set the following access levels for each service parameter of a planning template. Click the new icon (cascading files icon) displayed at the top-left corner of each of the element boxes to open the shortcut menu, and click one of the following radio buttons:

      • Read-only (the configuration parameter is read-only for operator as part of provisioning)

      • Editable (the configuration parameter is editable as part of provisioning)

      • Device-Specific (the configuration parameter value needs to be entered by the operator for each device during deployment)

    9. Click Save & Publish to save and publish the service template configuration. The designer must publish the service templates for the operator to use them in the creation of deployment plans. After a filter or policy is published, it goes for peer review and approval. After approval, the filter or policy is deployed to the device.
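The Config View layout described in the note of step 10 (braces around each non-empty hierarchy level, a semicolon after every leaf statement, indentation by level) and the key/value tree of the Property View are two presentations of the same data. The following Python script, added here as an illustration and not part of Edge Services Director or Junos OS, parses a stanza in that format into a nested tree, flattens it into Property View style path/value pairs, and renders the tree back out following the stated layout rules, including the rule that an empty hierarchy level is shown without braces. The sample stanza is constructed for the example; the names in it (sfw-ss, allow-web, ms-1/2/0) are invented, and the parser does not handle Junos comments or annotations.

```python
"""Parse the brace-and-semicolon stanza format shown in the Config View tab
and flatten it into the key/value pairs shown in the Property View tab.

Added example for this page, not Edge Services Director or Junos OS code.
The sample stanza below is constructed for the example; the names in it
(sfw-ss, allow-web, ms-1/2/0) are invented."""

import re

# Constructed sample of what the Config View of a small SFW template shows.
SAMPLE_CONFIG = """
services {
    service-set sfw-ss {
        stateful-firewall-rules allow-web;
        interface-service {
            service-interface ms-1/2/0;
        }
    }
    stateful-firewall {
        rule allow-web {
            match-direction input;
            term web {
                from {
                    applications junos-http;
                    applications junos-https;
                }
                then {
                    accept;
                }
            }
        }
    }
}
"""

# Each match is the text before a delimiter plus the delimiter itself:
# "name {" opens a hierarchy level, "key value;" is a leaf, "}" closes.
_PIECE = re.compile(r"([^{};]*)([{};])")


def _store(node, key, value):
    """Insert value under key; a repeated key at the same level becomes a list."""
    if key not in node:
        node[key] = value
    elif isinstance(node[key], list):
        node[key].append(value)
    else:
        node[key] = [node[key], value]


def parse_config(text):
    """Return a nested dict: hierarchy headers map to dicts, leaf statements
    map to their value string, and flag statements such as "accept;" to True."""
    root = {}
    stack, end = [root], 0
    for match in _PIECE.finditer(text):
        body, delim = match.group(1).strip(), match.group(2)
        end = match.end()
        if delim == "{":
            if not body:
                raise ValueError("hierarchy level without a name")
            child = {}
            _store(stack[-1], body, child)
            stack.append(child)
        elif delim == ";":
            words = body.split(None, 1)
            if not words:
                raise ValueError("empty statement")
            _store(stack[-1], words[0], words[1] if len(words) > 1 else True)
        else:  # "}" must not carry text (a missing ';') and must match an open level
            if body or len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
    if len(stack) != 1 or text[end:].strip():
        raise ValueError("unterminated hierarchy level or trailing text")
    return root


def is_well_formed(text):
    """True when the text follows the brace/semicolon layout rules."""
    try:
        parse_config(text)
    except ValueError:
        return False
    return True


def flatten(tree, path=()):
    """Property View style: one (path, value) pair per leaf statement."""
    pairs = []
    for key, value in tree.items():
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, dict):
                pairs.extend(flatten(item, path + (key,)))
            else:
                pairs.append((" > ".join(path + (key,)), item))
    return pairs


def _render_lines(tree, indent):
    pad, lines = "    " * indent, []
    for key, value in tree.items():
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, dict) and item:
                lines.append(f"{pad}{key} {{")
                lines.extend(_render_lines(item, indent + 1))
                lines.append(f"{pad}}}")
            elif isinstance(item, dict) or item is True:
                lines.append(f"{pad}{key};")  # empty level or flag: no braces
            else:
                lines.append(f"{pad}{key} {item};")
    return lines


def render_config(tree):
    """Inverse of parse_config: four-space indentation per level, braces only
    around non-empty levels, and a semicolon after every leaf statement."""
    return "\n".join(_render_lines(tree, 0)) + "\n"


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for path, value in flatten(parsed):
        print(f"{path}: {value}")
    print(render_config(parsed))
```

Running the script prints the six Property View pairs of the sample and then the re-rendered stanza; the round trip is exact because the tree keeps statement order.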

Modifying SFW Service Templates

On the Service Designer page, you can view the collection of service templates defined for several applications, such as stateful firewall or CGNAT.

To modify service template instances, such as ADC, SFW, CGNAT, or TLB templates:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Deploy Service > Service Edit.

    The Service Instances page is displayed in the right pane, listing all the previously defined service templates.

  4. From the View pane, perform one of the following tasks:
    • Click the ADC button.

      The list of ADC service templates is displayed. You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.

    • Click the SFW button.

      The list of SFW templates is displayed.

    • Click the TLB button.

      The list of TLB templates is displayed.

    • Click the CGNAT button.

      The list of CGNAT templates is displayed.

  5. In the main window, click the plus sign (+) next to the SDG pairs to expand the tree and view the pair of devices in the SDG group or pair. Select the check box next to the SDG pair or individual SDG for which you want to modify settings. In an SDG pair, you can select a single SDG or both the SDGs in the redundancy pair of devices.

    Note

    Alternatively, you can also modify service templates from Service View in Build Mode by selecting the Service Templates > Manage Service Templates from the task pane, selecting a service instance, and clicking the Modify button.

  6. Click the Lock icon above the table of listed packet filters. The Select Reference Config dialog box is displayed.
    Figure 2: Select Reference Config Dialog Box
  7. From the Service Gateway Name drop-down list, select the SDG group to which the packet filter must be applied.
  8. From the Host Name drop-down list, select the hostname of the SDG.
  9. In the Select Common Components section, select the check boxes beside the service modules or components, such as packet filters, SFW rules, or CGNAT rules, that are displayed. The displayed components depend on the attributes that are previously defined for that selected packet filter. For example, if the service policy is for stateful firewall, SFW rules and SFW rule sets are shown. Select the check box beside Config Category to select all the service components.
  10. Click Save to save the modified association.
  11. Select the check box beside the template you want to modify.
  12. Open the Modify menu above the list of templates to modify an existing template, and select the component or service attribute, such as application or rule, that you want to edit.
  13. Perform one of the following from the drop-down menu displayed for each component:
    • To retrieve the service component and import it into the database of Edge Services Director, select Import Object. The Import Services dialog box appears. You can import the service templates assigned to SDGs or choose from a list of all of the predefined templates in the database. Also, you can either import all of the components of a service or specific components.

    • To create the component afresh, select Create New. The Create page corresponding to the service component appears. You can define the attributes for the service component in the same manner as you define the elements during the creation of a service template.

Creating a Deployment Plan

You must have previously defined service templates and policy or filter templates before you can create a deployment plan.

To create a deployment plan and assign devices to it:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Deploy icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Edit.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Select the check boxes next to the SDGs or SDG groups that you want to assign to the plan. Based on your selection of a service or a policy template, the components or attributes are shown for the corresponding device.
  6. From the boxes that show the components of a service template, you can edit, delete, or add elements to it. If you do not have permissions to update a template, the corresponding icons are not shown.
  7. Click the down arrow in the Actions menu and select Send for Deployment to create a deployment plan for the particular service template and save the plan.

    If you create a deployment plan from Service View in Deploy mode, the Edit Service Instance page is displayed. You can modify the SDGs associated with the service instance and the service instance attributes as necessary: either click the buttons for the various settings at the top of the wizard page to go directly to the page you want to modify, or use the navigation buttons at the bottom of the wizard page to move between its pages. Click Finish to create a deployment plan.

    The deployment plan for the service template, with the devices assigned to it, is listed on the Deployment Plans page.

  8. Alternatively, you can select Discard changes from the Actions menu to ignore the modifications done to a policy or filter template.
  9. From the Deployment plans page, you can select Reject or Approve from the Actions drop-down list to reject or approve the deployment plan and make it available for commissioning to the devices.

Importing an SFW Service Template

To create a clone of an existing SFW template by importing it:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

    You need not click this button if you are launching the Service Designer page for the first time or are navigating to this page from another mode or a different page. You need to click this button only if you are viewing the other service templates, such as CGNAT or TLB.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the Import button.

    The Import Services dialog box appears.

    You can import the service templates assigned to SDGs or choose from a list of all of the predefined templates in the database. Also, you can either import all of the components of a service or specific components.

  9. Do one of the following for the Import section:
    • Select the From Existing Service Gateway radio button if you want to import the service template from SDGs that are present in the Edge Services Director database.

    • Select the From XML radio button if you want to import the service template from an XML configuration file on an external system.

  10. If you selected the option to import the object from SDGs, do the following:
    • Click the Normal View tab to view the list of SDGs. You can search for specific SDGs by entering a search item and clicking the Search icon.

      Alternatively, click the Group View tab to view the list of SDG groups. You can search for specific SDG groups by entering a search item and clicking the Search icon.

    • Click the plus sign (+) next to the All Service Gateways item to expand the tree structure that displays the list of SDGs or SDG groups. If the SDG pair is configured, you can select one of the devices, master or standby, from which you want to import the object.

      Alternatively, if you selected the Group View tab, you can select an SDG from the groups displayed from which you want to import the object.

    • Click Import. The object is added to the database and can be used during configuration of services or policies.

  11. If you selected the option to import from an XML file, do the following:
    • Click Browse beside the File Name field to navigate to the path where an XML file is available to be imported.

    • Click Upload. The service template is added to the database and can be used during configuration of services or policies.

  12. Do one of the following to import all components of a selected template or only a particular component of a template. For the components that are not imported, you need to specify the definitions of the components afresh.
    • Select the check boxes next to all of the service instances that are displayed for the selected SDG or SDG group, or for the XML file that you uploaded. In such a case, all of the elements or parameters of the selected template or instance are imported.

    • Alternatively, select the check box next to a particular service instance, or a group of service instances, to import only a specific component of the selected template.

  13. Similarly, you can select other components and add them to the template. Save the imported components to add them to the template you are creating by using the imported template as a base.

Creating a Service Set

A service set is a collection of services to be performed by an Adaptive Services (AS) or Multiservices PIC. To create a service set as a component for the SFW template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. Enter the name of the template and the service instance in the respective fields.
  7. Click the green plus sign in the Service Set box.

    The Addition of Service Set dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  8. In the Name field, enter the name to identify the service set. Rules are combined into rule sets, and are associated with a service set for each application such as firewall or CGNAT.
  9. In the Sampling Service Choices section, do one of the following:
    • Click Interface Services to configure an interface-style service set. An interface service set is used as an action modifier across an entire interface.

      • In the Service Interfaces field, specify the name for the adaptive services interface associated with an interface-wide service set.

        When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the PIC.

      • From the Load Balancing Options section, configure the high availability (HA) options.

        The following hash keys can be configured in the egress direction: destination-ip (the destination IP address of the flow is used to compute the hash for load balancing) and source-ip (the source IP address of the flow is used to compute the hash for load balancing).

      • Click the green tick mark beside the Egress Key element to configure the hash keys to be used in the egress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.

      • Click the green tick mark beside the Ingress Key element to configure the hash keys to be used in the ingress flow direction. The configuration is mandatory if you are using AMS for Network Address Translation (NAT). This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen.

      Configure the hash keys used for load balancing in aggregated multiservices (AMS) for service applications (Network Address Translation [NAT], stateful firewall, application-level gateway [ALG], HTTP header enrichment, and mobility). The hash keys supported in the ingress and egress direction are the source IP address and destination IP address.

      Hash keys are used to define the load-balancing behavior among the various members in the AMS group. For example, if hash-keys is configured as source-ip, then the hashing would be performed based on the source IP address of the packet. Therefore, all packets with the same source IP address land on the same member. Hash keys must be configured with respect to the traffic direction: ingress or egress. For example, if hash-keys is configured as source-ip in the ingress direction, then it should be configured as destination-ip in the egress direction. This is required to ensure that the packets of the same flow reach the same member of the AMS group.

      The configuration of the ingress and egress hash keys is mandatory if you are using AMS for NAT. This configuration is not mandatory if you are using AMS for stateful firewall; if the hash keys are not configured, then the defaults are chosen. Refer to Table 1 for the supported hash keys.

      The resource-triggered option enables anchor session PICs to use the load or resource information from the anchor services PICs to select the AMS member that will anchor the services for the subscriber, for load balancing among AMS members. In addition, for mobile subscriber-aware services (such as HTTP header enrichment), you must configure the resource-triggered statement, which means that load balancing is not done using the ingress and egress keys.

      Table 1: Hash Keys Supported for AMS for Service Applications

                                               Service Set at Ingress Interface                Service Set at Egress Interface
      NAT Type                                 Ingress hash key        Egress hash key         Ingress hash key        Egress hash key
      -----------------------------------------------------------------------------------------------------------------------------------
      Hash Keys for NAT
      source static                            Destination IP address  Source IP address       Source IP address       Destination IP address
      source dynamic                           Source IP address       Destination IP address  Destination IP address  Source IP address
      Network Address Port Translation (NAPT)  Source IP address       Destination IP address  Destination IP address  Source IP address
      destination static                       Source IP address       Destination IP address  Destination IP address  Source IP address
      Hash Keys for Stateful Firewall
      Stateful Firewall                        Destination IP address  Source IP address       Destination IP address  Source IP address
      Stateful Firewall                        Source IP address       Destination IP address  Source IP address       Destination IP address

      Note

      If NAT is used in the service set (along with stateful firewall and ALG), then the hash keys should be based on the NAT type; otherwise, the hash keys of the stateful firewall should be used.

    • Click Next Hop Services to configure a next-hop style service set. A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes.

      • In the Inside Interface list, specify the interface type of the service interface associated with the service set applied inside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied inside the network.

        When a next-hop service is configured, the AS or Multiservices PIC is considered to be a two-legged module with one leg configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).

      • In the Outside Interface list, specify the interface type of the service interface associated with the service set applied outside the network. For inline IP reassembly, set the interface type to local. Also, specify the name and logical unit number of the service interface associated with the service set applied outside the network.

      • In the Service Interface Pool list, select the name of the pool of logical interfaces configured at the [edit services service-interface-pools pool pool-name] hierarchy level. You can configure a service interface pool only if the service set has a PGCP rule configured. The service set cannot contain any other type of rule.

    • Click Sampling Services to configure a sampling service set.

      • In the Service Interface field, specify the service interface, which is the interface the sampling is taken from. In the case of a sampling service set, the service interface must be a Multiservices PIC interface with a subunit number of 0 (zero). The subunit number defaults to 0. The reverse-flow statement is not mandatory. All sampled traffic is considered to be forward traffic. If you set the reverse-flow statement, it is ignored.

    • Select the Replication Service check box to configure the services replication options for inter-chassis high availability on MS-MIC and MS-MPC.

      • In the Replication Threshold field, specify the number of seconds for the replication threshold. When a flow has been active for more than the number of seconds specified as the threshold, its flow state information is replicated to the backup device. Make sure that the replication-threshold value is greater than the open-timeout value (the timeout period for establishing a TCP connection). The default value of the replication threshold is 180 seconds, which is also the minimum.

      • Select the Stateful Firewall check box to replicate stateful firewall state information.

      • Select the NAT check box to replicate NAPT44 information.

  10. In the SFW Rule Sets section, select the rule set you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  11. In the SFW Rules section, select the rule you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  12. In the SFW Syslogs section, select the syslog you want to associate with the service set from the Available column and click the right arrow to move to the Selected column.
  13. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.
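The hash-key rules in step 9 (ingress and egress keys must be complementary so that both directions of a flow reach the same AMS member; the keys are mandatory when AMS is used for NAT; and, per the note under Table 1, the NAT type decides the keys when NAT is present) are easy to get wrong across several service sets. The following Python script, added here as an illustration and not part of Edge Services Director or Junos OS, audits a list of service sets against those rules using Table 1 as its lookup. The service sets it audits are constructed for the example and their names are invented; the dict keys (placement, nat_type, ingress_key, egress_key) are this example's own representation, not fields of the product.

```python
"""Consistency check for AMS load-balancing hash keys on service sets.

Added example for this page, not Edge Services Director or Junos OS code.
The service sets audited at the bottom are constructed for the example."""

# Table 1, transcribed: (ingress key, egress key) required for a NAT type,
# for a service set applied at the ingress and at the egress interface.
NAT_HASH_KEYS = {
    "source static":      {"ingress": ("destination-ip", "source-ip"),
                           "egress":  ("source-ip", "destination-ip")},
    "source dynamic":     {"ingress": ("source-ip", "destination-ip"),
                           "egress":  ("destination-ip", "source-ip")},
    "napt":               {"ingress": ("source-ip", "destination-ip"),
                           "egress":  ("destination-ip", "source-ip")},
    "destination static": {"ingress": ("source-ip", "destination-ip"),
                           "egress":  ("destination-ip", "source-ip")},
}
# The two supported keys and, for each, the key the other direction must use.
COMPLEMENT = {"source-ip": "destination-ip", "destination-ip": "source-ip"}


def required_hash_keys(nat_type, placement):
    """Keys Table 1 requires for nat_type when the service set is applied at
    the 'ingress' or 'egress' interface. Without NAT, stateful firewall may
    use either complementary pair at either interface, so None is returned."""
    if placement not in ("ingress", "egress"):
        raise ValueError(f"placement must be ingress or egress, not {placement!r}")
    if nat_type is None:
        return None
    if nat_type not in NAT_HASH_KEYS:
        raise ValueError(f"unknown NAT type {nat_type!r}")
    return NAT_HASH_KEYS[nat_type][placement]


def check_hash_keys(service_set):
    """service_set: dict with 'name', 'placement', 'nat_type' (None when the
    set has no NAT), 'ingress_key' and 'egress_key' (None when not set).
    Returns a list of findings; an empty list means the keys are consistent."""
    name, nat_type = service_set["name"], service_set.get("nat_type")
    ingress, egress = service_set.get("ingress_key"), service_set.get("egress_key")
    findings = []
    if ingress is None or egress is None:
        # Stateful firewall alone falls back to the defaults; NAT must be explicit.
        if nat_type is not None:
            findings.append(f"{name}: hash keys are mandatory when AMS is used for NAT ({nat_type})")
        return findings
    for key in (ingress, egress):
        if key not in COMPLEMENT:
            findings.append(f"{name}: {key!r} is not a supported hash key")
            return findings
    if COMPLEMENT[ingress] != egress:
        findings.append(f"{name}: ingress {ingress} with egress {egress} is not complementary; "
                        "the two directions of a flow would hash to different AMS members")
    # With NAT present (with or without stateful firewall/ALG) the NAT type decides.
    expected = required_hash_keys(nat_type, service_set["placement"])
    if expected is not None and (ingress, egress) != expected:
        findings.append(f"{name}: {nat_type} at the {service_set['placement']} interface needs "
                        f"ingress {expected[0]} / egress {expected[1]} (Table 1)")
    return findings


# Constructed service sets; names and values are invented for the example.
SAMPLE_SERVICE_SETS = [
    {"name": "sfw-only", "placement": "ingress", "nat_type": None,
     "ingress_key": "source-ip", "egress_key": "destination-ip"},
    {"name": "napt-ingress", "placement": "ingress", "nat_type": "napt",
     "ingress_key": "source-ip", "egress_key": "destination-ip"},
    {"name": "napt-egress-wrong", "placement": "egress", "nat_type": "napt",
     "ingress_key": "source-ip", "egress_key": "destination-ip"},
    {"name": "same-key-both-ways", "placement": "ingress", "nat_type": None,
     "ingress_key": "source-ip", "egress_key": "source-ip"},
    {"name": "nat-no-keys", "placement": "ingress", "nat_type": "source static",
     "ingress_key": None, "egress_key": None},
]


def audit(service_sets):
    """Map each service set name to its list of findings."""
    return {s["name"]: check_hash_keys(s) for s in service_sets}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SERVICE_SETS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Of the five constructed service sets, the first two pass, and each of the other three trips exactly one rule: the NAPT set placed at the egress interface has the pair Table 1 prescribes for the ingress placement, the firewall-only set hashes both directions on the source address, and the static NAT set has no keys at all.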

Creating an Application

You can define application protocols for the stateful firewall and Network Address Translation (NAT) services to use in match condition rules. An application protocol, or application layer gateway (ALG), defines application parameters using information from network Layer 3 and above. Examples of such applications are FTP and H.323.

To create an application for an SFW rule term:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily-identifiable name for the service instance (limit of 255 alphanumeric characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Applications box.

    The Create an Application dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, enter the name to identify the application.
  10. From the Protocol drop-down list, specify the networking protocol type or number to match in an application definition. The following text values are supported: TCP, UDP, ICMP, and GRE. Based on the selection, the dialog box refreshes to display additional fields applicable for the protocol.
  11. From the Application Protocol drop-down list, specify the application protocol name. Application protocols are also called application layer gateways (ALGs). The application-protocol setting allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. Valid entries include the following:
    • dns—Domain Name Service

    • icmp—ICMP

    • rtsp—Real Time Streaming Protocol

    • tftp—Trivial File Transfer Protocol

    Based on the selection, the dialog box refreshes to display additional fields applicable for the application protocol.

  12. In the Inactivity Timeout (secs) field, specify the length of time, in seconds, for which the application is inactive before it times out. The default is 30 seconds.
  13. In the ICMP Type field, specify the Internet Control Message Protocol (ICMP) code type. The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. The only value available in this field is ECHO_REQUEST.

    Note

    From the Junos OS CLI, to configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

  14. From the Source Port type list, do one of the following:
    • Select RANGE to configure a range of source ports for the application, and enter the lower limit and upper limit of the range of ports in the Start Value and End Value fields, respectively. You can specify a value in the range of 1 through 65,535.

    • Select SINGLE to configure a single port number as the source port, and enter the number in the Port Value field.

    • Select NA if you do not want to specify a port number.

    The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ports, you must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port.

  15. From the Destination Port type list, do one of the following:
    • Select RANGE to configure a range of destination ports for the application, and enter the lower limit and upper limit of the range of ports in the Start Value and End Value fields, respectively. You can specify a value in the range of 1 through 65,535.

      Note

      If you specify a value of 0 as a destination port or as the beginning of a destination port range, you will receive the following error: application application-name' TCP Destination Port 0 Invalid error: configuration check-out failed

    • Select SINGLE to configure a single port number as the destination port, and enter the number in the Port Value field.

    • Select NA if you do not want to specify a port number.

  16. Click Save to save the application.

Creating an Application Set

You can group the applications you have defined into a named object as an application set.

To create an application set for an SFW rule term:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily identifiable name for the service instance (limit of 255 alphanumeric characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Applications box.

    The Create an Application dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, enter the name to identify the application set.
  10. In the Application section, the application set selector dialog box is displayed. Select the applications or application sets that need to be added to the rule term from the Available column and click the right arrow to move them to the Selected column.
  11. Click Save to save the application set.

Creating a Syslog

You can enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.

To create a syslog for the SFW template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Server Groups box.

    The Addition of Group dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. In the Name field, enter the name for the syslog component. Specify the fully qualified domain name or IP address for the syslog server.
  10. In the Services list, specify the system logging severity level. It assigns a severity level to the facility. Valid entries include:
    • alert—Conditions that should be corrected immediately.

    • any—Matches any level.

    • critical—Critical conditions.

    • emergency—Panic conditions.

    • error—Error conditions.

    • info—Informational messages.

    • notice—Conditions that require special handling.

    • warning—Warning messages.

  11. From the Facility Override list, select the override for the default facility for system log reporting. Valid values include:
    • authorization

    • daemon

    • ftp

    • kernel

    • local0 through local7

    • user

  12. In the Log Prefix field, set the system logging prefix value for all logging to the system log host.
  13. In the Port field, specify the port number to be used for connection with the remote syslog server.
  14. In the Class section, set the class of applications to be logged to the system log.
    • alg-logs—Log application-level gateway events.

    • ids-logs—Log intrusion detection system events.

    • nat-logs—Log Network Address Translation events.

    • packet-logs—Log general packet-related events.

    • session-logs—Log session open and close events.

    • session-logs open—Log session open events only.

    • session-logs close—Log session close events.

    • stateful-firewall-logs—Log stateful firewall events.

  15. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.

Creating a Rule

To create a rule for the SFW template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Server Groups box.

    The Addition of Group dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. From the Rule list, select one of the previously configured rules. The rules that you configured in the Service Templates workspace for SFW, packet filter, or CGNAT are displayed.
  10. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.

Creating a Rule Set

The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule.

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.
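The application definition procedure above (protocol, port ranges, ICMP type, and the port-0 commit check) and the ordered, first-match, default-drop evaluation described here are easier to see together in code. The following Python model is an added example; it is not part of this documentation and is not Edge Services Director or Junos OS code, and every application name, prefix and packet in it is a constructed sample value.

```python
"""Added model (not Edge Services Director or Junos code) of SFW evaluation:
applications describe protocol/port/ICMP matches, rule terms combine them with
address prefixes, rules are tried in configured order, the first matching term's
action wins, and an unmatched packet is dropped by default."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (start, end); None means NA (no port match)


def valid_port_range(rng: PortRange) -> bool:
    """The constraint the commit check quoted on the page enforces: ports are 1..65535,
    so a 0 or an inverted range is rejected instead of silently matching."""
    return rng is None or 1 <= rng[0] <= rng[1] <= 65535


@dataclass(frozen=True)
class Application:
    name: str
    protocol: str                      # "tcp", "udp", "icmp" or "gre"
    source_port: PortRange = None
    destination_port: PortRange = None
    icmp_type: Optional[int] = None    # 8 == echo-request
    inactivity_timeout: int = 30       # seconds; the page's default

    def __post_init__(self):
        for rng in (self.source_port, self.destination_port):
            if not valid_port_range(rng):
                raise ValueError(f"application {self.name!r}: port range {rng} invalid")

    def matches(self, pkt: dict) -> bool:
        if pkt["protocol"] != self.protocol:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        for rng, key in ((self.source_port, "sport"), (self.destination_port, "dport")):
            if rng is not None and not (rng[0] <= pkt.get(key, -1) <= rng[1]):
                return False
        return True


@dataclass(frozen=True)
class Term:
    """'from' conditions (all optional) plus the mandatory 'then' action."""
    action: str                                 # "accept", "discard" or "reject"
    source: Optional[str] = None                # prefix; None matches any address
    destination: Optional[str] = None
    applications: Tuple[Application, ...] = ()  # an application set, flattened

    def matches(self, pkt: dict) -> bool:
        if self.source and ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        if self.destination and ip_address(pkt["dst"]) not in ip_network(self.destination):
            return False
        if self.applications and not any(a.matches(pkt) for a in self.applications):
            return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    terms: Tuple[Term, ...]


def evaluate(rule_set, pkt):
    """Return (action, rule name, term index). Rules are walked in configured order,
    the first matching term ends processing, and no match at all means a drop."""
    for rule in rule_set:
        for index, term in enumerate(rule.terms):
            if term.matches(pkt):
                return term.action, rule.name, index
    return "discard", None, None


def sample_rule_set():
    """Constructed sample: a deny rule for a management prefix placed before a LAN allow rule."""
    http = Application("http", "tcp", destination_port=(80, 80))
    dns = Application("dns", "udp", destination_port=(53, 53))
    ping = Application("ping", "icmp", icmp_type=8)
    web_and_dns = (http, dns)  # plays the role of an application set
    return (
        Rule("protect-mgmt", (Term("discard", destination="10.0.0.0/24"),)),
        Rule("lan-out", (Term("accept", source="192.168.1.0/24", applications=web_and_dns),
                         Term("accept", source="192.168.1.0/24", applications=(ping,)))),
    )


if __name__ == "__main__":
    rules = sample_rule_set()
    for pkt in (
        {"src": "192.168.1.10", "dst": "203.0.113.5", "protocol": "tcp", "dport": 80},
        {"src": "192.168.1.10", "dst": "10.0.0.7", "protocol": "tcp", "dport": 80},
        {"src": "192.168.1.10", "dst": "203.0.113.5", "protocol": "icmp", "icmp_type": 8},
        {"src": "192.168.1.10", "dst": "203.0.113.5", "protocol": "tcp", "dport": 22},
    ):
        print(pkt, "->", evaluate(rules, pkt))
```

Swapping the order of the two rules in sample_rule_set() would let HTTP to 10.0.0.7 through on the lan-out rule before protect-mgmt is ever consulted, which is the ordering behaviour the paragraph above describes; SSH from the LAN falls through every term and is discarded by the default.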

To create a rule set for the SFW template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Rule Sets box.

    The Addition of Rule Sets dialog box appears.

    Note

    For the service elements that you can configure using the Object Builder workspace, such as applications and rules, when you click the green plus sign (+) at the top-right corner of each of the service element boxes, the shortcut menu is displayed. Click the Create New radio button to create the service component afresh. Alternatively, click the Import from Object Builder radio button to open a dialog box that enables you to select from the list of service elements that are present in the database of Edge Services Director and import them into the service template.

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. Specify the rule set name the router uses when applying this service.
  10. Select the rules that you want to group into a rule set from the Available column and click the right arrow to move the rules to the Selected column.
  11. Click Save to save the service template configuration. Otherwise, click Close to discard the changes to the template.

Creating a Services PIC for an SFW Service Template

Multiservices (ms-) interfaces are the physical multiservices interfaces of a device that are used to run the load-balancing instance application. The more multiservices interfaces used for a load-balancing instance, the more capacity and processing power the instance has. At least one MS interface must be specified for each adc-instance, and up to eight interfaces can run the same instance. A multiservices interface is associated exclusively with a single load-balancing instance (it cannot be shared between instances).

To assign a services interface to an SFW template:

  1. From the View selector, select Service View. The workspaces that are applicable to this view are displayed.
  2. From the Junos Space user interface, click the Build icon on the Edge Services Director banner.

    The functionalities that you can configure in this mode are displayed in the task pane.
  3. From the task pane, select Service Templates.

    The Manage Service Templates page is displayed.

  4. Click the SFW button.

    The list of SFW service templates is displayed.

  5. Click the Add icon.

    The Create an SFW Planning Template window appears.

  6. In the Template Name field, enter a name for the service template or profile (limit of 63 alphanumeric characters without spaces).
  7. In the Description field, enter a meaningful, easily identifiable name for the service instance (limit of 255 characters). Each service instance you define can be applied to a single or multiple SDGs.
  8. Click the green plus sign in the Service Pic box.

    The Service Pic dialog box appears.

    Note

    If a green tick mark is shown beside a field in the dialog box, it denotes that you can add attributes for that component. A red cross mark shows that you can delete that particular attribute for that component.

  9. Select the check box next to the ms- interface of an SDG that must be assigned to the SFW template.
  10. Click OK to save the settings. Otherwise, click Cancel to discard the configuration.