Examples: Configuring Stateful Firewall Rules


The following example shows a stateful firewall configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.

The following example shows use of source and destination prefix lists. This requires two separate configuration items.

You configure the prefix list at the [edit policy-options] hierarchy level:

You reference the configured prefix list in the stateful firewall rule:

This is equivalent to the following configuration:

You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.
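The prefix-list form described above, written out as an added example rather than the page's own configuration. The prefix-list names p1 and p2, the rule and term names, and the addresses are assumed; the syntax follows the [edit policy-options] and [edit services stateful-firewall] hierarchies.

```junos
/* Prefix lists are defined once under policy-options (addresses are constructed) */
policy-options {
    prefix-list p1 {
        10.10.1.0/24;
        10.10.2.0/24;
    }
    prefix-list p2 {
        192.0.2.0/24;
    }
}
/* The stateful firewall rule references the lists; rule and term names are assumed */
services {
    stateful-firewall {
        rule prefix-list-rule {
            match-direction input;
            term permit-from-p1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    /* except negates the match for every prefix in p2 */
                    destination-prefix-list {
                        p2 except;
                    }
                }
                then {
                    accept;
                }
            }
            /* A term with no from clause matches everything that fell through */
            term deny-rest {
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
}
```

With the except qualifier, traffic from p1 to any prefix in p2 does not match the first term, falls through to deny-rest, and is rejected and logged, which is worth confirming in the system log before relying on the rule.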

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see the configuration examples.


You can define the service set and assign it as either interface style or next-hop style.