Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring Stateful Firewalls for Next Gen Services

 

To configure stateful firewalls, you configure stateful firewall rules, and apply those rules to a service set. You can also configure stateful firewall rule sets, which contain a set of stateful firewall rules.

Configuring Stateful Firewall Rules for Next Gen Services

A stateful firewall rule specifies which traffic is processed and what action to apply to the traffic.

To configure a stateful firewall rule:

  1. Configure a name for the stateful firewall rule.
  2. Specify the traffic flow direction to which the stateful firewall rule applies.

    If you configure input-output, the rule is applied to sessions initiated from either direction.

    If this stateful firewall rule is applied to an interface-type service set, the direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. If this stateful firewall rule is applied to a next-hop service set, the direction is input if the inside interface is used to route the packet, and the direction is output if the outside interface is used to route the package.

  3. Configure a name for a policy.

    You can configure multiple policies for a stateful firewall rule. Each policy identifies the matching conditions for a flow, and whether or not to allow the flow. Once a policy in the rule matches a packet, that policy is applied and no other policies in the rule are processed.

  4. Specify the destination address of the flows to which the policy applies.

    Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step.

    The destination address can be IPv4 or IPv6.

  5. Specify the destination address of the flows to which the policy does not apply.

    The destination address can be IPv4 or IPv6.

  6. Specify the source address of the flows to which the policy applies.

    Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step.

    The source address can be IPv4 or IPv6.

  7. Specify the source address of the flows to which the policy does not apply.

    The source address can be IPv4 or IPv6.

  8. Specify one or more application protocols to which the policy applies.

    Use an application protocol definition you have configured at the [edit applications] hierarchy level.

  9. Specify an action that the policy takes.

    where:

    count Enables a count, in bytes or kilobytes, of all network traffic the policy allows to pass.
    deny Drop the packets.
    permit Accept the packets and send them to their destination.
    reject Drop the packets. For TCP traffic, send a TCP reset (RST) segment to the source host. For UDP traffic, send an ICMP destination unreachable, port unreachable message (type 3, code 3) to the source host.

Configuring Stateful Firewall Rule Sets for Next Gen Services

A stateful firewall rule set lets you specify a set of stateful firewall rules, which are processed in the order in which they appear in the rule set configuration. Once a stateful firewall rule in the rule set matches a packet, that rule is applied and no other rules in the rule set are processed˙.

To configure a stateful firewall rule set:

  1. Configure a name for the stateful firewall rule set.
  2. Specify the stateful firewall rules that belong to the rule set.

Configuring the Service Set for Stateful Firewalls for Next Gen Services

Stateful firewall rules must be assigned to a service set before they can be applied to traffic.

To configure a service set to apply stateful firewall rules:

  1. Define the service set.
  2. Configure either an interface service set, which requires a single service interface, or a next-hop service set, which requires an inside and outside service interface.

    or

  3. Specify the stateful firewall rules to be used with the service set. You can specify either individual rules or rule sets but not both.

    To apply individual stateful firewall rules:

    To apply stateful firewall rule sets:

    The service set processes the stateful firewall rules or rule sets in the order in which they appear in the service set configuration.