Configuring Stateful Firewalls for Next Gen Services
To configure stateful firewalls, you configure stateful firewall rules, and apply those rules to a service set. You can also configure stateful firewall rule sets, which contain a set of stateful firewall rules.
Configuring Stateful Firewall Rules for Next Gen Services
A stateful firewall rule specifies which traffic is processed and what action to apply to the traffic.
To configure a stateful firewall rule:
- Configure a name for the stateful firewall rule.
    user@host# edit services policies stateful-firewall-rule rule-name
- Specify the traffic flow direction to which the stateful firewall rule applies.
    [edit services policies stateful-firewall-rule rule-name]
    user@host# set match-direction (input | input-output | output)
If you configure input-output, the rule is applied to sessions initiated from either direction.
If this stateful firewall rule is applied to an interface-type service set, the direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. If this stateful firewall rule is applied to a next-hop service set, the direction is input if the inside interface is used to route the packet, and the direction is output if the outside interface is used to route the packet.
- Configure a name for a policy.
    [edit services policies stateful-firewall-rule rule-name]
    user@host# set policy policy-name
You can configure multiple policies for a stateful firewall rule. Each policy identifies the matching conditions for a flow, and whether or not to allow the flow. Once a policy in the rule matches a packet, that policy is applied and no other policies in the rule are processed.
- Specify the destination address of the flows to which the policy applies.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set match destination-address (address | any | any-ipv4 | any-ipv6)
Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step.
The destination address can be IPv4 or IPv6.
- Specify the destination address of the flows to which the policy does not apply.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set match destination-address-excluded address
The destination address can be IPv4 or IPv6.
- Specify the source address of the flows to which the policy applies.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set match source-address (address | any | any-ipv4 | any-ipv6)
Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step.
The source address can be IPv4 or IPv6.
- Specify the source address of the flows to which the policy does not apply.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set match source-address-excluded address
The source address can be IPv4 or IPv6.
- Specify one or more application protocols to which the policy applies.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set match application [application-name]
Use an application protocol definition you have configured at the [edit applications] hierarchy level.
- Specify an action that the policy takes.
    [edit services policies stateful-firewall-rule rule-name policy policy-name]
    user@host# set then (count | deny | reject | permit)
  where:
    count — Enables a count, in bytes or kilobytes, of all network traffic the policy allows to pass.
    deny — Drop the packets.
    permit — Accept the packets and send them to their destination.
    reject — Drop the packets. For TCP traffic, send a TCP reset (RST) segment to the source host. For UDP traffic, send an ICMP destination unreachable, port unreachable message (type 3, code 3) to the source host.
Configuring Stateful Firewall Rule Sets for Next Gen Services
A stateful firewall rule set lets you specify a set of stateful firewall rules, which are processed in the order in which they appear in the rule set configuration. Once a stateful firewall rule in the rule set matches a packet, that rule is applied and no other rules in the rule set are processed.
To configure a stateful firewall rule set:
- Configure a name for the stateful firewall rule set.
    user@host# edit services policies stateful-firewall-rule-set rule-set-name
- Specify the stateful firewall rules that belong to the rule set.
    [edit services policies stateful-firewall-rule-set rule-set-name]
    user@host# set stateful-firewall-rule [rule-name]
Configuring the Service Set for Stateful Firewalls for Next Gen Services
Stateful firewall rules must be assigned to a service set before they can be applied to traffic.
To configure a service set to apply stateful firewall rules:
- Define the service set.
    [edit services]
    user@host# edit service-set service-set-name
- Configure either an interface service set, which requires a single service interface, or a next-hop service set, which requires an inside and outside service interface.
    [edit services service-set service-set-name]
    user@host# set interface-service service-interface interface-name
  or
    [edit services service-set service-set-name]
    user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
- Specify the stateful firewall rules to be used with the service set. You can specify either individual rules or rule sets but not both.
  To apply individual stateful firewall rules:
    [edit services service-set service-set-name]
    user@host# set stateful-firewall-rules [rule-name]
  To apply stateful firewall rule sets:
    [edit services service-set service-set-name]
    user@host# set stateful-firewall-rule-sets [rule-set-name]
  The service set processes the stateful firewall rules or rule sets in the order in which they appear in the service set configuration.
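A complete configuration that ties the three procedures above together (a rule with ordered policies, a rule set, and a next-hop service set that applies it), as an added example that is not from the Juniper page. The application names, the 192.0.2.0/24 LAN, the 198.51.100.0/24 management subnet, the 203.0.113.53 resolver and the vms-2/0/0 service interface units are assumed placeholders.

```junos
# Added example, not from the Juniper page. All names, addresses and the
# vms-2/0/0 service interface units are constructed placeholders.

# Application definitions at [edit applications], referenced by the policies
set applications application app-dns protocol udp destination-port 53
set applications application app-https protocol tcp destination-port 443

# Rule for sessions initiated from the inside (input direction on a next-hop service set)
set services policies stateful-firewall-rule lan-egress match-direction input

# Policy 1 is listed first so quarantined hosts are rejected before any permit policy
# can match; reject returns a TCP RST or ICMP port unreachable so clients fail fast
set services policies stateful-firewall-rule lan-egress policy block-quarantine match source-address 192.0.2.128/25
set services policies stateful-firewall-rule lan-egress policy block-quarantine match destination-address any
set services policies stateful-firewall-rule lan-egress policy block-quarantine match application [ app-dns app-https ]
set services policies stateful-firewall-rule lan-egress policy block-quarantine then reject

# Policy 2: DNS only to the corporate resolver, counted so volume anomalies are visible
set services policies stateful-firewall-rule lan-egress policy allow-dns match source-address 192.0.2.0/24
set services policies stateful-firewall-rule lan-egress policy allow-dns match destination-address 203.0.113.53/32
set services policies stateful-firewall-rule lan-egress policy allow-dns match application app-dns
set services policies stateful-firewall-rule lan-egress policy allow-dns then permit
set services policies stateful-firewall-rule lan-egress policy allow-dns then count

# Policy 3: HTTPS anywhere except the management subnet (carved out with destination-address-excluded)
set services policies stateful-firewall-rule lan-egress policy allow-https match source-address 192.0.2.0/24
set services policies stateful-firewall-rule lan-egress policy allow-https match destination-address any
set services policies stateful-firewall-rule lan-egress policy allow-https match destination-address-excluded 198.51.100.0/24
set services policies stateful-firewall-rule lan-egress policy allow-https match application app-https
set services policies stateful-firewall-rule lan-egress policy allow-https then permit
set services policies stateful-firewall-rule lan-egress policy allow-https then count

# Rule set: rules are evaluated in the order configured here; first match wins
set services policies stateful-firewall-rule-set lan-rules stateful-firewall-rule lan-egress

# Next-hop service set: traffic routed via the inside unit is input, via the outside unit is output.
# A service set takes either stateful-firewall-rules or stateful-firewall-rule-sets, never both.
set services service-set lan-sfw next-hop-service inside-service-interface vms-2/0/0.1 outside-service-interface vms-2/0/0.2
set services service-set lan-sfw stateful-firewall-rule-sets lan-rules
```

Because the first matching policy ends evaluation, the ordering of block-quarantine ahead of the two permit policies is what enforces the quarantine; swapping the order would let a quarantined host reach the resolver.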