Example: Configuring Application Firewall Services for a Master Logical System
This example describes how the master administrator configures application firewall services on the master, or root, logical system. Only the master administrator can configure, manage, and view the configuration of the master logical system; the master administrator has the same rights over all user logical systems.
After configuring application firewall rule sets and rules, the master administrator references the rule set from a security policy on the master logical system. An application firewall rule set acts only on traffic that a security policy hands to it, so a rule set that is not referenced by any policy has no effect.
For information about configuring an application firewall within a security policy, see the Junos OS Security Configuration Guide.
Requirements
Before you begin:
- Verify that all interfaces, routing instances, and security zones have been configured on the master logical system. See Example: Configuring Security Features for the Master Logical System.
- Verify that application firewall resources (appfw-rule-set and appfw-rule) have been allocated in a security profile and that the profile has been bound to the master logical system at the [edit system security-profile] hierarchy level. For application firewall resources, a security profile configuration allows 0 to 10,000 rule sets and 0 to 10,000 rules. A commit that would exceed the reserved or maximum counts in the bound profile fails.

Note: The master administrator allocates various global system resources through a security profile configuration which is then bound to the various logical systems on the device. The master administrator owns this function and configures the security profile for all user logical systems as well as the master logical system.
For more information, see Understanding Logical Systems Security Profiles.
- Log in to the master logical system as the master administrator.
For information about master administrator role functions, see Understanding the Master Logical System and the Master Administrator Role.
Overview
In this example you create application firewall services on the master logical system, root-logical-system, which is shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example creates the following application firewall configuration:
- Rule set, root-rs1, with rules r1 and r2. When r1 is matched, Telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.
- Rule set, root-rs2, with rule r1. When r1 is matched, Facebook traffic is blocked by the firewall.
All rule sets require a default rule, which specifies whether to permit or deny traffic whose identified application is not matched by any rule in the rule set. The default-rule action (permit or deny) must be the opposite of the action specified for the other rule(s) in the rule set. In this example root-rs1 permits its listed applications, so its default rule is deny; root-rs2 denies its listed application, so its default rule is permit.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
To configure application firewall for a master logical system:
- Log in to the master logical system as the master administrator and enter configuration mode. See Example: Configuring a Root Password for the Device.
  admin@host> configure
  admin@host#
- Configure an application firewall rule set for root-logical-system. The master logical system is configured at the top of the configuration hierarchy, not under [edit logical-systems].
  [edit]
  admin@host# set security application-firewall rule-sets root-rs1
- Configure a rule for this rule set, specify which dynamic applications and dynamic application groups the rule should match, and specify the action to take on a match. The match condition and the action are separate set statements.
  [edit]
  admin@host# set security application-firewall rule-sets root-rs1 rule r1 match dynamic-application junos:TELNET
  admin@host# set security application-firewall rule-sets root-rs1 rule r1 then permit
- Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rule of the rule set.
  [edit]
  admin@host# set security application-firewall rule-sets root-rs1 default-rule deny
- Repeat these steps to configure another rule set, root-rs2, if desired.
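The complete procedure as one pasteable block, added here as an example and not taken from the original page. It is typed at the [edit] hierarchy level of the master logical system by the master administrator. The security-profile name master-profile, the resource counts, the zone names trust and untrust, the policy name appfw-policy, and the dynamic-application names junos:HTTP and junos:FACEBOOK-ACCESS are assumptions; the `root-logical-system` binding keyword is assumed as well, so check all of these against your release and installed signature package before committing.

```junos
# Added example (not from the original page). Names marked "assumed" are not
# taken from the page; verify them on your device before committing.

# Prerequisite from Requirements: allocate application firewall resources in a
# security profile and bind the profile to the master logical system.
# Profile name, counts and the root-logical-system keyword are assumed.
set system security-profile master-profile appfw-rule-set reserved 2 maximum 10
set system security-profile master-profile appfw-rule reserved 4 maximum 20
set system security-profile master-profile root-logical-system

# Rule set root-rs1: permit Telnet (r1) and web (r2); deny any other
# identified application via the default rule (opposite of the rule action).
# junos:HTTP is assumed for "web traffic"; confirm the exact name with
# "show services application-identification application summary".
set security application-firewall rule-sets root-rs1 rule r1 match dynamic-application junos:TELNET
set security application-firewall rule-sets root-rs1 rule r1 then permit
set security application-firewall rule-sets root-rs1 rule r2 match dynamic-application junos:HTTP
set security application-firewall rule-sets root-rs1 rule r2 then permit
set security application-firewall rule-sets root-rs1 default-rule deny

# Rule set root-rs2: deny Facebook (r1); permit everything else identified.
# junos:FACEBOOK-ACCESS is assumed; the page's output shows it as junos:FACEBOOK.
set security application-firewall rule-sets root-rs2 rule r1 match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets root-rs2 rule r1 then deny
set security application-firewall rule-sets root-rs2 default-rule permit

# Attach a rule set to a security policy (zones and policy name assumed).
# Without this step the rule set is never consulted. A policy references at
# most one application firewall rule set.
set security policies from-zone trust to-zone untrust policy appfw-policy match source-address any
set security policies from-zone trust to-zone untrust policy appfw-policy match destination-address any
set security policies from-zone trust to-zone untrust policy appfw-policy match application any
set security policies from-zone trust to-zone untrust policy appfw-policy then permit application-services application-firewall rule-set root-rs1
set security policies from-zone trust to-zone untrust policy appfw-policy then log session-init

# Validate without activating, then commit.
commit check
commit

# Check rule sets and per-rule session counters from configuration mode.
run show security application-firewall rule-set all logical-system root-logical-system
```

Use the counters to confirm the rule set is actually in the traffic path: if every counter stays at zero after test traffic, the policy that should reference the rule set is either not matching the flow or is a different policy than the one you edited. Sessions reported as "appid pending" have not yet been identified, so no rule action has been applied to them; they are not evidence that a rule is failing to match.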
Results
From configuration mode, confirm your configuration by entering the show security application-firewall rule-sets command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Application Firewall Configuration
Purpose
View the application firewall configuration on the master logical system.
Action
From operational mode, enter the show security application-firewall rule-set all logical-system root-logical-system command. The per-rule and default-rule counters show how many sessions each rule has matched; sessions counted as "appid pending" have not yet been identified by application identification and have not had any application firewall action applied.
admin@host> show security application-firewall rule-set all logical-system root-logical-system
Rule-set: root-rs1
  Logical system: root-logical-system
    Rule: r1
      Dynamic Applications: junos:TELNET
      Action: permit
      Number of sessions matched: 10
  Default rule: deny
    Number of sessions matched: 100
  Number of sessions with appid pending: 2
Rule-set: root-rs1
  Logical system: root-logical-system
    Rule: r2
      Dynamic Applications: junos:web
      Action: permit
      Number of sessions matched: 20
  Default rule: deny
    Number of sessions matched: 200
  Number of sessions with appid pending: 4
Rule-set: root-rs2
  Logical system: root-logical-system
    Rule: r1
      Dynamic Applications: junos:FACEBOOK
      Action: deny
      Number of sessions matched: 40
  Default rule: permit
    Number of sessions matched: 400
  Number of sessions with appid pending: 10

