Example: Configuring Application Firewall Services for a User Logical System
This example describes how a user logical system administrator configures application firewall services on a user logical system. User logical system administrators can configure and monitor the application firewall rule sets and rules on their own logical system, and control which dynamic applications are allowed or blocked there.
After configuring application firewall rule sets and rules, user logical system administrators add the application firewall rule set information to the security policy on their individual logical systems.
For information about configuring an application firewall within a security policy, see the Junos OS Security Configuration Guide.
Requirements
Before you begin:
- Verify that the security zones are configured for the user logical system.
- Verify that the master administrator has allocated application firewall resources (appfw-rule-set and appfw-rule) in the security profile bound to the user logical system.
For more information, see Understanding Logical Systems Security Profiles.
- Log in to the logical system as the user logical system administrator.
For information about user logical system administrator role functions, see Understanding User Logical Systems and the User Logical System Administrator Role.
Overview
In this example you configure application firewall services on the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example creates the following application firewall configuration:
- Rule set, ls-product-design-rs1, with rules r1 and r2. When r1 is matched, Telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.
- Rule set, ls-product-design-rs2, with rule r1. When r1 is matched, Facebook traffic is blocked by the firewall.
All rule sets require a default rule, which specifies whether to permit or deny traffic that does not match any rule in the rule set. The default-rule action (permit or deny) must be the opposite of the action specified for the other rules in the rule set.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
To configure application firewall for a user logical system:
- Log in to the user logical system as the user logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure
lsdesignadmin1@host:ls-product-design#
- Configure an application firewall rule set for this logical system.
[edit]
lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1
- Configure a rule for this rule set and specify which dynamic applications and dynamic application groups the rule should match.
[edit]
lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1 rule r1 match dynamic-application telnet then permit
- Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rule of the rule set.
[edit]
lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1 default-rule deny
- Repeat these steps to configure another rule set, ls-product-design-rs2, if desired.
Results
From configuration mode, confirm your configuration by entering the show security application-firewall rule-set all command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Application Firewall Configuration
Purpose
View the application firewall configuration on the user logical system.
Action
From operational mode, enter the show security application-firewall rule-set all command.
lsdesignadmin1@host:ls-product-design> show security application-firewall rule-set all
Rule-set: ls-product-design-rs1
Logical system: ls-product-design
Rule: r1
Dynamic Applications: junos:TELNET
Action:permit
Number of sessions matched: 10
Default rule:deny
Number of sessions matched: 100
Number of sessions with appid pending: 2
Rule-set: ls-product-design-rs1
Logical system: ls-product-design
Rule: r2
Dynamic Applications: junos:web
Action:permit
Number of sessions matched: 20
Default rule:deny
Number of sessions matched: 200
Number of sessions with appid pending: 4
Rule-set: ls-product-design-rs2
Logical system: ls-product-design
Rule: r1
Dynamic Applications: junos:FACEBOOK
Action:deny
Number of sessions matched: 40
Default rule:permit
Number of sessions matched: 400
Number of sessions with appid pending: 10
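As an added example (not code from Juniper's documentation), the following Python parses output in the format of the verification command above and checks the constraint stated in the Overview: each rule set's default-rule action must be the opposite of its other rules' actions. SAMPLE_OUTPUT is constructed to mirror the page's field names; only the functions and field layout are assumed.

```python
# Added example, not Juniper's code: parse 'show security application-firewall rule-set all'
# output and check the rule this example states, that a rule set's default-rule action is the
# opposite of its other rules' actions. SAMPLE_OUTPUT is constructed to mirror the page's format.
SAMPLE_OUTPUT = """\
Rule-set: ls-product-design-rs1
  Rule: r1
    Dynamic Applications: junos:TELNET
    Action:permit
    Number of sessions matched: 10
  Default rule:deny
  Number of sessions with appid pending: 2
"""

def _value(line, prefix):
    return line[len(prefix):].strip()   # "Action:permit" -> "permit"

def parse_rule_sets(text):
    """Return {name: {"rules": {rule: {"apps": [...], "action": str}}, "default": str|None, "pending": int}}."""
    sets, current, rule = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Rule-set:"):      # new rule set; a repeated name (one block per rule) is merged
            current = sets.setdefault(_value(line, "Rule-set:"), {"rules": {}, "default": None, "pending": 0})
            rule = None
        elif current is None:
            continue                          # anything before the first Rule-set line
        elif line.startswith("Rule:"):
            rule = current["rules"].setdefault(_value(line, "Rule:"), {"apps": [], "action": None})
        elif line.startswith("Dynamic Applications:") and rule is not None:
            rule["apps"] = [a.strip() for a in _value(line, "Dynamic Applications:").split(",")]
        elif line.startswith("Action:") and rule is not None:
            rule["action"] = _value(line, "Action:")
        elif line.startswith("Default rule:"):   # default rule ends the per-rule section
            current["default"] = _value(line, "Default rule:")
            rule = None
        elif line.startswith("Number of sessions with appid pending:"):
            current["pending"] = int(_value(line, "Number of sessions with appid pending:"))
    return sets

def check_rule_sets(sets):
    """Findings as (rule_set, message): no default rule, a rule whose action equals the
    default-rule action, or sessions still waiting for application identification."""
    findings = []
    for name, rs in sets.items():
        if rs["default"] not in ("permit", "deny"):
            findings.append((name, "no default rule configured"))
        findings += [(name, f"rule {r} action {spec['action']} equals default-rule action")
                     for r, spec in rs["rules"].items() if spec["action"] == rs["default"]]
        if rs["pending"]:
            findings.append((name, f"{rs['pending']} sessions with appid pending"))
    return findings
```

Sessions reported as "appid pending" have not yet been classified, so they are listed as a finding to review rather than treated as matched by any rule.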

