Configuring Juniper Service Framework – Stateful Firewall, Rules, and Services Set
Routers use firewalls to track and control the flow of traffic. Adaptive Services and Multiservices PICs employ a type of firewall called a stateful firewall. To run the stateful firewall (SFW) under the Juniper Service Framework (JSF), you must configure the jservices-sfw package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider] hierarchy level. In addition, you must configure SFW rules and a services set that uses a Multiservices (ms-) interface. This section includes the following tasks:
- Configuring the JSF Stateful Firewall Package
- Configuring the Stateful Firewall Rule
- Configuring the Services Set for Stateful Firewall
Configuring the JSF Stateful Firewall Package
To configure the JSF services:
- In configuration mode, go to the following hierarchy level:

    user@host# edit chassis

- At this hierarchy level, configure the FPC and PIC:

    [edit chassis]
    user@host# edit fpc slot pic slot

  In this example, the FPC is in slot 1 and the PIC is in slot 0:

    [edit chassis]
    user@host# edit fpc 1 pic 0

- Configure the number of cores dedicated to control functionality:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider control-cores control-cores

  In this example, the number of control cores is 1:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider control-cores 1

- Configure the number of processing cores dedicated to data:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider data-cores data-cores

  In this example, the number of data cores is 7:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider data-cores 7

- Configure the size of the object cache in MB. Only values in increments of 128 MB are allowed, and the maximum object cache size is 1280 MB:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider object-cache-size object-cache-size

  In this example, the size of the object cache is 1280 MB:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider object-cache-size 1280

- Configure the size of the policy database in MB:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider policy-db-size policy-db-size

  In this example, the size of the policy database is 64 MB:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider policy-db-size 64

- Configure the package:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider package package

  In this example, the package is jservices-nat:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider package jservices-nat

- Configure the extension provider system log so that PIC system log messages are recorded and can be viewed:

    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider syslog syslog

  In this example, syslog is set to daemon any and external any:

    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider syslog daemon any
    [edit chassis fpc 1 pic 0]
    user@host# set adaptive-services service-package extension-provider syslog external any

- Verify the configuration:

    [edit chassis]
    user@host# show chassis
    fpc 1 {
        pic 0 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 1280;
                        policy-db-size 64;
                        package jservices-nat;
                        syslog {
                            daemon any;
                            external any;
                        }
                    }
                }
            }
        }
    }
Configuring the Stateful Firewall Rule
To configure the stateful firewall rule:
- In configuration mode, go to the following hierarchy level:

    user@host# edit services

- Configure the stateful firewall rule:

    [edit services]
    user@host# set stateful-firewall rule rule

  In this example, the SFW rule is rule1 with match-direction input-output:

    [edit services]
    user@host# set stateful-firewall rule rule1 match-direction input-output

- Configure the rule input conditions (the from clause) that define the stateful firewall term:

    [edit services]
    user@host# set stateful-firewall rule rule

  In this example, term term1 of rule1 matches the applications junos-tftp and junos-rsh:

    [edit services]
    user@host# set stateful-firewall rule rule1 term term1 from applications junos-tftp
    user@host# set stateful-firewall rule rule1 term term1 from applications junos-rsh

- Configure the actions of the stateful firewall term:

    [edit services]
    user@host# set stateful-firewall rule rule

  In this example, the action for rule1 term term1 is accept:

    [edit services]
    user@host# set stateful-firewall rule rule1 term term1 then accept

- Verify the configuration:

    [edit services]
    stateful-firewall {
        rule rule1 {
            match-direction input-output;
            term term1 {
                from {
                    applications [ junos-tftp junos-rsh ];
                }
                then {
                    accept;
                }
            }
        }
    }
Configuring the Services Set for Stateful Firewall
To configure the services set for stateful firewall:
- In configuration mode, go to the following hierarchy level:

    user@host# edit services

- Configure the services set:

    [edit services]
    user@host# edit service-set service-set

  In this example, the services set that carries the rule is sfw-ss:

    [edit services]
    user@host# edit service-set sfw-ss

- Configure the services set system log, including the message rate limit (the maximum number of system log messages per second allowed from this interface):

    [edit services service-set sfw-ss]
    user@host# edit syslog syslog

  In this example, the syslog hierarchy of the services set is entered:

    [edit services service-set sfw-ss]
    user@host# edit syslog

- Configure the host attributes:

    [edit services service-set sfw-ss syslog]
    user@host# edit host host

  In this example, the host is host-local:

    [edit services service-set sfw-ss syslog]
    user@host# edit host host-local

- Configure the services attribute for the host:

    [edit services service-set sfw-ss syslog host host-local]
    user@host# set services services

  In this example, the services attribute is any:

    [edit services service-set sfw-ss syslog host host-local]
    user@host# set services any

- Configure the services set with SFW rules:

    [edit services service-set sfw-ss]
    user@host# edit stateful-firewall-rules stateful-firewall-rules

  In this example, the SFW rule is rule1:

    [edit services service-set sfw-ss]
    user@host# edit stateful-firewall-rules rule1

- Configure the interface:

    [edit services service-set sfw-ss]
    user@host# edit interface interface

  In this example, the interface is interface-service:

    [edit services service-set sfw-ss]
    user@host# edit interface interface-service

- Configure the service interface:

    [edit services service-set sfw-ss interface-service]
    user@host# set service-interface service-interface

  In this example, the service interface is ms-1/0/0:

    [edit services service-set sfw-ss interface-service]
    user@host# set service-interface ms-1/0/0

- Verify the configuration:

    [edit services]
    user@host# show services
    service-set sfw-ss {
        syslog {
            host local {
                services any;
            }
        }
        stateful-firewall-rules rule1;
        interface-service {
            service-interface ms-1/0/0;
        }
    }
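As an added example (not Juniper's code and not part of the original page), the following Python script checks a set-style rendering of the three tasks above against the constraints the page states: object-cache-size in 128 MB increments up to 1280 MB, the services set referencing a stateful-firewall rule that is actually defined, the jservices-sfw package being loaded when SFW rules are applied, and the ms- service interface sitting on the FPC/PIC that runs the package. The sample configuration is constructed to mirror the page's example.

```python
import re

OBJECT_CACHE_STEP_MB = 128   # object-cache-size must be a multiple of this ...
OBJECT_CACHE_MAX_MB = 1280   # ... and no larger than this

# Constructed sample mirroring the page's example in 'set' form, with the
# jservices-sfw package the introduction requires for the stateful firewall.
SAMPLE_CONFIG = """
set chassis fpc 1 pic 0 adaptive-services service-package extension-provider control-cores 1
set chassis fpc 1 pic 0 adaptive-services service-package extension-provider data-cores 7
set chassis fpc 1 pic 0 adaptive-services service-package extension-provider object-cache-size 1280
set chassis fpc 1 pic 0 adaptive-services service-package extension-provider policy-db-size 64
set chassis fpc 1 pic 0 adaptive-services service-package extension-provider package jservices-sfw
set services stateful-firewall rule rule1 match-direction input-output
set services stateful-firewall rule rule1 term term1 from applications junos-tftp
set services stateful-firewall rule rule1 term term1 from applications junos-rsh
set services stateful-firewall rule rule1 term term1 then accept
set services service-set sfw-ss stateful-firewall-rules rule1
set services service-set sfw-ss interface-service service-interface ms-1/0/0
"""


def check_config(text):
    """Return a list of problems in a Junos 'set'-style config; [] means it passed."""
    problems = []
    # 1. object-cache-size: 128 MB increments, at most 1280 MB (stated on the page).
    for size in re.findall(r"object-cache-size (\d+)", text):
        mb = int(size)
        if mb % OBJECT_CACHE_STEP_MB or mb > OBJECT_CACHE_MAX_MB:
            problems.append(f"object-cache-size {mb}: not a multiple of 128 MB up to 1280 MB")
    # 2. Every stateful-firewall rule a service set applies must be defined.
    defined = set(re.findall(r"set services stateful-firewall rule (\S+)", text))
    applied = re.findall(r"service-set (\S+) stateful-firewall-rules (\S+)", text)
    for service_set, rule in applied:
        if rule not in defined:
            problems.append(f"service-set {service_set} references undefined rule {rule}")
    # 3. Stateful firewall needs the jservices-sfw package loaded on the PIC.
    packages = set(re.findall(r"extension-provider package (\S+)", text))
    if applied and "jservices-sfw" not in packages:
        problems.append("stateful-firewall rules applied but jservices-sfw package not configured")
    # 4. The ms-fpc/pic/port service interface must be on a PIC running the package.
    for fpc, pic in re.findall(r"service-interface ms-(\d+)/(\d+)/\d+", text):
        if f"set chassis fpc {fpc} pic {pic} adaptive-services service-package" not in text:
            problems.append(f"service-interface ms-{fpc}/{pic}/x: no package on fpc {fpc} pic {pic}")
    return problems


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "no problems found")
```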

