
Examples: Configuring Stateful Firewall Properties

The following example shows a stateful firewall configuration containing two rules: one for input, matching on a specified application set, and the other for output, matching on a specified source address:

[edit services]
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term 1 {
            from {
                application-sets Applications;
            }
            then {
                accept;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    }
    rule Rule2 {
        match-direction output;
        term Local {
            from {
                source-address {
                    10.1.3.2/32;
                }
            }
            then {
                accept;
            }
        }
    }
}

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.

[edit services stateful-firewall]
rule my-firewall-rule {
    match-direction input-output;
    term term1 {
        from {
            source-address 10.1.3.2/32;
            application-sets my-application-group;
        }
        then {
            reject;
            syslog;
        }
    }
    term term2 {
        from {
            destination-address 10.2.3.2;
            applications http;
        }
        then {
            accept;
        }
    }
}

The following example shows use of source and destination prefix lists. This requires two separate configuration items.

You configure the prefix list content at the [edit policy-options] hierarchy level:

policy-options {
    prefix-list p1 {
        1.1.1.1/32;
        2.2.2.0/24;
    }
    prefix-list p2 {
        3.3.3.3/32;
        4.4.4.0/24;
    }
}

You reference the configured prefix list in the stateful firewall rule:

services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

This is equivalent to the following configuration:

services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        1.1.1.1/32;
                        2.2.2.0/24;
                    }
                    destination-address {
                        3.3.3.3/32;
                        4.4.4.0/24;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.

services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2 except;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}
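The following Python model is an added illustration, not part of this documentation or of Junos; it evaluates term t1 against sample source/destination addresses to show that the prefix-list form decides the same way as the inline address form above, and that `p2 except;` inverts the match for every prefix in p2. The term structures, the PREFIX_LISTS table and the sample addresses are constructed here; match-direction and application matching are deliberately left out of the model.

```python
import ipaddress

# Prefix lists p1 and p2 as configured at [edit policy-options] on this page.
PREFIX_LISTS = {
    "p1": ["1.1.1.1/32", "2.2.2.0/24"],
    "p2": ["3.3.3.3/32", "4.4.4.0/24"],
}


def covered(address, prefixes):
    """True when address falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def match_side(frm, side, address):
    """Apply the source or destination qualifiers of a from clause.

    side is 'source' or 'destination'. Accepts an inline '<side>-address'
    list and/or a '<side>-prefix-list' reference given as (name, except_flag).
    With except_flag set, the whole list is negated, as the page describes."""
    if f"{side}-address" in frm and not covered(address, frm[f"{side}-address"]):
        return False
    if f"{side}-prefix-list" in frm:
        name, except_ = frm[f"{side}-prefix-list"]
        hit = covered(address, PREFIX_LISTS[name])
        if hit == except_:  # need a hit normally, a miss under except
            return False
    return True


def evaluate_term(term, src, dst):
    """Return the term's action when its from clause matches, else None."""
    frm = term.get("from", {})
    if match_side(frm, "source", src) and match_side(frm, "destination", dst):
        return term["then"]
    return None


# rule r1 term t1 in its three forms from this page (constructed structures)
T1_PREFIX_LIST = {"from": {"source-prefix-list": ("p1", False),
                           "destination-prefix-list": ("p2", False)},
                  "then": "accept"}
T1_INLINE = {"from": {"source-address": PREFIX_LISTS["p1"],
                      "destination-address": PREFIX_LISTS["p2"]},
             "then": "accept"}
T1_EXCEPT = {"from": {"source-prefix-list": ("p1", False),
                      "destination-prefix-list": ("p2", True)},
             "then": "accept"}
```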

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see Examples: Services Interfaces Configuration.

