The following example is a preset statement from the JUNOS default groups that is available for FTP in a stateful firewall:
    [edit]
    groups {
        junos-defaults {
            applications {
                application junos-ftp { # Use FTP default configuration
                    application-protocol ftp;
                    protocol tcp;
                    destination-port 21;
                }
            }
        }
    }
To reference a preset JUNOS default statement from the JUNOS default groups, include the junos-default-name statement at the applicable hierarchy level. For example, to reference the JUNOS default statement for FTP in a stateful firewall, include the junos-ftp statement at the [edit services stateful-firewall rule rule-name term term-name from applications] hierarchy level.
    [edit]
    services {
        stateful-firewall {
            rule my-rule {
                term my-term {
                    from {
                        applications junos-ftp; # Reference predefined statement, junos-ftp
                    }
                }
            }
        }
    }
The following example shows configuration of the default JUNOS IP ALG:
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        applications junos-ip;
                    }
                    then {
                        accept;
                        syslog;
                    }
                }
            }
        }
    }
If you configure the IP ALG in a stateful firewall rule, it matches any IP traffic. However, if a more specific application matches the same traffic, the IP ALG is not matched. For example, in the following configuration, both the ICMP ALG and the IP ALG are configured, but ICMP packets are matched by the ICMP ALG, because it is the more specific match.
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        applications [ junos-ip junos-icmp-all ];
                    }
                    then {
                        accept;
                        syslog;
                    }
                }
            }
        }
    }
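Because the IP ALG is matched by any IP traffic, a term that lists junos-ip and accepts is worth finding during a rule review. The following audit sketch is an added example, not Juniper code: it parses brace-style stateful-firewall configuration and reports each accepting term that references junos-ip, along with the other applications listed beside it. The function names, the sample text, and term t2 are assumptions made for illustration.

```python
import re

# Constructed sample: the page's two-ALG term (compacted) plus a hypothetical FTP-only term t2.
SAMPLE = """
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from { applications [ junos-ip junos-icmp-all ]; }
                then { accept; syslog; }
            }
            term t2 {
                from { applications junos-ftp; }  # single-application form
                then { accept; }
            }
        }
    }
}
"""

def parse_terms(config):
    """Map (rule, term) to its 'from applications' list and 'then' actions."""
    # Strip trailing comments, then tokenize; list brackets match no pattern and are dropped.
    tokens = re.findall(r"[{};]|[^\s{};\[\]]+", re.sub(r"#.*", "", config))
    stack, words, terms = [], [], {}
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words)                 # e.g. ["rule", "r1"] or ["from"]
        elif tok == "}":
            stack.pop()
        else:                                   # ';' ends a statement
            names = {b[0]: b[1] for b in stack if len(b) == 2}
            if words and "rule" in names and "term" in names:
                entry = terms.setdefault((names["rule"], names["term"]),
                                         {"apps": [], "actions": []})
                if stack[-1] == ["from"] and words[0] == "applications":
                    entry["apps"] += words[1:]
                elif stack[-1] == ["then"]:
                    entry["actions"].append(words[0])
        words = []
    return terms

def broad_ip_accepts(config):
    """Terms that accept junos-ip, each with the other applications listed beside it."""
    return {key: [a for a in t["apps"] if a != "junos-ip"]
            for key, t in parse_terms(config).items()
            if "junos-ip" in t["apps"] and "accept" in t["actions"]}
```

Calling `broad_ip_accepts(SAMPLE)` reports term t1 of rule r1 with junos-icmp-all as the more specific application; an empty list for a term means junos-ip is the only application it names.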