
Configuring Firewall Policies and Services for Enterprise Manager Portal

Before you configure firewall policies and services in Enterprise Manager Portal, review and update the configuration from the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface. The topics in this section follow.

Types of Firewall Services

The SRC software represents a Junos OS firewall as two types of SRC services:

  • Basic firewall service—Defines the action that the firewall takes and specifies the types of traffic that the firewall affects.

  • Firewall exception services—Define exception rules that block traffic which would otherwise be permitted to traverse the firewall, or admit traffic that would otherwise be blocked. Exceptions specify the criteria against which packets and application flows are inspected.

For example, to configure an access that accepts e-mail only from a specific IP address, you can use a basic firewall service that blocks all incoming and outgoing traffic, and then add a firewall exception that allows incoming e-mail traffic from that address.

The SRC software supports the following types of firewalls on devices running Junos OS:

  • Stateless firewalls—Inspect each packet in isolation and do not evaluate the traffic flow it belongs to.

  • Stateful firewalls—Track traffic flows and conversations between applications, and evaluate this information when applying exception rules to the traffic.

    An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, when an FTP control connection requests a file download, the stateful firewall knows to expect the TCP data connection that follows and allows it to start.

    The same criteria are not necessarily applied to every packet. For example, for a TCP application, the criteria change once a new TCP session has been initiated, so that subsequent packets in that flow are allowed.

You can make either stateless firewalls or stateful firewalls available from Enterprise Manager Portal.
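The difference between the two firewall types is easiest to see on the FTP case the text uses. The following is an added example written for this page, not SRC or Junos OS code: a stateless rule that judges each packet by its header alone, beside a minimal stateful tracker that admits the server's data connection only because it saw the PORT command on an already admitted control connection. The Packet type, the flow table, the addresses and the FTP exchange are all constructed for illustration.

```python
"""Stateless versus stateful inspection of an active-mode FTP download.

Added example, not SRC or Junos OS code. The Packet type, the flow table,
the addresses and the FTP PORT command are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" = leaving the enterprise, "in" = entering it
    payload: bytes = b""
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule: each packet is judged on its own header only.
    Policy: permit outbound FTP control traffic (tcp/21), nothing inbound."""
    return pkt.direction == "out" and pkt.proto == "tcp" and pkt.dst_port == 21


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFirewall:
    """A packet passes if it belongs to a flow that was already admitted, or
    to a flow announced by a command seen on an admitted control connection;
    otherwise it must satisfy the stateless rule as a new flow."""

    def __init__(self) -> None:
        self.flows = set()      # 5-tuples admitted so far
        self.expected = set()   # 5-tuples announced by an FTP PORT command

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows or reverse in self.flows:
            self._inspect(pkt)          # established flow: pass, keep watching it
            return True
        if key in self.expected:        # the data connection we were told to expect
            self.expected.discard(key)
            self.flows.add(key)
            return True
        if pkt.syn and stateless_allow(pkt):   # new flow: apply the static rule
            self.flows.add(key)
            return True
        return False

    def _inspect(self, pkt: Packet) -> None:
        # Active-mode FTP: the client tells the server where to connect back.
        if pkt.direction == "out" and pkt.dst_port == 21:
            m = PORT_RE.search(pkt.payload)
            if m:
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # The server will open the data connection from port 20.
                self.expected.add(("tcp", pkt.dst_ip, 20, host, port))


def ftp_download_demo():
    """Replay a constructed active-mode FTP exchange through both models and
    return (stateless verdicts, stateful verdicts), one boolean per packet."""
    client, server = "10.1.1.5", "203.0.113.7"
    packets = [
        Packet("tcp", client, 40001, server, 21, "out", syn=True),      # control SYN
        Packet("tcp", client, 40001, server, 21, "out",
               b"PORT 10,1,1,5,156,61\r\n"),                           # 156*256+61 = 39997
        Packet("tcp", server, 20, client, 39997, "in", syn=True),       # announced data SYN
        Packet("tcp", server, 20, client, 39998, "in", syn=True),       # unannounced SYN
    ]
    fw = StatefulFirewall()
    return [stateless_allow(p) for p in packets], [fw.allow(p) for p in packets]
```

The stateless rule blocks the server's data connection (it is inbound), so the download fails unless the administrator opens inbound tcp/20 wholesale. The stateful tracker admits exactly the one data connection the control channel announced and still drops the unannounced SYN from the same server port.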

Basic Firewall Services and Policies Overview

You can create as many basic firewall services in the directory as you want. Table 8 shows the names of the services and policies associated with the basic firewall services in the sample data.

Table 8: Basic Firewall Services and Policies

Name of Service   Name of Policy Group   Function of Firewall
BrickWall         brickwall              Blocks all incoming and outgoing traffic
EmailAndWeb       emailweb               Blocks all incoming traffic and allows only outgoing e-mail and HTTP traffic
Multiservice      multiservice           Blocks all incoming traffic and allows outgoing e-mail, HTTP, FTP, telnet, and Real-Time Streaming Protocol (RTSP) traffic

The services are located under l=entJunos, o=Scopes, o=umc in the sample data.

The policies are located under ou=entJunos, o=Policies, o=umc in the sample data.

You can use these services and their associated policies as a starting point for developing your own basic firewall services.

Tasks to Configure Firewall Policies and Services

The tasks to configure policies and services for firewalls are:

  1.  Configuring Basic Firewall Policies

  2.  Configuring Basic Firewall Services

  3. For stateful firewalls:

    1.  Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls

    2.  Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls

  4. For stateless firewalls:

    1.  Reviewing Services for Exceptions to Stateless Firewalls

    2.  Parameter Values Used by Services for Exceptions to Stateless Firewalls

    3.  Planning Services for Custom Firewall Exceptions

    4.  Configuring Policies for Custom Firewall Exceptions

    5.  Configuring Services for Custom Firewall Exceptions

Configuring Basic Firewall Policies

You can create policies with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.

To create a basic firewall policy:

  1. Create a policy group and associated policy rules in ou=entjunos, o=Policies, o=umc.

  2. Specify a precedence for the policy rules.

    Give the policy rules of all basic firewall services similar precedence values, and make those values higher than the range of precedences you configure for firewall exceptions. A lower precedence number takes effect first, so this ordering is what lets an exception override the basic firewall. In the sample data, we use precedences of 600 and 601 for basic firewall policies.

    Ensure that the precedence for basic firewall policies integrates with other policies that affect the same traffic. See Configuring Priorities for Stateless or Stateful Firewall Services.

For a sample basic firewall policy, see policyGroupName=brickwall, ou=entjunos, o=Policies, o=umc in the sample data.

Configuring Basic Firewall Services

You can create services with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.

To create a basic firewall service:

  1. Create a service.

  2. Specify the following values for the service:

    • Category—Text string basicFirewall (service’s LDAP attribute sspCategory)

    • Description—Summary of what the firewall service does (service’s LDAP attribute description)

      This description will appear on the portal, and subscribers will use the description to select a firewall service. Although there is no upper limit for the length of this attribute, the portal will display the text in one paragraph.

    • Policy Group—Policy group configured for use with this service

For a sample firewall service, see serviceName=BrickWall, l=entJunos, o=Scopes, o=umc in the sample data.

Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls

The policy group policyGroupName=fwrule, ou=entJunos, o=Policies, o=umc is predefined in the sample data. Do not modify any settings or substitutions for this policy group.

Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls

The SRC sample data provides one service for stateful firewall exceptions, serviceName=FirewallRule, l=entJunos, o=Scopes, o=umc, that is designed to work with Enterprise Manager Portal. Do not modify the definition of this service or its associated policy.

You can modify the allowed priority ranges for the service; do not modify any other settings. See Configuring Priorities for Stateless or Stateful Firewall Services.

Each subscription to this service adds a rule to the stateful firewall. The FirewallRule service and its associated policy are general and contain many parameters, such as the priority of the firewall exception and the action that the firewall should take. IT managers supply actual values for these parameters through Enterprise Manager Portal.

The priority values must be lower than the precedence values of the policy rules in the basic firewall policy groups. Because a lower number takes effect first, this is what allows a firewall exception to take priority over the basic firewall. In the sample data, the FirewallRule service has priorities in the range 500–579, and the basic firewall policies use precedences 600 and 601.

Reviewing Services for Exceptions to Stateless Firewalls

Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.

Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:

  • Allow

  • Reject

  • Discard

These actions are required for each traffic direction; that is, traffic:

  • Entering the network

  • Exiting the network

  • Entering and exiting the network

Table 9 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:

  • Action—allow (forward)

  • Direction—Outgoing (from the enterprise)

Services configured to reject traffic return a “network-unreachable” ICMP message.

Table 9: Stateless Firewall Services in Sample Data

                          Traffic Entering   Traffic Exiting       Traffic Entering and
                          the Enterprise     from the Enterprise   Exiting the Enterprise
Traffic Allowed           FWR_Fwd_In         FWR_Fwd_Out           FWR_Fwd_Both
Traffic to Be Discarded   FWR_Filter_In      FWR_Filter_Out        FWR_Filter_Both
Traffic Rejected          FWR_Rej_In         FWR_Rej_Out           FWR_Rej_Both

The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the policies associated with them in the sample data are designed for a subscriber-facing interface on a provider edge device.

In most cases you can use the services as configured. If needed, for example for a service provider-facing interface on a customer edge device, you can customize the services listed in Table 9, but do not change their names: Enterprise Manager Portal requires the services under exactly those names.

To customize the services for such an interface, change the configuration for:

  • Source IP addresses and ports

  • Destination IP addresses and ports

You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.

Parameter Values Used by Services for Exceptions to Stateless Firewalls

Table 10 lists the parameters for which Enterprise Manager Portal provides values. The parameter names start with “fw” (service’s LDAP attribute parameterSubstitution). The services listed in Before You Configure Services for Enterprise Manager Portal use these parameters.

Table 10: Parameters for Stateless Firewall Services for Enterprise Manager Portal

To Specify This Value   Use This Parameter
Protocol                fwProtocol
Source network          fwSrcIp
Source port             fwSrcPort
Destination network     fwDestIp
Destination port        fwDestPort
TOS byte                fwTosByte
TOS byte mask           fwTosByteMask
TCP flags               fwTcpFlags
TCP flags mask          fwTcpFlagsMask
IP flags                fwIpFlags
IP flags mask           fwIpFlagsMask
Fragmentation offset    fwIpFragOffset
ICMP type               fwIcmpType
ICMP code               fwIcmpCode
Packet length           fwPacketLength

Planning Services for Custom Firewall Exceptions

Typically, you use custom exceptions to provide bandwidth management as well as firewall exceptions. Using custom exceptions that do both simplifies the way you integrate BoD and firewall services. For example, you can create custom exceptions to police traffic or to assign a traffic class to the traffic and to specify firewall behavior.

See examples of services for custom exceptions in the sample data:

  • l=Limit1Mbs, l=entJunosStatelessFW, o=Scopes, o=umc

  • l=Limit2Mbs, l=entJunosStatelessFW, o=Scopes, o=umc

  • l=Limit5kbs, l=entJunosStatelessFW, o=Scopes, o=umc

The sample services and the associated policies are designed for a subscriber-facing interface on a provider edge device. When you create policies, policy direction (input or output) can map to incoming or outgoing traffic depending on whether the SRC-managed interface is a subscriber-facing interface on a service provider edge device or a service provider-facing interface on the customer edge device in an enterprise. When you configure policies for services designed for use through Enterprise Manager Portal, you typically assume that:

  • Source IP addresses and ports are inside an enterprise

  • Destination IP addresses and ports are outside an enterprise

Configuring Policies for Custom Firewall Exceptions

You can create policies with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.

To configure a policy for a custom firewall exception:

  1. Create a stateless firewall policy group and associated policy rules.

  2. Specify parameters for the following properties for each policy rule:

    • IP protocol

    • TOS byte in the IP header

    • Source IP addresses

    • Source TCP/UDP ports

    • Destination IP addresses

    • Destination TCP/UDP ports

    • TCP flags

    • IP flags (fragmentation flags)

    • Fragmentation offset

    • Packet length

    • ICMP type

    • ICMP code

For a sample policy, see policyGroupName=custom_policer, ou=entjunos_statelessfw, o=Policies, o=umc in the sample data.

Configuring Services for Custom Firewall Exceptions

You can create services with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface. You can create services that take actions such as those listed in Table 9 in Reviewing Services for Exceptions to Stateless Firewalls.

To configure a service for a custom firewall exception:

  1. Create a service for each traffic action listed in Table 9 in Reviewing Services for Exceptions to Stateless Firewalls. Specify a name that gives the user meaningful information, including the forwarding treatment the traffic receives. The name appears in the Firewall Action field on the Firewall tab in Enterprise Manager Portal.

  2. Specify the following values for the service:

    • Category—customFWRule (the service’s LDAP attribute sspCategory)

    • Policy Group—Policy group that supports custom firewall exceptions

  3. Specify substitutions for the service.

Configuring Priorities for Stateless or Stateful Firewall Services

If you design services to be accessed from Enterprise Manager Portal, you can configure ranges of priority values that are enterprise specific and ranges that are available to a number of enterprises. Setting the two ranges makes it possible for a service provider to specify firewall exceptions that an IT manager in an enterprise cannot override.

Configuring Priorities to Have Enterprise Services Work Together

You can configure the parameters in the following list as global parameters that apply to all subscribers, and as subscriber-specific parameters. If you configure both, the global range takes precedence over a subscriber-specific limit.

  • fwMinPriority—Specifies the lower limit of the range of precedences available for subscriptions to firewall exceptions.

  • fwMaxPriority—Specifies the upper limit of the range of precedences available for subscriptions to firewall exceptions.

  • fwEnterpriseMinPriority—Specifies the lower limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.

  • fwEnterpriseMaxPriority—Specifies the upper limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.

Ensure that:

  • fwMaxPriority is greater than or equal to fwEnterpriseMaxPriority

  • fwEnterpriseMaxPriority is greater than fwEnterpriseMinPriority

  • fwEnterpriseMinPriority is greater than or equal to fwMinPriority

Configuring Priorities for Individual Scopes by Defining Them in Services

You can use parameters to limit priority ranges for services within a scope. For stateful firewall services, you set parameters to limit priority ranges in the FirewallRule service. For stateless firewall services, you set parameters to limit priority ranges in the FWR_Filter_Both service.

You can use parameters to limit priority ranges for services within a scope in addition to using global ranges. For example, you can define a global range, and then define a different range that overrides the global range for specified subscribers.

To allow priority values for services in one scope to override the priority values for services in another scope:

  1. In a service that resides in a service scope that has a low precedence (indicated by a higher number), define default values for the parameters that limit a priority range.

  2. Attach this scope to an entry at a high level in the subscriber folder; for example, to a retailer.

  3. Create a second scope that has a higher precedence.

  4. Create a service that uses parameters to limit priority ranges in the second scope.

  5. Attach the second scope (which has a higher precedence) to the enterprise.

The services with the higher precedence override the services with a lower precedence.
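The scope mechanism just described and the range constraints from Configuring Priorities to Have Enterprise Services Work Together can be checked together. The following is an added example written for this page, not SRC code: it resolves the effective fwMinPriority, fwMaxPriority, fwEnterpriseMinPriority and fwEnterpriseMaxPriority values for a subscriber from scopes attached at the retailer and at the enterprise, verifies the three ordering rules, and decides whether a requested exception priority is open to an enterprise IT manager or only to the provider. The Scope type, the precedence numbers, the attachment points and the override itself are constructed; 500–579 is the FirewallRule range quoted from the sample data.

```python
"""Resolve the effective firewall-exception priority range for a subscriber
from scopes attached at different levels of the subscriber tree, then check
a requested priority against it.

Added example, not SRC code. The Scope type, the precedence numbers, the
attachment points and the ranges are constructed; the parameter names are
those listed under "Configuring Priorities to Have Enterprise Services Work
Together", and 500-579 is the FirewallRule range quoted from the sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    name: str
    precedence: int     # lower number = higher precedence, as in the text
    params: dict        # default parameter values defined in the scope's service


def effective_params(path, attachments):
    """path: the subscriber's ancestry from the enterprise up to the retailer,
    e.g. ["enterprise=Acme", "retailer=Wholesale"]; attachments: {dn: [Scope]}.
    Every scope attached on the path applies; where two define the same
    parameter, the scope with the lower precedence number wins."""
    applicable = [s for dn in path for s in attachments.get(dn, [])]
    result = {}
    # Apply the lowest-precedence scope first so a higher-precedence one overrides it.
    for scope in sorted(applicable, key=lambda s: s.precedence, reverse=True):
        result.update(scope.params)
    return result


def range_violations(p):
    """The three ordering rules for fwMinPriority, fwMaxPriority,
    fwEnterpriseMinPriority and fwEnterpriseMaxPriority; returns the rules
    that do not hold (empty list = consistent)."""
    checks = [
        ("fwMaxPriority >= fwEnterpriseMaxPriority",
         p["fwMaxPriority"] >= p["fwEnterpriseMaxPriority"]),
        ("fwEnterpriseMaxPriority > fwEnterpriseMinPriority",
         p["fwEnterpriseMaxPriority"] > p["fwEnterpriseMinPriority"]),
        ("fwEnterpriseMinPriority >= fwMinPriority",
         p["fwEnterpriseMinPriority"] >= p["fwMinPriority"]),
    ]
    return [name for name, ok in checks if not ok]


def priority_allowed(p, requested, enterprise_manager):
    """An enterprise IT manager is confined to the enterprise range; the
    service provider may use the whole global range. Because a lower number
    wins, a provider exception placed below fwEnterpriseMinPriority cannot be
    overridden from the enterprise side."""
    if enterprise_manager:
        lo, hi = p["fwEnterpriseMinPriority"], p["fwEnterpriseMaxPriority"]
    else:
        lo, hi = p["fwMinPriority"], p["fwMaxPriority"]
    return lo <= requested <= hi


def demo():
    """Constructed scopes: retailer-wide defaults, overridden for one enterprise
    by a higher-precedence scope that reserves 500-519 for the provider."""
    defaults = Scope("retailerDefaults", precedence=200, params={
        "fwMinPriority": 500, "fwMaxPriority": 579,
        "fwEnterpriseMinPriority": 500, "fwEnterpriseMaxPriority": 579})
    acme_only = Scope("acmeFirewall", precedence=100,
                      params={"fwEnterpriseMinPriority": 520})
    attachments = {"retailer=Wholesale": [defaults], "enterprise=Acme": [acme_only]}
    acme = effective_params(["enterprise=Acme", "retailer=Wholesale"], attachments)
    other = effective_params(["enterprise=Other", "retailer=Wholesale"], attachments)
    return acme, other
```

For the Acme enterprise the resolved range is 520–579, so an IT manager there cannot place an exception at 510, while the provider still can; a second enterprise under the same retailer keeps the full 500–579. Run range_violations on every resolved set when you change a scope, since a narrowing override can silently break the ordering rules.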

Using Stateless Firewall and BoD Applications Together

In most cases, you can use the services listed in Table 9 in Reviewing Services for Exceptions to Stateless Firewalls to provide bandwidth management and firewall support. However, if you want to design special services to have firewalls work with BoD services, use the following guidelines to design your services:

  • Specify a higher priority (a lower precedence number) in the BoD policies than in the firewall policies.

  • Specify next-rule actions for the BoD policies, so that evaluation continues after a BoD rule matches.

After all the BoD policy rules are applied, the stateless firewall policy rules are applied. Packets are forwarded or dropped as appropriate.
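The precedence ordering used throughout this section (basic firewall at 600 and 601, exceptions at 500–579, stateless matches on the fw* parameters of Table 10) and the next-rule behaviour of BoD policies described just above can be traced with one small evaluator. The following is an added example written for this page, not SRC or Junos OS code: the Rule type, the matching logic, the sample rules and the policer rate are constructed, the match keys are the Table 10 parameter names, the precedences are the sample-data values quoted in the text, and the ICMP message for reject is the one the text states. The interface is treated as the subscriber-facing PE interface the sample data assumes, so source addresses are inside the enterprise and destinations outside. Packets that match no rule at all are forwarded in this model; in the sample data the basic firewall rules catch everything an exception did not, so that path is never taken.

```python
"""First-match evaluation of the policy rules a subscriber's services install
on the interface, in precedence order (lower number first), with a BoD
policer rule that uses a next-rule action so the stateless firewall rules
are still consulted afterwards.

Added example, not SRC or Junos OS code. Rule, the matching logic, the
sample rules and the rate value are constructed. Match keys are the fw*
parameters of Table 10; 600/601 and 500-579 are the sample-data precedences
quoted in the text; the reject message is the one the text states.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    precedence: int
    action: str                  # "forward", "filter" (discard), "reject" or "policer"
    direction: str               # "in", "out" or "both", as in the FWR_* service names
    next_rule: bool = False      # keep evaluating after this rule matches
    match: dict = field(default_factory=dict)   # fw* parameter values
    rate_kbps: Optional[int] = None             # policer parameter (constructed)


def packet(proto, src_ip, src_port, dst_ip, dst_port, direction):
    """A packet as the evaluator sees it; direction is relative to the enterprise."""
    return dict(proto=proto, src_ip=src_ip, src_port=src_port,
                dst_ip=dst_ip, dst_port=dst_port, direction=direction)


def _matches(rule, pkt):
    if rule.direction not in ("both", pkt["direction"]):
        return False
    m = rule.match
    if "fwProtocol" in m and m["fwProtocol"] != pkt["proto"]:
        return False
    for key, fld in (("fwSrcIp", "src_ip"), ("fwDestIp", "dst_ip")):
        if key in m and ipaddress.ip_address(pkt[fld]) not in ipaddress.ip_network(m[key]):
            return False
    for key, fld in (("fwSrcPort", "src_port"), ("fwDestPort", "dst_port")):
        if key in m and m[key] != pkt[fld]:
            return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, names of the rules that fired). A next-rule match is
    recorded and evaluation continues; the first terminating match decides.
    No match at all forwards (model assumption, see the lead-in)."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not _matches(rule, pkt):
            continue
        fired.append(rule.name)
        if rule.next_rule:
            continue
        if rule.action == "forward":
            return "forward", fired
        if rule.action == "filter":
            return "discard", fired
        if rule.action == "reject":
            return "reject: ICMP network-unreachable", fired
    return "forward", fired


def sample_rules():
    """Constructed rule set: the BrickWall basic firewall plus the rules that
    three exception subscriptions and one BoD policer would add."""
    ent = "10.1.0.0/16"
    return [
        Rule("brickwall-in", 600, "filter", "in"),
        Rule("brickwall-out", 601, "filter", "out"),
        # FWR_Fwd_Out subscription: outgoing SMTP from the enterprise
        Rule("FWR_Fwd_Out:smtp", 540, "forward", "out",
             match={"fwProtocol": "tcp", "fwSrcIp": ent, "fwDestPort": 25}),
        # FWR_Rej_In subscription: inbound telnet attempts are rejected
        Rule("FWR_Rej_In:telnet", 530, "reject", "in",
             match={"fwProtocol": "tcp", "fwDestIp": ent, "fwDestPort": 23}),
        # BoD policer at a higher priority than the firewall rules, with next-rule
        Rule("Limit1Mbs:http", 510, "policer", "out", next_rule=True, rate_kbps=1000,
             match={"fwProtocol": "tcp", "fwSrcIp": ent, "fwDestPort": 80}),
        Rule("FWR_Fwd_Out:http", 545, "forward", "out",
             match={"fwProtocol": "tcp", "fwSrcIp": ent, "fwDestPort": 80}),
    ]
```

Outgoing HTTP hits the policer at 510 and, because that rule is next-rule, still reaches the FWR_Fwd_Out rule at 545 that forwards it; if the policer were terminating, the firewall exception would never be consulted. Outgoing HTTPS matches no exception and falls through to brickwall-out at 601, which is the "block everything by default" behaviour the BrickWall service provides.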