Configuring Firewall Policies and Services for Enterprise Manager Portal
Before you configure firewall policies and services for Enterprise Manager Portal, review and update the configuration with the Policies, Services, and Subscribers CLI or with the Policies, Services, and Subscribers subtasks in the C-Web interface. Topics in this section include:
Types of Firewall Services
The SRC software represents a Junos OS firewall as two types of SRC services:
Basic firewall service—Defines the action that the firewall takes and specifies the types of traffic that the firewall affects.
Services to provide firewall exceptions—Defines exception rules to block traffic that otherwise would be permitted to traverse the firewall, or to admit traffic that would otherwise be blocked. Exceptions specify criteria against which packets and application flows are inspected.
For example, to configure access that accepts only e-mail from a specific IP address, you can use a basic firewall service that blocks all incoming and outgoing traffic, and then add a firewall exception that allows incoming e-mail traffic from that IP address.
The SRC software supports the following types of firewalls on devices running Junos OS:
Stateless firewalls—Inspect each packet in isolation; do not evaluate the traffic flow.
Stateful firewalls—Track traffic flows and conversations between applications, and evaluate this information when applying exception rules to the traffic.
A stateful firewall rule is typically associated with an application. After a flow or conversation meets the firewall criteria, subsequent packets in that flow can pass through the firewall. For example, when an FTP control connection requests a file download, the stateful firewall knows to expect the TCP data connection and allows it to start.
The same criteria are not necessarily applied to every packet. For a TCP application, for example, the criteria change once a new TCP session is initiated, so that subsequent packets in the flow are allowed.
You can make either stateless firewalls or stateful firewalls available from Enterprise Manager Portal.
Basic Firewall Services and Policies Overview
You can create as many basic firewall services in the directory as you want. Table 8 shows the names of the services and policies associated with the basic firewall services in the sample data.
Table 8: Basic Firewall Services and Policies
Name of Service | Name of Policy Group | Function of Firewall |
---|---|---|
BrickWall | brickwall | Blocks all incoming and outgoing traffic |
EmailAndWeb | emailweb | Blocks all incoming traffic and allows only outgoing e-mail and HTTP traffic |
Multiservice | multiservice | Blocks all incoming traffic and allows outgoing e-mail, HTTP, FTP, telnet, and Real-Time Streaming Protocol (RTSP) traffic |
The services are located under l=entJunos, o=Scopes, o=umc in the sample data.
The policies are located under ou=entJunos, o=Policies, o=umc in the sample data.
You can use these services and their associated policies as a starting point for developing your own basic firewall services.
Tasks to Configure Firewall Policies and Services
The tasks to configure policies and services for firewalls are:
For stateful firewalls:
For stateless firewalls:
Configuring Basic Firewall Policies
You can create policies with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.
To create a basic firewall policy:
Create a policy group and associated policy rules in ou=entjunos, o=Policies, o=umc.
Specify a precedence for the policy rules.
All basic firewall services should have a similar value that is higher than the range of precedences you configure for firewall exceptions. In the sample data, we use precedences of 600 and 601 for basic firewall policies.
Ensure that the precedence for basic firewall policies integrates with other policies that affect the same traffic. See Configuring Priorities for Stateless or Stateful Firewall Services.
For a sample basic firewall policy, see policyGroupName=brickwall, ou=entjunos, o=Policies, o=umc in the sample data.
Configuring Basic Firewall Services
You can create services with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.
To create a basic firewall service:
Create a service.
Specify the following values for the service:
Category—Text string basicFirewall (service’s LDAP attribute sspCategory)
Description—Summary of what the firewall service does (service’s LDAP attribute description)
This description will appear on the portal, and subscribers will use the description to select a firewall service. Although there is no upper limit for the length of this attribute, the portal will display the text in one paragraph.
Policy Group—Policy group configured for use with this service
For a sample firewall service, see serviceName=BrickWall, l=entJunos, o=Scopes, o=umc in the sample data.
Reviewing the fwrule Policy Group for Exceptions to Stateful Firewalls
The policy group policyGroupName=fwrule, ou=entJunos, o=Policies, o=umc is predefined in the sample data. Do not modify any settings or substitutions for this policy group.
Reviewing the Firewall Rule Service for Exceptions to Stateful Firewalls
The SRC sample data provides one service for firewall exceptions, serviceName=FirewallRule, l=entJunos, o=Scopes, o=umc, that is designed to work with Enterprise Manager Portal. Do not modify the definition for this service or its associated policy.
You can modify the allowed priority ranges for the service. See Configuring Priorities for Stateless or Stateful Firewall Services.
Each subscription to this service adds a rule to the stateful firewall. The FirewallRule service and its associated policy are general and contain many parameters, such as the priority of the firewall exception and the action that the firewall should take. IT managers supply actual values for these parameters through Enterprise Manager Portal.
If necessary, you can modify the priority ranges for this service; do not modify any other settings. The priority values must be lower than the precedence values of the policy rules in the basic firewall policy groups. Because a lower number means higher precedence, this ordering lets the firewall exceptions take priority over the basic firewall. In the sample data, the FirewallRule service uses priorities in the range 500–579.
Reviewing Services for Exceptions to Stateless Firewalls
Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.
Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:
Allow
Reject
Discard
These actions are required for each traffic direction; that is, traffic:
Entering the network
Exiting the network
Entering and exiting the network
Table 9 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:
Action—allow (forward)
Direction—Outgoing (from the enterprise)
Services configured to reject traffic return a “network-unreachable” ICMP message.
Table 9: Stateless Firewall Services in Sample Data
| Traffic Entering the Enterprise | Traffic Exiting from the Enterprise | Traffic Entering and Exiting the Enterprise |
---|---|---|---|
Traffic Allowed | FWR_Fwd_In | FWR_Fwd_Out | FWR_Fwd_Both |
Traffic to Be Discarded | FWR_Filter_In | FWR_Filter_Out | FWR_Filter_Both |
Traffic Rejected | FWR_Rej_In | FWR_Rej_Out | FWR_Rej_Both |
The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the associated policies configured in the sample data are designed for a subscriber–facing interface on a provider edge device.
In most cases you can use the services as configured. If needed—for example, for a service provider–facing interface in a customer edge device—you can customize the services listed in Table 9, but do not change the names.
To customize services for an enterprise-facing interface, change the configuration for:
Source IP addresses and ports
Destination IP addresses and ports
You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.
Parameter Values Used by Services for Exceptions to Stateless Firewalls
Table 10 lists the parameters for which Enterprise Manager Portal provides values. The parameter names start with “fw” (service’s LDAP attribute parameterSubstitution). The services listed in Before You Configure Services for Enterprise Manager Portal use these parameters.
Table 10: Parameters for Stateless Firewall Services for Enterprise Manager Portal
To Specify This Value | Use This Parameter |
---|---|
Protocol | fwProtocol |
Source network | fwSrcIp |
Source port | fwSrcPort |
Destination network | fwDestIp |
Destination port | fwDestPort |
TOS byte | fwTosByte |
TOS byte mask | fwTosByteMask |
TCP flags | fwTcpFlags |
TCP flags mask | fwTcpFlagsMask |
IP flags | fwIpFlags |
IP flags mask | fwIpFlagsMask |
Fragmentation offset | fwIpFragOffset |
ICMP type | fwIcmpType |
ICMP code | fwIcmpCode |
Packet length | fwPacketLength |
Planning Services for Custom Firewall Exceptions
Typically, you use custom exceptions to provide bandwidth management as well as firewall exceptions. Using custom exceptions that do both simplifies the way you integrate BoD and firewall services. For example, you can create custom exceptions to police traffic or to assign a traffic class to the traffic and to specify firewall behavior.
See examples of services for custom exceptions in the sample data:
l=Limit1Mbs, l=entJunosStatelessFW, o=Scopes, o=umc
l=Limit2Mbs, l=entJunosStatelessFW, o=Scopes, o=umc
l=Limit5kbs, l=entJunosStatelessFW, o=Scopes, o=umc
The sample services and the associated policies are designed for a subscriber–facing interface on a provider edge device. When you create policies, policy direction (input or output) can map to incoming or outgoing traffic depending on whether the SRC-managed interface is a subscriber–facing interface on a service provider edge device, or a service provider–facing interface on the customer edge device in an enterprise. When you configure policies for services designed for use through Enterprise Manager Portal, you typically assume that:
Source IP addresses and ports are inside an enterprise
Destination IP addresses and ports are outside an enterprise
Configuring Policies for Custom Firewall Exceptions
You can create policies with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface.
To configure a policy for a custom firewall exception:
Create a stateless firewall policy group and associated policy rules.
Specify parameters for the following properties for each policy rule:
IP protocol
TOS byte in the IP header
Source IP addresses
Source TCP/UDP ports
Destination IP addresses
Destination TCP/UDP ports
TCP flags
IP flags (fragmentation flags)
Fragmentation offset
Packet length
ICMP type
ICMP code
For a sample policy, see policyGroupName=custom_policer, ou=entjunos_statelessfw, o=Policies, o=umc in the sample data.
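The following added example is not part of the SRC documentation or product; it models how the fw* substitutions in Table 10, which Enterprise Manager Portal supplies at subscription time, act as the classify conditions of a stateless policy rule with the properties listed above. The Packet class, the constructed packets and substitutions, and the accepted value forms ("any", single values, ranges such as 1024-65535, 0x-prefixed masks) are assumptions of the example; the real matching is performed by the policy installed on the Junos OS device.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model for this example; field names are illustrative, not SRC's.
@dataclass
class Packet:
    protocol: int          # IP protocol number
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    tos: int = 0
    tcp_flags: int = 0     # FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
    ip_flags: int = 0      # reserved=0x4 DF=0x2 MF=0x1
    frag_offset: int = 0
    length: int = 0
    icmp_type: int = -1    # -1 means "not an ICMP packet"
    icmp_code: int = -1

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

def _num(x):
    """Accept ints, decimal strings and 0x-prefixed hex strings (assumed value forms)."""
    return x if isinstance(x, int) else int(str(x), 0)

def _proto_match(have, spec):
    if spec in (None, "any"):
        return True
    want = PROTO_NUMBERS.get(str(spec).lower())
    return have == (_num(spec) if want is None else want)

def _net_match(ip, spec):
    if spec in (None, "any"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _range_match(have, spec):
    """spec: "any", a single value such as "25", a range "1024-65535", or a comma list."""
    if spec in (None, "any"):
        return True
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        if _num(lo) <= have <= _num(hi or lo):
            return True
    return False

def _masked_match(have, want, mask):
    """Compare only the bits selected by mask; with no mask, compare the whole value."""
    if want is None:
        return True
    if mask is None:
        return have == _num(want)
    return (have & _num(mask)) == (_num(want) & _num(mask))

def matches(subst, pkt):
    """True if pkt satisfies every classify condition in subst, keyed by the Table 10
    fw* names. A parameter that is absent or "any" places no constraint on its field."""
    g = subst.get
    return (_proto_match(pkt.protocol, g("fwProtocol"))
            and _net_match(pkt.src_ip, g("fwSrcIp"))
            and _net_match(pkt.dst_ip, g("fwDestIp"))
            and _range_match(pkt.src_port, g("fwSrcPort"))
            and _range_match(pkt.dst_port, g("fwDestPort"))
            and _masked_match(pkt.tos, g("fwTosByte"), g("fwTosByteMask"))
            and _masked_match(pkt.tcp_flags, g("fwTcpFlags"), g("fwTcpFlagsMask"))
            and _masked_match(pkt.ip_flags, g("fwIpFlags"), g("fwIpFlagsMask"))
            and _range_match(pkt.frag_offset, g("fwIpFragOffset"))
            and _range_match(pkt.length, g("fwPacketLength"))
            and _masked_match(pkt.icmp_type, g("fwIcmpType"), None)
            and _masked_match(pkt.icmp_code, g("fwIcmpCode"), None))

# Constructed substitutions, as an IT manager might enter them in the portal.
SMTP_FROM_PARTNER = {"fwProtocol": "tcp", "fwSrcIp": "198.51.100.0/24",
                     "fwDestIp": "192.0.2.0/24", "fwDestPort": "25"}
# Only packets with ACK set: return traffic of sessions the enterprise opened.
ESTABLISHED_ONLY = {"fwProtocol": "tcp", "fwTcpFlags": "0x10", "fwTcpFlagsMask": "0x10"}
# Initial fragments only: a non-initial fragment carries no port numbers to match.
NON_FRAGMENT = {"fwIpFragOffset": "0"}

def demo_match():
    syn = Packet(6, "198.51.100.7", "192.0.2.10", src_port=40000, dst_port=25, tcp_flags=0x02)
    ack = Packet(6, "192.0.2.10", "198.51.100.7", src_port=25, dst_port=40000, tcp_flags=0x10)
    tail = Packet(6, "198.51.100.7", "192.0.2.10", frag_offset=185, ip_flags=0x1)
    return {
        "partner_smtp": matches(SMTP_FROM_PARTNER, syn),
        "stranger_smtp": matches(SMTP_FROM_PARTNER, Packet(6, "203.0.113.5", "192.0.2.10", dst_port=25)),
        "syn_is_not_established": matches(ESTABLISHED_ONLY, syn),
        "ack_is_established": matches(ESTABLISHED_ONLY, ack),
        "fragment_tail": matches(NON_FRAGMENT, tail),
    }

if __name__ == "__main__":
    for name, result in demo_match().items():
        print(f"{name}: {result}")
```

The masked comparisons are where practitioners most often get stateless exceptions wrong: fwTcpFlags without a corresponding fwTcpFlagsMask compares the whole flags byte, so a rule meant to admit "established" traffic would also require every other flag bit to be clear.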
Configuring Services for Custom Firewall Exceptions
You can create services with the Policies, Services, and Subscribers CLI or the Policies, Services, and Subscribers subtasks in the C-Web interface. You can create services that take actions such as those listed in table Stateless Firewall Services in Sample Data in Reviewing Services for Exceptions to Stateless Firewalls.
To configure a service for a custom firewall exception:
Create a service for each traffic action listed in table Stateless Firewall Services in Sample Data in Reviewing Services for Exceptions to Stateless Firewalls. Specify a name that provides meaningful information to a user, including information about the forwarding treatment for traffic. The name appears in the Firewall Action field on the Firewall tab in Enterprise Manager Portal.
Specify the following values for the service:
Category—customFWRule (the service’s LDAP attribute sspCategory)
Policy Group—Policy group that supports custom firewall exceptions
Specify substitutions for the service.
Configuring Priorities for Stateless or Stateful Firewall Services
If you design services to be accessed from Enterprise Manager Portal, you can configure ranges of priority values that are enterprise specific and ranges that are available to a number of enterprises. Setting the two ranges makes it possible for a service provider to specify firewall exceptions that an IT manager in an enterprise cannot override.
Configuring Priorities to Have Enterprise Services Work Together
You can configure the parameters in the following list as global parameters that apply to all subscribers, and as subscriber-specific parameters. If you configure both, the global range takes precedence over a subscriber-specific limit.
fwMinPriority—Specifies the lower limit of the range of precedences available for subscriptions to firewall exceptions.
fwMaxPriority—Specifies the upper limit of the range of precedences available for subscriptions to firewall exceptions.
fwEnterpriseMinPriority—Specifies the lower limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.
fwEnterpriseMaxPriority—Specifies the upper limit of the range of precedences that an enterprise-specific manager can make available for subscriptions to firewall exceptions.
Ensure that:
fwMaxPriority is greater than or equal to fwEnterpriseMaxPriority
fwEnterpriseMaxPriority is greater than fwEnterpriseMinPriority
fwEnterpriseMinPriority is greater than or equal to fwMinPriority
Configuring Priorities for Individual Scopes by Defining Them in Services
You can use parameters to limit priority ranges for services within a scope. For stateful firewall services, you set parameters to limit priority ranges in the FirewallRule service. For stateless firewall services, you set parameters to limit priority ranges in the FWR_Filter_Both service.
You can use parameters to limit priority ranges for services within a scope in addition to using global ranges. For example, you can define a global range, and then define a different range that overrides the global range for specified subscribers.
To allow priority values for services in one scope to override the priority values for services in another scope:
In a service that resides in a service scope that has a low precedence (indicated by a higher number), define default values for the parameters that limit a priority range.
Attach this scope to an entry at a high level in the subscriber folder; for example, to a retailer.
Create a second scope that has a higher precedence.
Create a service that uses parameters to limit priority ranges in the second scope.
Attach the second scope (which has a higher precedence) to the enterprise.
The services with the higher precedence override the services with a lower precedence.
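The following added example is not part of the SRC documentation or product. It models the two mechanisms above: resolving the effective fwMinPriority, fwMaxPriority, fwEnterpriseMinPriority and fwEnterpriseMaxPriority values from scopes attached at different levels (the scope with the lower precedence number wins), then checking the ordering constraints and whether a given requester may subscribe at a given priority. The scope precedence numbers, the 540 enterprise floor and the per-requester check are assumptions of the example; the 500–579 range and the 600 basic-firewall precedence are the sample-data values quoted on this page.

```python
PRIORITY_PARAMS = ("fwMinPriority", "fwMaxPriority",
                   "fwEnterpriseMinPriority", "fwEnterpriseMaxPriority")

def resolve(scopes):
    """scopes: list of (scope_precedence, {parameter: value}) for every scope attached
    along the subscriber path. For each parameter, the scope with the lowest precedence
    number (highest precedence) supplies the value; a scope that defines only some of
    the parameters inherits the others from lower-precedence scopes."""
    effective = {}
    # Apply the lowest-precedence scope first so that higher-precedence scopes overwrite it.
    for _, params in sorted(scopes, key=lambda s: s[0], reverse=True):
        effective.update(params)
    return effective

def range_violations(p, basic_firewall_precedence=None):
    """Check the ordering the page requires. Optionally also confirm that the whole
    exception range sits below the precedence of the basic firewall rules (600 in the
    sample data), since a lower number takes priority and a misplaced range would let the
    basic firewall shadow every exception."""
    missing = [k for k in PRIORITY_PARAMS if k not in p]
    if missing:
        return ["missing parameter(s): " + ", ".join(missing)]
    gmin, gmax = p["fwMinPriority"], p["fwMaxPriority"]
    emin, emax = p["fwEnterpriseMinPriority"], p["fwEnterpriseMaxPriority"]
    v = []
    if not gmax >= emax:
        v.append(f"fwMaxPriority {gmax} < fwEnterpriseMaxPriority {emax}")
    if not emax > emin:
        v.append(f"fwEnterpriseMaxPriority {emax} <= fwEnterpriseMinPriority {emin}")
    if not emin >= gmin:
        v.append(f"fwEnterpriseMinPriority {emin} < fwMinPriority {gmin}")
    if basic_firewall_precedence is not None and gmax >= basic_firewall_precedence:
        v.append(f"fwMaxPriority {gmax} is not below basic firewall precedence {basic_firewall_precedence}")
    return v

def may_use(p, priority, enterprise_manager=True):
    """Can this requester subscribe to an exception at this priority? An enterprise IT
    manager is confined to the enterprise range; the service provider has the global range
    (assumed split of roles for the example)."""
    lo, hi = ((p["fwEnterpriseMinPriority"], p["fwEnterpriseMaxPriority"]) if enterprise_manager
              else (p["fwMinPriority"], p["fwMaxPriority"]))
    return lo <= priority <= hi

# Constructed scopes. The retailer scope (precedence 300) carries the defaults; the
# enterprise scope (precedence 100) narrows only the enterprise range.
SCOPES = [
    (300, {"fwMinPriority": 500, "fwMaxPriority": 579,
           "fwEnterpriseMinPriority": 500, "fwEnterpriseMaxPriority": 579}),
    (100, {"fwEnterpriseMinPriority": 540, "fwEnterpriseMaxPriority": 579}),
]

def demo_priorities():
    eff = resolve(SCOPES)
    return {
        "effective": eff,
        "violations": range_violations(eff, basic_firewall_precedence=600),
        # 520 is inside the global range but below the enterprise floor: only the provider
        # can place an exception there, and the IT manager cannot override it.
        "provider_520": may_use(eff, 520, enterprise_manager=False),
        "it_manager_520": may_use(eff, 520, enterprise_manager=True),
        "it_manager_550": may_use(eff, 550, enterprise_manager=True),
    }

if __name__ == "__main__":
    for name, result in demo_priorities().items():
        print(f"{name}: {result}")
```

Running range_violations against the resolved values, rather than against each scope on its own, is the check that matters: a scope that narrows only the enterprise bounds is valid in isolation but can still violate the nesting once it is combined with the defaults inherited from the retailer scope.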
Using Stateless Firewall and BoD Applications Together
In most cases, you can use the services listed in table Stateless Firewall Services in Sample Data in Reviewing Services for Exceptions to Stateless Firewalls to provide bandwidth management and firewall support. However, if you want to design special services to have firewalls work with BoD services, use the following guidelines to design your services:
Specify a higher priority (a lower precedence number) for the BoD policies than for the stateless firewall policies.
Specify next–rule actions for the BoD policies.
After all the BoD policy rules are applied, the stateless firewall policy rules are applied. Packets are forwarded or dropped as appropriate.
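The following added example is not part of the SRC documentation or product. It models the rule ordering this page relies on: rules are applied in ascending precedence number, a firewall exception (500–579 in the sample data) must therefore sit below the basic firewall rule (600) to take effect, and a BoD rule placed ahead of them needs a next-rule action so that evaluation continues into the firewall rules. The packet representation, the rule and policer names other than those quoted from the sample data, and the implicit discard for unmatched traffic are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

FORWARD, REJECT, DISCARD, NEXT_RULE = "forward", "reject", "discard", "next-rule"

@dataclass
class Rule:
    name: str
    precedence: int                  # lower number = evaluated first
    match: Callable[[dict], bool]    # packet -> bool
    action: str
    kind: str                        # "bod", "exception" or "basic"
    policer: Optional[str] = None    # bandwidth treatment carried by a BoD rule

@dataclass
class Verdict:
    action: str
    rule: str
    policers: List[str] = field(default_factory=list)

def evaluate(rules: List[Rule], pkt: dict) -> Verdict:
    """Walk the rules in precedence order. A next-rule action records its policer and
    continues; forward, reject and discard are terminal. With no match the packet is
    discarded, mirroring the implicit discard at the end of a Junos firewall filter
    (an assumption of this model, not something the page states)."""
    policers = []
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not rule.match(pkt):
            continue
        if rule.action == NEXT_RULE:
            policers.append(rule.policer)
            continue
        return Verdict(rule.action, rule.name, policers)
    return Verdict(DISCARD, "implicit", policers)

def shadowed_exceptions(rules: List[Rule]) -> List[str]:
    """Exceptions whose precedence number is not lower than that of the first basic
    firewall rule: the catch-all basic rule fires first, so they can never take effect."""
    basic = [r.precedence for r in rules if r.kind == "basic"]
    if not basic:
        return []
    return [r.name for r in rules if r.kind == "exception" and r.precedence >= min(basic)]

# Constructed packets are plain dicts: direction relative to the enterprise, protocol, destination port.
def out_http(p): return p["dir"] == "out" and p["proto"] == "tcp" and p["dport"] == 80
def in_telnet(p): return p["dir"] == "in" and p["proto"] == "tcp" and p["dport"] == 23

# Constructed rule set. Service names and the 500/510/600 precedence values follow the
# sample data quoted on this page; the BoD policer rule and its "1m" policer are invented.
RULES = [
    Rule("bod:http-policer", 400, out_http, NEXT_RULE, "bod", policer="1m"),
    Rule("exception:FWR_Fwd_Out", 500, out_http, FORWARD, "exception"),
    Rule("exception:FWR_Rej_In", 510, in_telnet, REJECT, "exception"),
    Rule("basic:BrickWall", 600, lambda p: True, DISCARD, "basic"),
]

def demo_rules():
    packets = [
        {"dir": "out", "proto": "tcp", "dport": 80},   # policed to 1m, then forwarded
        {"dir": "in", "proto": "tcp", "dport": 23},    # rejected by the exception
        {"dir": "in", "proto": "tcp", "dport": 25},    # no exception matches: BrickWall discards
    ]
    return [evaluate(RULES, p) for p in packets]

if __name__ == "__main__":
    for verdict in demo_rules():
        print(verdict)
    # An exception numbered above BrickWall is dead configuration.
    late = Rule("exception:FWR_Fwd_In", 650, lambda p: True, FORWARD, "exception")
    print(shadowed_exceptions(RULES + [late]))
```

Two failure modes are visible in the model: if the BoD rule's action were forward instead of next-rule, outbound HTTP would be policed but never reach the firewall rules, and if an exception is given a precedence number at or above the basic firewall rule, shadowed_exceptions reports it because BrickWall discards the packet before the exception is consulted.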