
Subscribing to Firewall Services Through Enterprise Manager Portal


You can configure subscriptions to firewall services through Enterprise Manager Portal. Topics include:

Firewall Services in Enterprise Manager Portal Overview

The basic firewall that you configure will be enforced on all Internet access links subordinate to the subscriber you select in the navigation pane. When you have configured a basic firewall, you can create firewall exceptions—variances from the basic firewall—for specific categories of traffic.

Firewall exception rules block traffic that would otherwise be permitted to traverse the firewall, or admit traffic that would otherwise be blocked. Exceptions specify criteria against which each packet is inspected.

How you configure firewall exceptions depends on which type of firewall service the ISP enabled. Enterprise Manager Portal can support one of the following:

  • Stateless firewalls—Inspect each packet in isolation; they do not evaluate the traffic flow.

    With stateless firewalls, you can configure exceptions to take customized actions, such as policing specified traffic at a specified rate, or setting the ToS byte. By using customized actions, you can allow traffic from a specified IP address or for a specified IP protocol to traverse the firewall. In addition, you can specify quality of service (QoS) properties such as values for the type of service (ToS) byte.

  • Stateful firewalls—Track traffic flows and conversations between applications and evaluate this information when applying exception rules.

    An application is typically associated with a stateful firewall rule. After a flow or conversation meets the firewall criteria, packets in that flow can pass through the firewall. For example, for an FTP connection, when the FTP control connection requests a file download, the stateful firewall knows to expect a TCP data connection and allows it to start. You can also create firewall exceptions for traffic associated with a particular application protocol, such as FTP, that originates at a particular address in the enterprise.

Before You Configure Firewall Exception Rules

Before you configure firewall exception rules, make sure that you understand which types of packets you want to pass through a firewall.

Enterprise Manager Portal must be set to Advanced configuration mode to configure some of the properties for a firewall. If the portal is not in Advanced mode, some of the settings appear as read-only fields. For information about setting the portal mode, see Setting the Configuration Level for Enterprise Manager Portal.

Creating Subscriptions to Firewall Services

To create a subscription to a basic firewall service:

  1. In the navigation pane of Enterprise Manager Portal, click the subscriber for whom you want to create a subscription to a basic firewall service.

  2. Click the Firewall tab.

    The Firewall page appears.

  3. Click the help icon above the firewall service to review information about the available firewalls.

    See Firewall Service Field in Enterprise Manager Portal.

  4. Select a firewall service from the menu, and click Apply.

    The Firewall page changes to allow you to create firewall exceptions.

Firewall Service Field in Enterprise Manager Portal

Use the field in this topic to specify a firewall service in Enterprise Manager Portal.

Firewall Service

  • Name of the firewall service.

  • Value—Menu of firewall services in the directory available for this subscriber

  • Default—No Firewall

  • Example—BasicFW1

Creating Firewall Exceptions for Stateless Firewalls

To create a firewall exception for a subscriber:

  1. Access the subscriber’s Firewall page.

  2. In the Firewall page, click Create Firewall Exception.

    The Create Exception dialog box appears. Figure 7 shows the appearance of the dialog box when Enterprise Manager Portal is set to Advanced mode.

    Figure 7: Create Exception Dialog Box for Stateless Firewalls

  3. Enter field values to configure the values for the firewall exception.

    See Fields for Exceptions to Stateless Firewalls in Enterprise Manager Portal.

    Which protocols you select determines which associated protocol fields are available for editing.

    Note

    If a user changes the value for a protocol when the configuration level for the portal is set to Normal mode, values for the following fields may be deleted: TCP Flags, Fragmentation Flags, Fragmentation Offset, Packet Length, ICMP Type, and ICMP Code.

    If the value of a protocol is changed to the original setting, the portal restores the associated field values that were previously removed.

  4. Click Create.

    The Firewall page shows the exception configured. Figure 8 shows three exceptions configured for a brickwall firewall service. The exceptions appear in priority order.

    Figure 8: Firewall Page with Firewall Service Applied and Exceptions Configured

Fields for Exceptions to Stateless Firewalls in Enterprise Manager Portal

Use the fields in this topic to configure rules for exceptions to stateless firewalls.

Rule Name

  • Name of the subscription to the firewall service.

  • Value—Alphanumeric string

  • Guidelines—You must specify a name for the rule. Do not use spaces, dots, or punctuation characters in the name.

  • Default—No value

  • Example—WebAccess

IP Protocols

  • IP protocol associated with this rule.

  • Value—Comma-separated list of IP protocols, each specified by one of the following:

    • IP protocol number in the range 0–255

    • The following abbreviations:

    • ah—authentication header

    • egp—exterior gateway protocol

    • esp—Encapsulating Security Payload

    • gre—generic routing encapsulation

    • icmp—Internet Control Message Protocol

    • igmp—Internet Group Management Protocol

    • ipip—IP over IP

    • ospf—Open Shortest Path First

    • pim—Protocol Independent Multicast

    • rsvp—Resource Reservation Protocol

    • sctp—Stream Control Transmission Protocol

    • tcp—Transmission Control Protocol

    • udp—User Datagram Protocol

    • Blank—Any IP protocol

  • Default—No value

  • Example—tcp

ToS Byte

  • ToS byte in the header of the IP datagram associated with traffic affected by this rule.

  • Value

    • DiffServ—DiffServ is used to classify packets by the selected value.

    • Precedence—Value for the drop precedence.

    • Free Format—ToS byte in binary format. Use an x to indicate a bit to be ignored.

  • Guidelines—You can configure the ToS byte only if the configuration level is set to Advanced.

    Specify the ToS byte in this field if you want to specify a specific type of service. If you want to specify all types of service, leave this field empty.

  • Default—No value

  • Example—Free Format 000010xx

Source IP Addresses

  • IP addresses (as contained in the IP packets) of traffic to which the rule applies.

  • Value—[ not ]<networkAddress>/<networkMask>

    • not—All addresses except the listed addresses

    • <networkAddress>—IP address of the network

    • <networkMask>—Subnet mask

  • Guidelines—To specify traffic with a particular source IP address, enter an IP address. To specify all traffic except that with a particular source IP address, precede the IP address with the keyword not. To specify traffic with any source IP address, leave the field empty. To specify multiple source IP addresses, enter multiple addresses on different lines. You can specify multiple source IP addresses only if the configuration level is set to Advanced.

  • Default—No value

  • Example—192.0.2.0/24

Source Ports

  • Source TCP/UDP port(s) (contained in the IP packets) of traffic affected by this rule.

  • Values

    • Port number

    • Comma-separated list of port numbers and ranges of port numbers (devices running Junos OS)

    • Ranges of port numbers separated by two dots (..)

  • Guidelines—To specify all ports, leave this field empty. If you specify an IP protocol other than TCP or UDP for this subscription, the port field will dim, and you will not be able to specify port numbers in this field.

  • Default—No value

  • Example

    • 2

    • 2, 3, 45..55

Destination IP Addresses

  • Destination IP address(es) (contained in the IP packets) of traffic affected by this rule.

  • Value—[ not ]<networkAddress>/<networkMask>

    • not—Address, or set of IP addresses as expressed by the netmask, for which the firewall service is not available

    • <networkAddress>—IP address of the network

    • <networkMask>—Netmask expressed as an integer 0–32, which specifies how many of the first bits in the address specify the network

  • Guidelines—To specify a netmask for a destination IP address or a set of IP addresses that should not be included, precede the IP address with the keyword not. The order in which you list prefixes, identified by the IP address–netmask pair, is not significant. They are all evaluated to determine whether a match occurs. If prefixes overlap, longest-match rules are used to determine whether a match occurs. For an address to be considered a match, it must match one of the rules in the list.

    For information about how devices running Junos OS evaluate prefixes, see the Junos OS Policy Framework Configuration Guide.

  • Default—No value

  • Example—192.0.2.0/24

Destination Ports

  • Destination TCP/UDP port(s) (contained in the IP packets) of traffic affected by this rule.

  • Value

    • Port number

    • Comma-separated list of port numbers and ranges of port numbers (devices running Junos OS)

    • Ranges of port numbers separated by two dots (..)

  • Guidelines—To specify all ports, leave this field empty. If you specify an IP protocol other than TCP or UDP for this subscription, the port field will dim, and you will not be able to specify port numbers in this field.

  • Default—No value

  • Example

    • 2

    • 2, 3, 45..55

TCP Flags

  • Conditions in the TCP flags in the TCP message header. This field is enabled when the TCP protocol is selected.

  • Value—Expression or text synonym that identifies the TCP flags

  • Guidelines—You can enter a value for TCP flags only if you select TCP as the IP protocol.

    You can enter a logical expression that contains the symbols for the six TCP flags: urgent, ack, push, rst, syn, and fin. You can use the following logical operators in the list of flags:

    • &—And. Separates flag settings in the list.

    • !—Not. Flags preceded by ! are cleared; flags not preceded by ! are set.

    You can use the following expression instead of the entire expression:

    • tcp-initial—syn & !ack

    The interface displays text synonyms for expressions if stored data matches the expression.

    This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

  • Default—No value

  • Example

    • syn

    • tcp-initial

Fragmentation Flags

  • Logical expression using the dont-fragment, more-fragments, and reserved IP fragmentation flags.

  • Value—Flags expression

  • Guidelines—The expression can also contain the following logical operators:

    • &—And. Separates flag settings in the list.

    • !—Not. Flags preceded by ! are cleared; flags not preceded by ! are set.

  • Default—No value

  • Example

    • more-fragments

    • ! dont-fragment

Fragment Offset

  • IP fragment offset—a value that defines the order in which to assemble fragments for an IP datagram.

  • Value—One of the following:

    • Number in the range 0–8191

    • Range of numbers separated by two dots (..) within the range 0–8191

  • Default—No value

  • Example

    • 50

    • 50 .. 76

Packet Length

  • Length of packets.

  • Value—One of the following:

    • Number in the range 0–65536

    • Range of numbers separated by two dots (..) within the range 0–65536

  • Default—No value

  • Example

    • 15000

    • 15000 .. 30000

ICMP Type

  • Type of message for Internet Control Message Protocol (ICMP).

  • Value—Type of ICMP message in the following formats:

    • Number of the ICMP message type in the range 0–255

    • Symbolic name for an ICMP message type

    • Comma-separated list of ICMP types and ranges of ICMP types

    • Ranges of ICMP types separated by two dots (..) within the range 0–255

    • Blank—Any ICMP type

  • Guidelines—You can enter a value for this field only if you select the icmp protocol (protocol number 1).

The following list shows the symbolic name and associated numbers for ICMP types. The ICMP types are the same as those on devices running Junos OS with the addition of traceroute.

  • 0—echo-reply

  • 8—echo-request

  • 16—info-reply

  • 15—info-request

  • 18—mask-reply

  • 17—mask-request

  • 12—parameter-problem

  • 5—redirect

  • 9—router-advertisement

  • 10—router-solicit

  • 4—source-quench

  • 11—time-exceeded

  • 13—timestamp

  • 14—timestamp-reply

  • 30—traceroute

  • 3—unreachable

    This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

  • Default—Any

  • Example—10 .. 25, 27

ICMP Code

  • Code for ICMP.

  • Value—Type of ICMP code in the following formats:

    • Number of ICMP code in the range 0–255

    • Comma-separated list of code numbers and ranges of code numbers

    • Ranges of code numbers separated by two dots (..) within the range 0–255

    • Blank—Any ICMP code

  • Guidelines—You can enter a value for this field only if you select particular protocols.

    This field appears enabled only if the configuration level is set to Advanced. Although the value can be changed when the configuration level is set to Normal, we recommend that the value of this field not be changed if the field appears disabled.

  • Default—Any

  • Example—75

Priority

  • Numeric value that indicates which firewall exception takes precedence if a subscriber has multiple exceptions for a firewall service.

  • Value—Integer in the range specified by the online help for this field

  • Guidelines—You must specify a priority for the firewall exception. A lower number indicates a higher priority. Use a unique priority for each firewall exception that relates to the same traffic. If two rules have the same priority, they will be applied to traffic in an unpredictable order.

  • Default—No value

  • Example—5

Direction

  • Direction, with respect to the enterprise, of the traffic.

  • Value

    • Incoming—Applies to traffic that starts outside the enterprise

    • Outgoing—Applies to traffic that starts inside the enterprise

    • Both—Applies to traffic flows that start inside or outside the enterprise

  • Guidelines—If you select a custom firewall rule, you cannot specify a direction. Custom firewall rules should have names that reflect what the rule does.

  • Default—Incoming

  • Example—Both

Action

  • Way in which the firewall should handle the incoming or outgoing traffic.

  • Value

    • Allow—Let the traffic through the firewall.

    • Reject—Send an ICMP reply that explains why the firewall blocked the traffic.

    • Discard—Drop the traffic without sending any reply.

    • A custom value configured by the service provider.

  • Guidelines—Other actions may be available—one for each custom firewall rule.

  • Default—Allow

  • Example—Discard

Enabled

  • Status of the rule.

  • Value

    • Gray box—Rule is inherited from a parent subscriber or the rule is scheduled

    • White box—Rule is configured for this subscriber

    • Box with check mark—Rule is enabled

    • Empty box—Rule is disabled

  • Guidelines—Click box to enable or disable a rule.

  • Default—Rule is disabled
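
As an added example (not code from the portal or from Juniper), the following Python evaluates stateless exceptions written in the field syntax described above: port lists with .. ranges, Free Format ToS bytes with x wildcard bits, TCP flag expressions built from & and ! plus the tcp-initial synonym, address lines with the not keyword, and priority ordering with the lower number winning. The rule set, addresses and packets are constructed, and the IP protocol is compared by name only.

```python
# Added example, not the portal's code: evaluate stateless firewall
# exceptions written in the field syntax this page describes.
import ipaddress

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "push": 0x08, "ack": 0x10, "urgent": 0x20}
FLAG_SYNONYMS = {"tcp-initial": "syn & !ack"}  # synonym from the TCP Flags field

def port_matches(spec, port):
    """Ports field: '2, 3, 45..55' (ranges use '..'); blank means any port."""
    if not spec.strip():
        return True
    for item in (s.strip() for s in spec.split(",")):
        if ".." in item:
            lo, hi = (int(p) for p in item.split(".."))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False

def tos_matches(spec, tos):
    """Free Format ToS byte such as '000010xx': an 'x' bit is ignored."""
    return all(ch == "x" or (tos >> (7 - i)) & 1 == int(ch)
               for i, ch in enumerate(spec))

def tcp_flags_match(expr, flags):
    """TCP Flags expression: '&' joins terms, '!' means the flag is cleared."""
    expr = FLAG_SYNONYMS.get(expr.strip(), expr)
    for term in (t.strip() for t in expr.split("&") if t.strip()):
        want_clear = term.startswith("!")
        if bool(flags & TCP_FLAG_BITS[term.lstrip("! ")]) == want_clear:
            return False
    return True

def prefix_matches(spec, addr):
    """Address field: one '[ not ]<networkAddress>/<networkMask>' per line;
    any matching line is a match, and 'not' inverts that line."""
    if not spec.strip():
        return True
    ip = ipaddress.ip_address(addr)
    for parts in (ln.split() for ln in spec.splitlines() if ln.strip()):
        net = ipaddress.ip_network(parts[-1], strict=False)
        if (ip in net) != (parts[0] == "not"):
            return True
    return False

def decide(rules, pkt, default_action="Discard"):
    """Apply exceptions in priority order (lower number = higher priority);
    return (rule name, action) of the first match, else the default."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["proto"] == pkt["proto"]
                and prefix_matches(r.get("src", ""), pkt["src"])
                and port_matches(r.get("dport", ""), pkt["dport"])
                and tos_matches(r.get("tos", ""), pkt["tos"])
                and tcp_flags_match(r.get("flags", ""), pkt["flags"])):
            return r["name"], r["action"]
    return None, default_action

# Constructed rules: BlockHost (priority 5) is evaluated before WebAccess (10).
RULES = [
    {"name": "WebAccess", "priority": 10, "proto": "tcp", "dport": "80, 443",
     "src": "192.0.2.0/24", "flags": "tcp-initial", "action": "Allow"},
    {"name": "BlockHost", "priority": 5, "proto": "tcp", "dport": "80, 443",
     "src": "192.0.2.99/32", "action": "Discard"},
    {"name": "DnsAny", "priority": 20, "proto": "udp", "dport": "53",
     "src": "not 192.0.2.0/24", "tos": "000010xx", "action": "Allow"},
]
```

With these rules, a SYN from 192.0.2.99 to port 443 is discarded by BlockHost even though WebAccess would allow it, which is the effect of the priority ordering described under Priority.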

Creating Firewall Exceptions for Stateful Firewalls

To create a firewall exception for a subscriber:

  1. If you want to create a firewall exception for a particular application object, first create that object.

  2. Access the subscriber’s Firewall page.

    Figure 9: Firewall Page with Firewall Service Applied
  3. Enter field values to configure the values for the firewall exception.

    See Fields for Exceptions to Stateful Firewalls in Enterprise Manager Portal.

  4. Click Create.

Fields for Exceptions to Stateful Firewalls in Enterprise Manager Portal

Use the fields in this topic to specify exceptions to stateful firewalls.

Priority

  • Numeric value to indicate which firewall exception takes precedence if a subscriber has multiple exceptions for a firewall service.

  • Value—Integer in the range specified by the online help for this field

  • Guidelines—You must specify a priority for the firewall exception. A lower number indicates a higher priority. Use a unique priority for each firewall exception that relates to the same traffic. If two rules have the same priority, they will be applied to traffic in an unpredictable order.

  • Default—No value

  • Example—5

Name

  • Name of the subscription to the firewall service.

  • Value—Text string

  • Guidelines—You must specify a name for the firewall exception.

  • Default—No value

  • Example—videoConference

Direction

  • Direction, with respect to the enterprise, of the initial traffic flow in a conversation.

  • Value

    • Incoming—Applies to an initial traffic flow that starts outside the enterprise

    • Outgoing—Applies to an initial traffic flow that starts inside the enterprise

    • Both—Applies to initial traffic flows that start inside or outside the enterprise

  • Default—Incoming

  • Example—Both

Source IPs

  • Source IP addresses (as contained in the IP packets) of traffic to which the firewall exception applies.

  • Value—[ not ]<networkAddress>/<networkMask>

    • not—All addresses except the listed addresses

    • <networkAddress>—IP address of the network

    • <networkMask>—Subnet mask

  • Guidelines—To specify traffic with a particular source IP address, enter an IP address. To specify all traffic except that with a particular source IP address, precede the IP address with the keyword not. To specify traffic with any source IP address, leave the field empty. To specify multiple source IP addresses, set the configuration level of the portal to Advanced (see Setting the Configuration Level for Enterprise Manager Portal), and enter multiple addresses on different lines.

  • Default—No value

  • Example—192.0.2.0/24

Destination IPs

  • Destination IP addresses (as contained in the IP packets) of traffic to which this firewall exception applies.

  • Value—[ not ]<networkAddress>/<networkMask>

    • not—All addresses except the listed addresses

    • <networkAddress>—IP address of the network

    • <networkMask>—Subnet mask

  • Guidelines—To specify traffic with a particular destination IP address, enter an IP address. To specify all traffic except that with a particular destination IP address, precede the IP address with the keyword not. To specify multiple destination IP addresses, set the configuration level of the portal to Advanced (see Setting the Configuration Level for Enterprise Manager Portal), and enter multiple addresses on different lines.

  • Default—No value

  • Example—192.0.2.0/24

Application

  • Application object to which the firewall applies.

  • Value—Application object you defined

  • Guidelines—Select an application object from the menu.

  • Default—Any

  • Example—ftp

Firewall Action

  • The way in which the firewall should handle the incoming or outgoing traffic.

  • Value

    • Allow—Let the traffic through the firewall

    • Reject—Send an ICMP reply that explains why the firewall blocked the traffic

    • Discard—Drop the traffic without sending any reply

  • Default—Allow

  • Example—Discard

Schedule

  • Configured schedule to use.

  • Value—Name of the schedule

  • Guidelines—This field appears if scheduling is enabled for the portal.

  • Default—No value

Enabled

  • Status of the firewall exception.

  • Value

    • Gray box—Firewall exception is inherited from a parent subscriber

    • White box—Firewall exception is configured for this subscriber

    • Box with check mark—Firewall exception is enabled

    • Empty box—Firewall exception is disabled

  • Guidelines—Click box to enable or disable a firewall exception.

  • Default—Firewall exception is disabled
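
As an added example (not the portal's own code), this Python models how the stateful fields above apply to the conversation described in the overview: the Direction field is checked only against the packet that opens a conversation, and packets in either direction of an accepted conversation then pass. It models only the Priority, Direction, Application and Firewall Action fields; the application objects, exceptions and packets are constructed, and the related FTP data connection is not modelled.

```python
# Added example, not the portal's code: a minimal model of how the stateful
# exception fields on this page are applied to a conversation.

# Constructed application objects: name -> (IP protocol, destination port).
APPLICATIONS = {"ftp": ("tcp", 21), "http": ("tcp", 80), "any": None}

class StatefulFirewall:
    def __init__(self, exceptions, default_action="Discard"):
        # Lower priority number wins, as the Priority field describes.
        self.exceptions = sorted(exceptions, key=lambda e: e["priority"])
        self.default = default_action
        self.conversations = set()   # keys of accepted conversations

    @staticmethod
    def conversation_key(pkt):
        """Same key for both directions of a conversation (ordered 5-tuple)."""
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a < b else b + a)

    def initial_flow_decision(self, pkt):
        """Match the packet that opens a conversation; Direction refers to
        where this initial flow starts, as the Direction field describes."""
        for e in self.exceptions:
            app = APPLICATIONS[e.get("application", "any")]
            if app is not None and (pkt["proto"], pkt["dport"]) != app:
                continue
            if e["direction"] not in ("Both", pkt["direction"]):
                continue
            return e["name"], e["action"]
        return None, self.default

    def handle(self, pkt):
        """Return (rule name or 'established', action) for one packet."""
        key = self.conversation_key(pkt)
        if key in self.conversations:
            return "established", "Allow"   # either direction of an accepted flow
        name, action = self.initial_flow_decision(pkt)
        if action == "Allow":
            self.conversations.add(key)
        return name, action

# Constructed exceptions: FTP may be opened from inside, never from outside.
EXCEPTIONS = [
    {"name": "ftpOut", "priority": 5, "direction": "Outgoing",
     "application": "ftp", "action": "Allow"},
    {"name": "ftpIn", "priority": 10, "direction": "Incoming",
     "application": "ftp", "action": "Discard"},
]

def tcp_packet(src, sport, dst, dport, direction):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "direction": direction}

def demo():
    """Constructed packet sequence; returns the list of decisions made."""
    fw = StatefulFirewall(EXCEPTIONS)
    inside, outside = "192.0.2.10", "198.51.100.7"
    packets = [
        # Control connection opened from inside: matches ftpOut.
        tcp_packet(inside, 40000, outside, 21, "Outgoing"),
        # Server's reply on the same conversation: passes as established.
        tcp_packet(outside, 21, inside, 40000, "Incoming"),
        # New FTP connection from outside: matches ftpIn and is discarded.
        tcp_packet(outside, 5555, inside, 21, "Incoming"),
        # HTTP from inside: no exception applies, so the default action.
        tcp_packet(inside, 40001, outside, 80, "Outgoing"),
    ]
    return [fw.handle(p) for p in packets]
```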

Adding a Schedule to a Firewall Exception

A schedule must be configured before you can apply one to a firewall exception.

To add a schedule to a firewall exception:

  1. Access the subscriber’s Firewall page.

  2. In the Firewall page, select a schedule from the Schedule menu for the exception. See the following field description for details.

Schedule Field for a Firewall Exception

Schedule

  • Configured schedule to use.

  • Value—Name of the schedule

  • Guidelines—This field appears if scheduling is enabled for the portal.

  • Default—No value

Modifying Firewall Exceptions

To modify a firewall exception:

  1. Start at the Firewall page for the subscriber.

  2. Change the values in the fields for this firewall exception.

  3. For stateless firewalls, to change the values for affected traffic, click Edit under Affected Traffic, make changes in the Edit Exception dialog box, and click Apply.

    or

    For stateful firewalls, click Apply for the application protocol.

Deleting Firewall Exceptions

To delete a firewall exception:

  1. Start at the Firewall page for the subscriber.

  2. Click Delete for the firewall exception.

Deleting Basic Firewalls

To delete a basic firewall:

  1. Disable all firewall exceptions and NAT rules configured for this subscriber.

    For information about disabling these values, see the field descriptions in Creating Firewall Exceptions for Stateful Firewalls and Applying NAT Rules to Traffic.

  2. Disable all firewall exceptions and NAT rules that this subscriber inherits from parent subscribers.

  3. Disable all firewall exceptions and NAT rules defined for this subscriber’s subordinate subscribers.

  4. Access the Firewall page for the subscriber for which you configured the firewall.

  5. Select No Firewall from the Firewall Service menu.

  6. Click Apply.

Monitoring the Use of Subscriptions to Firewall Services

Purpose

Monitor the use of firewall subscriptions.

Action

  1. Access the subscriber’s Firewall page.

  2. In the Firewall page, click the Usage Data link in the last column.

    or

    Click the Usage Data link under Firewall Service.

    The Service Usage Data page appears.