Reviewing Services for Exceptions to Stateless Firewalls
Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.
Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:
- Allow
- Reject
- Discard
These actions are required for each traffic direction; that is, traffic:
- Entering the network
- Exiting the network
- Entering and exiting the network
Table 1 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:
- Action—allow (forward)
- Direction—Outgoing (from the enterprise)
Services configured to reject traffic return a “network-unreachable” ICMP message.
Table 1: Stateless Firewall Services in Sample Data
| | Traffic Entering the Enterprise | Traffic Exiting from the Enterprise | Traffic Entering and Exiting the Enterprise |
|---|---|---|---|
| Traffic Allowed | FWR_Fwd_In | FWR_Fwd_Out | FWR_Fwd_Both |
| Traffic to Be Discarded | FWR_Filter_In | FWR_Filter_Out | FWR_Filter_Both |
| Traffic Rejected | FWR_Rej_In | FWR_Rej_Out | FWR_Rej_Both |
The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the associated policies configured in the sample data are designed for a subscriber-facing interface on a provider edge device.
In most cases you can use the services as configured. If needed, for example for a service provider-facing interface on a customer edge device, you can customize the services listed in Table 1, but do not change the names.
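Because the portal looks these services up by name, a quick sanity check before deploying customized sample data is to confirm that all nine required names are present and that none has been renamed. The script below is an added example, not part of the Juniper documentation or the SRC software: it encodes the naming convention from Table 1 (FWR_<Action>_<Direction>), decodes a name into its action and direction, and reports missing or non-conforming names. The list of configured names is constructed for illustration; in practice you would fill it from an export of the entries under l=entJunosStatelessFW, o=Scopes, o=umc.

```python
"""Coverage check for the stateless-firewall services in SRC sample data.

Added example, not Juniper documentation or product code. The nine
required names come from Table 1; SAMPLE is a constructed list that
shows one missing and one renamed service.
"""
import re
from itertools import product

# Action and direction tokens as used in the service names on the page.
ACTIONS = {
    "Fwd": "allow (forward)",
    "Filter": "discard",
    "Rej": "reject (returns ICMP network-unreachable)",
}
DIRECTIONS = {
    "In": "entering the enterprise",
    "Out": "exiting the enterprise",
    "Both": "entering and exiting the enterprise",
}

# All nine names the portal requires: FWR_<Action>_<Direction>
REQUIRED = {f"FWR_{a}_{d}" for a, d in product(ACTIONS, DIRECTIONS)}

NAME_RE = re.compile(r"^FWR_(Fwd|Filter|Rej)_(In|Out|Both)$")


def describe(name):
    """Return (action, direction) for a well-formed service name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return ACTIONS[m.group(1)], DIRECTIONS[m.group(2)]


def check_services(configured):
    """Compare configured service names against the required set.

    Returns the required names that are absent and any FWR_* names that
    do not follow the convention (a likely sign that a service was
    renamed, which the portal does not tolerate).
    """
    configured = set(configured)
    missing = sorted(REQUIRED - configured)
    malformed = sorted(
        n for n in configured if n.startswith("FWR_") and not NAME_RE.match(n)
    )
    return {"missing": missing, "malformed": malformed,
            "ok": not missing and not malformed}


# Constructed sample: FWR_Rej_Both is absent and FWR_Filter_Out has been
# renamed to FWR_Drop_Out (hypothetical name, used only to trigger a finding).
SAMPLE = [
    "FWR_Fwd_In", "FWR_Fwd_Out", "FWR_Fwd_Both",
    "FWR_Filter_In", "FWR_Filter_Both",
    "FWR_Rej_In", "FWR_Rej_Out",
    "FWR_Drop_Out",
]

if __name__ == "__main__":
    for name in sorted(SAMPLE):
        print(f"{name:16} -> {describe(name)}")
    print(check_services(SAMPLE))
```

Run against a clean export the check returns `ok: True`; against the constructed sample it lists `FWR_Filter_Out` and `FWR_Rej_Both` as missing and flags `FWR_Drop_Out` as not matching the convention, which is exactly the situation the "do not change the names" rule guards against.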
To customize services for an enterprise-facing interface, change the configuration for:
- Source IP addresses and ports
- Destination IP addresses and ports
You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.