
    Reviewing Services for Exceptions to Stateless Firewalls

    Review the services that Enterprise Manager Portal requires to ensure that configuration of these services works in your environment. These services are firewall exceptions—services that define the types of traffic that a firewall admits or blocks.

    Enterprise Manager Portal requires that specific services be configured to cover each of the following traffic actions:

    • Allow
    • Reject
    • Discard

    These actions are required for each traffic direction; that is, traffic:

    • Entering the network
    • Exiting the network
    • Entering and exiting the network

    Table 1 lists the names of services required by Enterprise Manager Portal. The naming convention for the services specifies both action and direction; for example, for the FWR_Fwd_Out service:

    • Action—allow (forward)
    • Direction—Outgoing (from the enterprise)

    Services configured to reject traffic return a “network-unreachable” ICMP message.

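    Table 1: Stateless Firewall Services in Sample Data

    |                         | Traffic Entering the Enterprise | Traffic Exiting from the Enterprise | Traffic Entering and Exiting the Enterprise |
    |-------------------------|---------------------------------|-------------------------------------|---------------------------------------------|
    | Traffic Allowed         | FWR_Fwd_In                      | FWR_Fwd_Out                         | FWR_Fwd_Both                                |
    | Traffic to Be Discarded | FWR_Filter_In                   | FWR_Filter_Out                      | FWR_Filter_Both                             |
    | Traffic Rejected        | FWR_Rej_In                      | FWR_Rej_Out                         | FWR_Rej_Both                                |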

    The services are located under l=entJunosStatelessFW, o=Scopes, o=umc in the sample data. These services and the associated policies configured in the sample data are designed for a subscriber–facing interface on a provider edge device.

    In most cases you can use the services as configured. If needed—for example, for a service provider–facing interface in a customer edge device—you can customize the services listed in Table 1, but do not change the names.

    To customize services for an enterprise-facing interface, change the configuration for:

    • Source IP addresses and ports
    • Destination IP addresses and ports

    You can also create services that provide custom exceptions to a firewall. Portal users can select custom exceptions under Firewall actions on the Firewall page in Enterprise Manager Portal.
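
    After customizing, a quick check confirms that all nine required names from Table 1 still exist and that none was renamed. The following is an added example, not part of the original guide or the product: the function names, the sample list, and the assumption that names are matched exactly (case-sensitive) from a plain list of service names are all hypothetical.

```python
from itertools import product

# Name tokens from Table 1: FWR_<action>_<direction>.
ACTIONS = {"Fwd": "allow", "Filter": "discard", "Rej": "reject"}
DIRECTIONS = {"In": "entering", "Out": "exiting", "Both": "entering and exiting"}
REQUIRED = {f"FWR_{a}_{d}" for a, d in product(ACTIONS, DIRECTIONS)}


def decode(name):
    """Return (action, direction) for a required service name, else None."""
    parts = name.split("_")
    if len(parts) == 3 and parts[0] == "FWR":
        if parts[1] in ACTIONS and parts[2] in DIRECTIONS:
            return ACTIONS[parts[1]], DIRECTIONS[parts[2]]
    return None


def _norm(name):
    """Fold case and separators so 'fwr-rej-in' compares equal to FWR_Rej_In."""
    return name.lower().replace("-", "").replace("_", "")


def audit(configured):
    """Compare configured service names with the nine required ones.

    missing: required names that are absent (exact match, assumed case-sensitive)
    suspect: configured name -> missing required name it resembles (likely rename)
    custom:  every other name, treated as a custom exception
    """
    names = {n.strip() for n in configured if n.strip()}
    missing = REQUIRED - names
    by_norm = {_norm(r): r for r in missing}
    suspect, custom = {}, []
    for n in sorted(names - REQUIRED):
        if _norm(n) in by_norm:
            suspect[n] = by_norm[_norm(n)]
        else:
            custom.append(n)
    return {"missing": sorted(missing), "suspect": suspect, "custom": custom}


# Constructed sample: FWR_Rej_In renamed, FWR_Rej_Out dropped, one custom service.
SAMPLE = ["FWR_Fwd_In", "FWR_Fwd_Out", "FWR_Fwd_Both", "FWR_Filter_In",
          "FWR_Filter_Out", "FWR_Filter_Both", "fwr_rej_in", "FWR_Rej_Both",
          "Allow_Partner_VPN"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

    A non-empty `missing` or `suspect` result means a required action and direction pair has no service under its expected name; names reported as `custom` are left alone because custom exceptions are permitted.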

    Published: 2014-06-19