
Configuring an IPSec Stateful Firewall Filter

Configure stateful firewall filter rules to ensure that only desired traffic is permitted. This firewall is applied to all inbound traffic from the WAN. For this IPSec tunnel, desired traffic must be from the remote tunnel endpoint, destined for the local tunnel endpoint, and using either IPSec or IKE as an application protocol.

For more information about firewall filters, see Configuring Firewall Filters and NAT.

To configure an IPSec stateful firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 78.
  3. If you are finished configuring the network, commit the configuration.
  4. Go on to Configuring a NAT Pool.

Table 78: Configuring an IPSec Stateful Firewall Filter

Task: Create the stateful firewall rule and apply it to inbound traffic.

  J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Stateful firewall.
  2. In the Rule field, click Add new entry.
  3. In the Rule name box, type the name of the rule. It can be any unique string.
  4. In the Match direction field, select Input from the drop-down menu.

  CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall

  2. Create the firewall rule and apply it to input traffic:

    set rule rule-name match-direction input

Task: Create the firewall term to match only desired traffic.

  J-Web Configuration Editor:

  1. In the Term field, click Add new entry.
  2. In the Term name box, type the name of the term. It can be any unique string.
  3. Click From.
  4. In the Destination address field, click Add new entry.
  5. In the Address field, select Enter specific value from the drop-down menu.
  6. In the Address box, type the IP address of the local tunnel endpoint, in dotted decimal notation, and click OK.
  7. In the Source address field, click Add new entry.
  8. In the Address field, select Enter specific value from the drop-down menu.
  9. In the Address box, type the IP address of the remote tunnel endpoint, in dotted decimal notation, and click OK.
  10. In the Applications field, click Add new entry.
  11. In the Application name field, type junos-ipsec-esp, and click OK.
  12. In the Applications field, click Add new entry.
  13. In the Application name field, type junos-ike, and click OK.

  CLI Configuration Editor:

  1. Create the firewall term and match all packets with a destination address that matches the local tunnel endpoint:

    set term term-name from destination-address local-tunnel-end-point-address

  2. Match all packets with a source address that matches the remote tunnel endpoint:

    set term term-name from source-address remote-tunnel-end-point-address

  3. Match all packets using IPSec as an application protocol:

    set term term-name from applications junos-ipsec-esp

  4. Match all packets using IKE as an application protocol:

    set term term-name from applications junos-ike

Task: Configure the firewall term to accept only desired traffic.

  J-Web Configuration Editor:

  1. Click OK to return to the Term name page, and click Then.
  2. In the Designation field, select Accept from the drop-down menu, and select the Yes box.
  3. Click OK.

  CLI Configuration Editor:

  1. Set the match action to accept:

    set term term-name then accept

Task: Create the firewall term to reject all other traffic.

  J-Web Configuration Editor:

  1. From the top of the configuration hierarchy, click Services>Stateful firewall>Rule>rule-name.
  2. In the Term field, click Add new entry.
  3. In the Term name field, type the name of the term. The name can be any unique string.
  4. Click Then.
  5. In the Designation field, select Discard from the drop-down menu.

  CLI Configuration Editor:

  1. From the top of the configuration hierarchy, enter

    edit services stateful-firewall rule rule-name

  2. Configure a term to discard all traffic:

    set term term-name then discard
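The whole of Table 78 carried through as a single CLI session, as an added example that is not part of the original page. The rule name (ipsec-in), term names (allow-tunnel, deny-rest) and the two endpoint addresses (192.0.2.1 local, 203.0.113.5 remote, both constructed documentation addresses) are assumptions; substitute your own.

```junos
# Added example: Table 78 as one set of CLI commands (placeholder values are constructed).
#   local tunnel endpoint  -> 192.0.2.1     (assumed)
#   remote tunnel endpoint -> 203.0.113.5   (assumed)
#   rule ipsec-in, terms allow-tunnel and deny-rest (assumed names)
edit services stateful-firewall
set rule ipsec-in match-direction input
edit rule ipsec-in
# Term 1: only traffic from the remote endpoint, to the local endpoint,
# carrying ESP or IKE, is accepted. Two applications in one term match either.
set term allow-tunnel from destination-address 192.0.2.1
set term allow-tunnel from source-address 203.0.113.5
set term allow-tunnel from applications junos-ipsec-esp
set term allow-tunnel from applications junos-ike
set term allow-tunnel then accept
# Term 2: everything else arriving on the input direction is discarded.
# Terms are evaluated in order, so the accept term must precede this one.
set term deny-rest then discard
top
commit

# The same rule as it appears in the hierarchy view (show services stateful-firewall):
services {
    stateful-firewall {
        rule ipsec-in {
            match-direction input;
            term allow-tunnel {
                from {
                    source-address {
                        203.0.113.5;
                    }
                    destination-address {
                        192.0.2.1;
                    }
                    applications [ junos-ipsec-esp junos-ike ];
                }
                then {
                    accept;
                }
            }
            term deny-rest {
                then {
                    discard;
                }
            }
        }
    }
}
```

The rule only takes effect once it is referenced from a service set applied to the WAN interface, which is outside the scope of this table.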

