Process for Configuring a Stateful Firewall Filter and NAT

To configure a stateful firewall filter and NAT, perform the following tasks:

• Define the stateful firewall filter output and input rules. You must define an output rule that allows all traffic (application and nonapplication) to flow from the trusted network to the untrusted network.

  To define the match condition in the term that allows application traffic to flow from the trusted network to the untrusted network, we recommend you specify the JUNOS default group junos-algs-outbound as the application set. To view the configuration of this group, enter the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command. For more information about JUNOS default groups, see the JUNOS System Basics Configuration Guide.

  You also must define an input rule to discard all traffic from the untrusted network that is not a response to a session originated by the trusted network.

• Define the NAT address and port pool.
• Define the NAT output and input rules.
• Define a service set that includes all stateful firewall filter and NAT rules and the service interface. You must specify the service interface as sp-0/0/0. This service interface is a virtual interface that must be included at the [edit interfaces] hierarchy level to support stateful firewall filter and NAT services.
• Apply the service set to the interfaces that make up the untrusted network.

Do not apply the service set to the sp-0/0/0 interface.

For more information about match conditions and actions, see Summary of Stateful Firewall Filter and NAT Match Conditions and Actions.