[Contents] [Prev] [Next] [Index] [Report an Error]

Verifying Stateful Firewall Filter Configuration

To verify a stateful firewall filter configuration, perform these tasks:

Displaying Stateful Firewall Filter Configurations

Purpose

Verify the configuration of the stateful firewall filter. You can analyze the flow of the firewall filter terms by displaying the entire configuration.

Action

From the J-Web interface, select Configuration>View and Edit>View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show services or show firewall command for stateful firewall filters.

The sample output in this section displays the stateful firewall filter and NAT configured in Configuring a Stateful Firewall Filter with a Configuration Editor.

Sample Output




[edit]

user@host# show services



stateful-firewall {




rule to-wan-rule {

match-direction output;




term app-term {




from {

application-sets junos-algs-outbound;

}







then {

accept;

}




}







term accept-all-term {




then {

accept;

}




}




}







rule from-wan-rule {

match-direction input;




term wan-src-addr-term {




from {




source-address {

192.168.33.0/24;

}




}







then {

accept;

}




}







term discard-all-term {




then {

discard;

}




}




}




}



nat {




pool public-pool {

address-range low 10.148.2.1 high 10.148.2.32;

port automatic;

}







rule nat-to-wan-rule {

match-direction output;




term private-public-term {




then {




translated {

source-pool public-pool;

translation-type source dynamic;

}




}




}




}




}



service-set wan-service-set {

stateful-firewall-rules to-wan-rule;

stateful-firewall-rules from-wan-rule;

nat-rules nat-to-wan-rule;




interface-service {

service-interface sp-0/0/0;

}




}

What it Means

Verify that the output shows the intended configuration of the stateful firewall filter. For more information about the format of a configuration file, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command. For more information, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.

Verifying a Stateful Firewall Filter

Purpose

Verify the firewall filter configured in Configuring a Stateful Firewall Filter with a Configuration Editor.

Action

To verify that the actions of the firewall filter terms are taken, send packets to and from the untrusted network that match the terms. In addition, verify that actions are not taken for packets that do not match.

Send packets—associated with the junos-algs-outbound application set—from a host in the trusted network to a host in the untrusted network. Verify that packets received from the host in the untrusted network are responses only to the session originated by the host in the trusted network. To ensure that packets from the host are not accepted because of rule from-wan-rule, do not send packets to the host in the untrusted network with an IP address that matches 192.168.33.0/24.
For example, send a ping request from host trusted-nw-trusted-host to host untrusted-nw-untrusted-host, and verify that a ping response is returned. Ping requests and responses use ICMP, which belongs to the junos-algs-outbound application set.

To view the configuration of junos-algs-outbound, enter the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command.
Send packets from a host in the untrusted network to a host in the trusted network. Verify that the host in the trusted network receives packets only from the host in the untrusted network with an IP address that matches 192.168.33.0/24.
For example, send a ping request from host untrusted-nw-trusted-host with an IP address that matches 192.168.33.0/24 to host trusted-nw-trusted-host, and verify that a ping response is returned.

Verify that the ping response displays an IP address from the configured NAT pool.

Sample Output

user@trusted-nw-trusted-host> ping untrusted-nw-untrusted-host

PING untrusted-nw-untrusted-host.acme.net (172.69.13.5): 56 data bytes
64 bytes from 192.169.13.5: icmp_seq=0 ttl=22 time=8.238 ms
64 bytes from 192.169.13.5: icmp_seq=1 ttl=22 time=9.116 ms
64 bytes from 192.169.13.5: icmp_seq=2 ttl=22 time=10.875 ms
...

user@untrusted-nw-trusted-host> ping trusted-nw-trusted-host

PING trusted-nw-trusted-host-fe-000.acme.net (112.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
...

What it Means

Verify the following information:

A ping request from Host trusted-nw-trusted-host returns a ping response from Host untrusted-nw-untrusted-host.
A ping request from Host untrusted-nw-trusted-host returns a ping response from Host trusted-nw-trusted-host. Verify that the ping response displays an IP address from the configured NAT pool of 10.148.2.1 through 10.148.2.32.

For information about using the J-Web interface to ping a host, see the J-series Services Router Administration Guide.

For more information about the ping command, see the J-series Services Router Administration Guide or the JUNOS System Basics and Services Command Reference.

[Contents] [Prev] [Next] [Index] [Report an Error]