
Stateful Firewall Filter Overview

In a stateful firewall filter, all packets flowing from a trusted network to an untrusted network are allowed. Packets flowing from an untrusted network to a trusted network are allowed only if they are responses to a session originated by the trusted network, or if they are explicitly accepted by a term in the stateful firewall filter rule.

When Network Address Translation (NAT) is enabled, the source address of a packet flowing from a trusted network to an untrusted network is replaced with an address chosen from a specified range, or pool, of addresses. In addition, you can configure the Services Router to dynamically translate the source port of the packet—a process called Network Address Port Translation (NAPT). For more information about NAT, see Network Address Translation.

All stateful firewall filters contain one or more terms, and each term consists of two components—match conditions and actions. The match conditions define the values or fields that the packet must contain to be considered a match. If a packet is a match, the corresponding action is taken. By default, a packet that does not match a firewall filter is discarded.
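The following is an added, constructed Python model of the behaviour described in the three paragraphs above; it is not JUNOS code and not taken from the Services Router documentation. It treats addresses beginning with the hypothetical prefix `10.0.0.` as the trusted network, uses the documentation-range addresses `203.0.113.10` and `203.0.113.11` as an assumed NAT pool, and defines one assumed term, `allow-inbound-https`, to show how an explicit accept differs from the session check. It exercises all four outcomes: trusted-to-untrusted traffic allowed and translated (NAT with NAPT), an untrusted-side reply matched against the session table and un-translated, an unsolicited packet accepted by a term, and the default discard when no term matches.

```python
from dataclasses import dataclass
from itertools import count
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Term:
    """One filter term: a match condition plus the action taken when it matches."""
    name: str
    match: Callable[[Packet], bool]
    action: str  # "accept" or "discard"


class StatefulFilter:
    """Toy stateful filter with optional NAPT applied to trusted -> untrusted flows."""

    def __init__(self, trusted_prefix: str, terms: List[Term],
                 nat_pool: Optional[List[str]] = None) -> None:
        self.trusted_prefix = trusted_prefix  # assumption: this prefix marks the trusted network
        self.terms = terms
        self.nat_pool = nat_pool or []
        # Session table keyed by the 5-tuple a reply from the untrusted side will
        # carry; the value is the (address, port) to restore on the trusted side.
        self.sessions: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}
        self._ports = count(1024)  # next translated source port (NAPT)
        self._pool = count(0)      # round-robin index into the NAT pool

    def is_trusted(self, addr: str) -> bool:
        return addr.startswith(self.trusted_prefix)

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (decision, packet as forwarded), or (decision, None) when dropped."""
        # Rule 1: everything from trusted to untrusted is allowed and opens a session.
        if self.is_trusted(pkt.src) and not self.is_trusted(pkt.dst):
            return "accept", self._open_session(pkt)
        # Rule 2: a packet answering a session the trusted side opened is allowed,
        # with any NAT/NAPT translation undone on the way back in.
        reply_key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if reply_key in self.sessions:
            orig_addr, orig_port = self.sessions[reply_key]
            return "accept", Packet(pkt.proto, pkt.src, pkt.sport, orig_addr, orig_port)
        # Rule 3: otherwise the first term whose match conditions hold decides.
        for term in self.terms:
            if term.match(pkt):
                return term.action, (pkt if term.action == "accept" else None)
        # Rule 4: no term matched, so the default action is to discard.
        return "discard", None

    def _open_session(self, pkt: Packet) -> Packet:
        src, sport = pkt.src, pkt.sport
        if self.nat_pool:  # NAT: choose a pool address; NAPT: also rewrite the source port
            src = self.nat_pool[next(self._pool) % len(self.nat_pool)]
            sport = next(self._ports)
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, src, sport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, src, sport, pkt.dst, pkt.dport)


def build_example_filter() -> StatefulFilter:
    """Constructed example: '10.0.0.' is the trusted prefix, two assumed public pool
    addresses, and one assumed term explicitly accepting unsolicited HTTPS to 203.0.113.10."""
    terms = [
        Term("allow-inbound-https",
             lambda p: p.proto == "tcp" and p.dst == "203.0.113.10" and p.dport == 443,
             "accept"),
    ]
    return StatefulFilter("10.0.0.", terms, nat_pool=["203.0.113.10", "203.0.113.11"])


if __name__ == "__main__":
    fw = build_example_filter()
    for pkt in (Packet("tcp", "10.0.0.7", 40000, "198.51.100.20", 443),      # outbound, opens session
                Packet("tcp", "198.51.100.20", 443, "203.0.113.10", 1024),   # reply, matches session
                Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 443),   # unsolicited, term accepts
                Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 22)):   # unsolicited, default discard
        print(pkt, "->", fw.process(pkt))
```

The session table is keyed on the tuple a reply will carry after translation, which is why the reply to a NAPT'd flow is matched on the pool address and translated port rather than on the trusted host's original address; an unsolicited packet to the same pool address is only accepted if a term says so, and everything else falls through to the default discard.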

A firewall filter with a large number of terms can adversely affect both the configuration commit time and the performance of the Routing Engine.

For more information about stateful firewall filters, see the JUNOS Services Interfaces Configuration Guide.

