Verifying Stateful Firewall Filter Configuration
To verify a stateful firewall filter configuration, perform these tasks:
Displaying Stateful Firewall Filter Configurations
Purpose
Verify the configuration of the stateful firewall filter. You can analyze
the flow of the firewall filter terms by displaying the entire configuration.
Action
From the J-Web interface, select Configuration>View and Edit>View Configuration Text.
Alternatively, from configuration mode in the CLI, enter the show services command.
Stateful firewall filters live under the [edit services stateful-firewall] hierarchy;
the show firewall command displays the stateless firewall filters configured at
[edit firewall], not the stateful filter shown here.
The sample output in this section displays the
stateful firewall filter and NAT configured in Configuring a Stateful Firewall Filter with a Configuration Editor.
[edit]
user@host# show services
stateful-firewall {
    rule to-wan-rule {
        match-direction output;
        term app-term {
            from {
                application-sets junos-algs-outbound;
            }
            then {
                accept;
            }
        }
        term accept-all-term {
            then {
                accept;
            }
        }
    }
    rule from-wan-rule {
        match-direction input;
        term wan-src-addr-term {
            from {
                source-address {
                    192.168.33.0/24;
                }
            }
            then {
                accept;
            }
        }
        term discard-all-term {
            then {
                discard;
            }
        }
    }
}
nat {
    pool public-pool {
        address-range low 10.148.2.1 high 10.148.2.32;
        port automatic;
    }
    rule nat-to-wan-rule {
        match-direction output;
        term private-public-term {
            then {
                translated {
                    source-pool public-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set wan-service-set {
    stateful-firewall-rules to-wan-rule;
    stateful-firewall-rules from-wan-rule;
    nat-rules nat-to-wan-rule;
    interface-service {
        service-interface sp-0/0/0;
    }
}
What it Means
Verify that the output shows the intended configuration of the stateful
firewall filter. For more information about the format of a configuration
file, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Terms within a rule are evaluated in the order listed, and the action of the first
matching term is applied, so verify that the terms appear in the order in which you
want the packets to be tested. You can move terms within a firewall filter by using
the insert CLI command. For more information, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
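The following Python script is an added example, not Junos code and not part of the original page. It models only what this section states about the configuration above: terms within to-wan-rule and from-wan-rule are evaluated top to bottom, the first match wins, and reply traffic for a session opened from the trusted side is accepted on the way back in. NAT is ignored, and the host addresses and the assumed membership of junos-algs-outbound are illustrative choices, not values from the page. It lets you reason about the accept and discard outcomes of the verification procedure before you touch the router.

```python
"""Simplified first-match model of the two stateful-firewall rules shown above.

Added example, not Junos code. Terms are evaluated top to bottom within a rule
and the first matching term's action is applied; reply traffic for a session
opened from the trusted side is accepted on the way back in. NAT is ignored.
Host addresses and the membership of junos-algs-outbound are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "icmp", "tcp", ...
    direction: str   # "output": trusted -> untrusted; "input": untrusted -> trusted


# (term name, match predicate, action). A predicate of None matches every
# packet, like a term with no 'from' clause.
Term = Tuple[str, Optional[Callable[[Packet], bool]], str]

# Assumed subset of junos-algs-outbound; the page only states that ICMP is in it.
ALGS_OUTBOUND = {"icmp", "ftp", "dns"}
WAN_TRUSTED_NET = ipaddress.ip_network("192.168.33.0/24")

RULES: Dict[str, List[Term]] = {
    # rule to-wan-rule, match-direction output
    "output": [
        ("app-term", lambda p: p.proto in ALGS_OUTBOUND, "accept"),
        ("accept-all-term", None, "accept"),
    ],
    # rule from-wan-rule, match-direction input
    "input": [
        ("wan-src-addr-term",
         lambda p: ipaddress.ip_address(p.src) in WAN_TRUSTED_NET, "accept"),
        ("discard-all-term", None, "discard"),
    ],
}


class StatefulFilter:
    def __init__(self) -> None:
        # Sessions opened from the trusted side: (trusted host, untrusted host, proto)
        self.sessions = set()

    def process(self, p: Packet) -> Tuple[str, str]:
        """Return (matching term or 'session', action) for one packet."""
        if p.direction == "input" and (p.dst, p.src, p.proto) in self.sessions:
            return ("session", "accept")          # reply to a session we opened
        for name, match, action in RULES[p.direction]:
            if match is None or match(p):         # first match wins
                if p.direction == "output" and action == "accept":
                    self.sessions.add((p.src, p.dst, p.proto))
                return (name, action)
        return ("implicit", "discard")            # unreachable: both rules end in a catch-all


def verification_cases() -> Dict[str, Tuple[str, str]]:
    """The checks from 'Verifying a Stateful Firewall Filter', run against the model."""
    fw = StatefulFilter()
    trusted, untrusted, wan_trusted = "10.0.0.5", "172.16.9.9", "192.168.33.7"  # constructed
    return {
        # ping out from the trusted host; its echo reply is accepted statefully
        "ping_out": fw.process(Packet(trusted, untrusted, "icmp", "output")),
        "ping_reply": fw.process(Packet(untrusted, trusted, "icmp", "input")),
        # unsolicited traffic from the same untrusted host: no session, so it
        # falls through wan-src-addr-term to discard-all-term
        "unsolicited": fw.process(Packet(untrusted, trusted, "tcp", "input")),
        # an untrusted-side host inside 192.168.33.0/24 is accepted by
        # from-wan-rule whether or not a session exists
        "wan_trusted_in": fw.process(Packet(wan_trusted, trusted, "icmp", "input")),
    }


if __name__ == "__main__":
    for case, (term, action) in verification_cases().items():
        print(f"{case:15} -> {action:7} ({term})")
```

The "wan_trusted_in" case is why the procedure below tells you not to test with an untrusted-side host whose address falls in 192.168.33.0/24: such a host is accepted by wan-src-addr-term, so it cannot show you whether the stateful session check is doing its job.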
Verifying a Stateful Firewall Filter
Purpose
Verify the firewall filter configured in Configuring a Stateful Firewall Filter with a Configuration Editor.
Action
To verify that the actions of the firewall filter terms are taken, send packets
to and from the untrusted network that match the terms. In addition, verify
that actions are not taken for packets that do not match.
- Send packets—associated with the junos-algs-outbound application
set—from a host in the trusted network to a host in the untrusted network.
Verify that packets received from the host in the untrusted network are responses
only to the session originated by the host in the trusted network. To ensure
that packets from the host are not accepted because of rule from-wan-rule,
do not send packets to the host in the untrusted network with an IP address
that matches 192.168.33.0/24.
For example, send a ping request from host trusted-nw-trusted-host to
host untrusted-nw-untrusted-host, and verify that a ping response
is returned. Ping requests and responses use ICMP, which belongs to the junos-algs-outbound application
set.
Note: To view the configuration of junos-algs-outbound, enter the show
groups junos-defaults applications application-set junos-algs-outbound configuration
mode command.
- Send packets from a host in the untrusted network to a host in
the trusted network. Verify that the host in the trusted network receives
packets only from the host in the untrusted network with an IP address that
matches 192.168.33.0/24.
For example, send a ping request from host untrusted-nw-trusted-host with
an IP address that matches 192.168.33.0/24 to host trusted-nw-trusted-host,
and verify that a ping response is returned.
Verify that the ping response displays an IP address from the configured
NAT pool.
user@trusted-nw-trusted-host> ping untrusted-nw-untrusted-host
PING untrusted-nw-untrusted-host.acme.net (172.69.13.5): 56 data bytes
64 bytes from 192.169.13.5: icmp_seq=0 ttl=22 time=8.238 ms
64 bytes from 192.169.13.5: icmp_seq=1 ttl=22 time=9.116 ms
64 bytes from 192.169.13.5: icmp_seq=2 ttl=22 time=10.875 ms
...

user@untrusted-nw-trusted-host> ping trusted-nw-trusted-host
PING trusted-nw-trusted-host-ge-000.acme.net (10.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
...
What it Means
Verify the following information:
- A ping request from Host trusted-nw-trusted-host returns
a ping response from Host untrusted-nw-untrusted-host.
- A ping request from Host untrusted-nw-trusted-host returns
a ping response from Host trusted-nw-trusted-host. Verify that the
ping response displays an IP address from the configured NAT pool of 10.148.2.1 through 10.148.2.32.
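The following Python script is an added example, not Junos code and not part of the original page. It automates the second check above: given the text a ping command prints, it confirms that every reply comes from the address the hostname resolved to and that this address lies in public-pool (10.148.2.1 through 10.148.2.32). The transcripts embedded in it are constructed to have the shape of the page's output, not copied from a router; the BAD_PING case shows what you would see if the reply came from the untranslated inside address.

```python
"""Check a ping transcript against the NAT pool configured on this page.

Added example, not Junos code. Parses ping output and verifies that every
reply comes from the resolved address and that the address lies in
public-pool (10.148.2.1 through 10.148.2.32). Transcripts are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

NAT_POOL_LOW = ipaddress.ip_address("10.148.2.1")
NAT_POOL_HIGH = ipaddress.ip_address("10.148.2.32")

HEADER_RE = re.compile(r"^PING \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
REPLY_RE = re.compile(r"^\d+ bytes from (\d{1,3}(?:\.\d{1,3}){3}):")

# Constructed: the expected result for the ping from untrusted-nw-trusted-host
GOOD_PING = """\
PING trusted-nw-trusted-host-ge-000.acme.net (10.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
"""

# Constructed: replies carry an untranslated inside address, i.e. NAT was not applied
BAD_PING = """\
PING trusted-nw-trusted-host-ge-000.acme.net (10.148.2.3): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=253 time=10.906 ms
"""


def in_nat_pool(addr: ipaddress.IPv4Address) -> bool:
    """True if addr lies within the address-range of public-pool."""
    return NAT_POOL_LOW <= addr <= NAT_POOL_HIGH


def check_ping(transcript: str) -> Dict[str, object]:
    """Extract the resolved address and reply sources, then apply both checks."""
    resolved: Optional[ipaddress.IPv4Address] = None
    replies: List[ipaddress.IPv4Address] = []
    for line in transcript.splitlines():
        if m := HEADER_RE.match(line):
            resolved = ipaddress.ip_address(m.group(1))
        elif m := REPLY_RE.match(line):
            replies.append(ipaddress.ip_address(m.group(1)))
    return {
        "resolved": str(resolved) if resolved else None,
        "replies": len(replies),
        # every reply must come from the resolved address; a mismatch means the
        # transcript is inconsistent or a different host answered
        "replies_match_header": bool(replies) and all(a == resolved for a in replies),
        "in_nat_pool": bool(replies) and all(in_nat_pool(a) for a in replies),
    }


if __name__ == "__main__":
    for name, text in (("GOOD_PING", GOOD_PING), ("BAD_PING", BAD_PING)):
        print(name, check_ping(text))
```

Both checks must pass: replies_match_header catches a transcript in which the reply source differs from the resolved address, and in_nat_pool catches the case where the router forwarded the reply without translating its source, which would expose the trusted host's real address to the untrusted network.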
For information about using the J-Web interface to ping
a host, see the J-series Services Router Administration Guide.
For more information about the ping command, see the J-series Services Router Administration Guide or
the JUNOS System Basics and Services Command Reference.