[
Contents]
[
Prev]
[
Next]
[
Index]
[
Report an Error]
Verifying Stateful Firewall Filter Configuration
To verify a stateful firewall filter configuration, perform
these tasks:
Displaying Stateful Firewall Filter Configurations
Purpose
Verify the configuration of the stateful firewall filter. You
can analyze the flow of the firewall filter terms by displaying the
entire configuration.
Action
From the J-Web interface, select Configuration>View and Edit>View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show services or show firewall command for
stateful firewall filters.
The sample output in this section displays the stateful firewall
filter and NAT configured in Configuring a Stateful Firewall Filter with a Configuration
Editor.
- [edit]
- user@host# show services
- stateful-firewall {
-
- rule to-wan-rule {
- match-direction output;
-
- term app-term {
-
- from {
- application-sets junos-algs-outbound;
- }
-
- then {
- accept;
- }
- }
-
- term accept-all-term {
-
- then {
- accept;
- }
- }
- }
-
- rule from-wan-rule {
- match-direction input;
-
- term wan-src-addr-term {
-
- from {
-
- source-address {
- 192.168.33.0/24;
- }
- }
-
- then {
- accept;
- }
- }
-
- term discard-all-term {
-
- then {
- discard;
- }
- }
- }
- }
- nat {
-
- pool public-pool {
- address-range low 10.148.2.1 high 10.148.2.32;
- port automatic;
- }
-
- rule nat-to-wan-rule {
- match-direction output;
-
- term private-public-term {
-
- then {
-
- translated {
- source-pool public-pool;
- translation-type source dynamic;
- }
- }
- }
- }
- }
- service-set wan-service-set {
- stateful-firewall-rules to-wan-rule;
- stateful-firewall-rules from-wan-rule;
- nat-rules nat-to-wan-rule;
-
- interface-service {
- service-interface sp-0/0/0;
- }
- }
What it Means
Verify that the output shows the intended configuration of the
stateful firewall filter.
Verify that the terms are listed in the order in which you want
the packets to be tested. You can move terms within a firewall filter
by using the insert CLI command.
See Also
For more information about the format of a configuration file,
see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
For information about the insert command, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Verifying a Stateful
Firewall Filter
Purpose
Verify the firewall filter configured in Configuring a Stateful Firewall Filter with a Configuration
Editor.
Action
To verify that the actions of the firewall filter terms are
taken, send packets to and from the untrusted network that match the
terms. In addition, verify that actions are not taken for packets that do not match.
- Send packets—associated with the junos-algs-outbound application set—from a host in the trusted network to a host
in the untrusted network. Verify that packets received from the host
in the untrusted network are responses only to the session originated
by the host in the trusted network. To ensure that packets from the
host are not accepted because of rule from-wan-rule, do not
send packets to the host in the untrusted network with an IP address
that matches 192.168.33.0/24.
For example, send a ping request from host trusted-nw-trusted-host to host untrusted-nw-untrusted-host, and verify that a
ping response is returned. Ping requests and responses use ICMP, which
belongs to the junos-algs-outbound application set.
 |
Note: To view the configuration of junos-algs-outbound, enter
the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command.
|
- Send packets from a host in the untrusted network to a
host in the trusted network. Verify that the host in the trusted network
receives packets only from the host in the untrusted network with
an IP address that matches 192.168.33.0/24.
For example, send a ping request from host untrusted-nw-trusted-host with an IP address that matches 192.168.33.0/24 to host trusted-nw-trusted-host, and verify that a ping response is
returned.
Verify that the ping response displays an IP address from the
configured NAT pool.
user@trusted-nw-trusted-host> ping untrusted-nw-untrusted-host
PING untrusted-nw-untrusted-host.acme.net (172.69.13.5): 56 data bytes
64 bytes from 192.169.13.5: icmp_seq=0 ttl=22 time=8.238 ms
64 bytes from 192.169.13.5: icmp_seq=1 ttl=22 time=9.116 ms
64 bytes from 192.169.13.5: icmp_seq=2 ttl=22 time=10.875 ms
...
user@untrusted-nw-trusted-host> ping
trusted-nw-trusted-host
PING trusted-nw-trusted-host-ge-000.acme.net (112.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
...
What it Means
Verify the following information:
- A ping request from Host trusted-nw-trusted-host returns a ping response from Host untrusted-nw-untrusted-host.
- A ping request from Host untrusted-nw-trusted-host returns a ping response from Host trusted-nw-trusted-host. Verify that the ping response displays an IP address from the configured
NAT pool of 10.148.2.1 through 10.148.2.32.
See Also
For information about using the J-Web interface
to ping a host, see the J-series Services Router Administration Guide.
For more information about the ping command, see the J-series Services Router Administration Guide or
the JUNOS System Basics and Services Command Reference.
[
Contents]
[
Prev]
[
Next]
[
Index]
[
Report an Error]