[
Contents]
[
Prev]
[
Next]
[
Index]
[
Report an Error]
Verifying a Stateful
Firewall Filter
Purpose
Verify the firewall filter configured in Configuring a Stateful Firewall Filter with a Configuration
Editor.
Action
To verify that the actions of the firewall filter terms are
taken, send packets to and from the untrusted network that match the
terms. In addition, verify that actions are not taken for packets that do not match.
- Send packets—associated with the junos-algs-outbound application set—from a host in the trusted network to a host
in the untrusted network. Verify that packets received from the host
in the untrusted network are responses only to the session originated
by the host in the trusted network. To ensure that packets from the
host are not accepted because of rule from-wan-rule, do not
send packets to the host in the untrusted network with an IP address
that matches 192.168.33.0/24.
For example, send a ping request from host trusted-nw-trusted-host to host untrusted-nw-untrusted-host, and verify that a
ping response is returned. Ping requests and responses use ICMP, which
belongs to the junos-algs-outbound application set.
 |
Note:
To view the configuration of junos-algs-outbound, enter
the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command.
|
- Send packets from a host in the untrusted network to a
host in the trusted network. Verify that the host in the trusted network
receives packets only from the host in the untrusted network with
an IP address that matches 192.168.33.0/24.
For example, send a ping request from host untrusted-nw-trusted-host with an IP address that matches 192.168.33.0/24 to host trusted-nw-trusted-host, and verify that a ping response is
returned.
Verify that the ping response displays an IP address from the
configured NAT pool.
user@trusted-nw-trusted-host> ping untrusted-nw-untrusted-host
PING untrusted-nw-untrusted-host.acme.net (172.69.13.5): 56 data bytes
64 bytes from 192.169.13.5: icmp_seq=0 ttl=22 time=8.238 ms
64 bytes from 192.169.13.5: icmp_seq=1 ttl=22 time=9.116 ms
64 bytes from 192.169.13.5: icmp_seq=2 ttl=22 time=10.875 ms
...
user@untrusted-nw-trusted-host> ping
trusted-nw-trusted-host
PING trusted-nw-trusted-host-ge-000.acme.net (112.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
...
Meaning
Verify the following information:
- A ping request from Host trusted-nw-trusted-host returns a ping response from Host untrusted-nw-untrusted-host.
- A ping request from Host untrusted-nw-trusted-host returns a ping response from Host trusted-nw-trusted-host. Verify that the ping response displays an IP address from the configured
NAT pool of 10.148.2.1 through 10.148.2.32.
Related Topics
For information about using the J-Web interface
to ping a host, see the J-series Services Router Administration Guide.
For more information about the ping command, see the J-series Services Router Administration Guide or
the JUNOS System Basics and Services Command Reference.
[
Contents]
[
Prev]
[
Next]
[
Index]
[
Report an Error]