Understanding Protocol Support

The administrator can configure devices running Junos OS to perform stateful traffic filtering on network packets based on the protocols and header fields listed in Table 1.

Table 1: Network Traffic Protocols and Fields

| Protocol or RFC | Fields |
|---|---|
| ICMPv4 - RFC 792, Internet Control Message Protocol version 4 | Type; Code |
| ICMPv6 - RFC 2463, Internet Control Message Protocol version 6 | Type; Code |
| IPv4 - RFC 791, Internet Protocol | Source address; Destination address; Transport Layer Protocol |
| IPv6 - RFC 8200, Internet Protocol | Source address; Destination address; Transport Layer Protocol |
| TCP - RFC 793, Transmission Control Protocol | Source port; Destination port |
| UDP - RFC 768, User Datagram Protocol | Source port; Destination port |

Note (IPv6): IPv6 Protocols 43, 44, and 60 are not supported by the TOE, so packets carrying them are dropped without logging.

The following protocols are also supported on devices running Junos OS and are a part of this evaluation.

  • IPsec

  • IKE

  • SSH

The following protocols are supported on devices running Junos OS but are not included in the scope of this evaluation.

  • OSPF

  • BGP

  • RIP

Configuration Examples

The firewall filters can be used to define rules for all the mentioned protocols and fields.

Stateful packet filter firewall rules can be created that permit, drop, and log packets for each of the following attributes:

ICMPv4 - Configure a filter on the TOE to accept and drop ICMPv4 packets according to its type.

ICMPv4 - Configure a filter on the TOE to accept and drop ICMPv4 packets according to its code.

ICMPv6 - Configure a filter on the TOE to accept and drop ICMPv6 packets according to its type.

ICMPv6 - Configure a filter on the TOE to accept and drop ICMPv6 packets according to its code.

IPV4 Source Address - Configure a filter on the TOE to drop and accept traffic with specified IPv4 source addresses.

IPV4 Destination Address - Configure a filter on the TOE to drop and accept traffic with specified IPv4 destination addresses.

IPv4 Transport Layer Protocol - Configure a filter on the TOE to drop and accept traffic with a specified IPv4 transport layer protocol.

IPv6 Source address - Configure a filter on the TOE to drop and accept traffic with specified IPv6 source addresses.

IPv6 Destination Address - Configure a filter on the TOE to drop and accept traffic with specified IPv6 destination addresses.

IPv6 Transport Layer Protocol - Configure a filter on the TOE to drop and accept traffic with a specified IPv6 transport layer protocol.

TCP Source Port - Configure a filter on the TOE to drop and accept traffic according to specified TCP source ports.

TCP Destination Port - Configure a filter on the TOE to drop and accept traffic according to specified TCP destination ports.

UDP Source Port - Configure a filter on the TOE to drop and accept traffic according to specified UDP source ports.

UDP Destination Port - Configure a filter on the TOE to drop and accept traffic according to specified UDP destination ports.

The TOE enforces the first rule for both IPv4 and IPv6 when two equal stateful traffic filtering rules with conflicting operations (permit and drop) are configured and deployed in two distinct orders.

IPv4 - Configure a filter to allow and drop packets to a specific destination with the allow rule being first.

IPv4 - Configure a filter to allow and drop packets to a specific destination with the deny rule being first.

IPv6 - Configure a filter to allow and drop packets to a specific destination with the allow rule being first.

IPv6 - Configure a filter to drop and allow packets to a specific destination with the drop rule being first.

Regardless of the specificity of the rule, the TOE enforces the first rule for both IPv4 and IPv6 when two rules are devised where one is a subset of the other (e.g., a specific address vs. a network segment).

IPv4 - Configure the firewall rule so that the first rule allows packets to a specific destination address and the second rule denies packets to its network segment with the allow rule being first.

IPv4 - Configure the firewall rule so that the first rule denies packets to a network segment and the second rule allows packets to a specific destination address of the network segment with the deny rule being first.

IPv6 - Configure the firewall rule so that the first rule allows packets to a specific destination address and the second rule denies packets to its network segment with the allow rule being first.

IPv6 - Configure the firewall rule so that the first rule denies packets to a network segment and the second rule allows packets to a specific destination address of the network segment with the deny rule being first.
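The ordering behaviour described above (first matching term wins, whether the terms conflict outright or one is a subset of the other) is easy to misjudge when reading a filter. The following Python model is an added illustration, not Junos configuration and not the page's own code; the term names, the constructed addresses (192.0.2.0/24, 2001:db8::/64) and the packet fields are assumptions. It reproduces the four IPv4/IPv6 ordering cases and the unlogged drop of IPv6 protocols 43, 44 and 60 from the note in Table 1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IPv6 next-header values the TOE does not support (per Table 1 note):
# dropped before any term is consulted, and nothing is logged.
UNSUPPORTED_IPV6_PROTOCOLS = {43, 44, 60}

@dataclass(frozen=True)
class Term:
    """One filter term: every 'from' field given must match for 'then' to fire."""
    name: str
    action: str                     # "accept" or "discard"
    dst: Optional[str] = None       # destination prefix, e.g. "192.0.2.0/24"
    protocol: Optional[int] = None  # transport-layer protocol number (6 TCP, 17 UDP)
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.dst is not None:
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
                return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True

def evaluate(terms, pkt: dict, log: list) -> str:
    """First term whose fields all match decides; later, more specific terms are
    never reached. Packets matching no term are discarded (and logged here)."""
    if ipaddress.ip_address(pkt["dst"]).version == 6 and \
            pkt.get("protocol") in UNSUPPORTED_IPV6_PROTOCOLS:
        return "discard"            # silent drop, no log entry
    for term in terms:
        if term.matches(pkt):
            log.append(f"{term.name}: {term.action} -> {pkt['dst']}")
            return term.action
    log.append(f"no term matched {pkt['dst']}: discard")
    return "discard"

# Constructed scenarios: a host-specific term and a term for the enclosing
# network segment, deployed in both orders for IPv4 and IPv6.
ALLOW_HOST4 = Term("allow-host", "accept", dst="192.0.2.10/32")
DENY_NET4 = Term("deny-net", "discard", dst="192.0.2.0/24")
ALLOW_HOST6 = Term("allow-host", "accept", dst="2001:db8::10/128")
DENY_NET6 = Term("deny-net", "discard", dst="2001:db8::/64")

def run_scenarios():
    results, log = {}, []
    pkt4 = {"dst": "192.0.2.10", "protocol": 6, "dst_port": 22}
    pkt6 = {"dst": "2001:db8::10", "protocol": 6, "dst_port": 22}
    results["v4-allow-first"] = evaluate([ALLOW_HOST4, DENY_NET4], pkt4, log)
    results["v4-deny-first"] = evaluate([DENY_NET4, ALLOW_HOST4], pkt4, log)
    results["v6-allow-first"] = evaluate([ALLOW_HOST6, DENY_NET6], pkt6, log)
    results["v6-deny-first"] = evaluate([DENY_NET6, ALLOW_HOST6], pkt6, log)
    results["v6-proto43"] = evaluate([ALLOW_HOST6], {"dst": "2001:db8::10", "protocol": 43}, log)
    return results, log
```

Running `run_scenarios()` shows the same packet accepted or discarded purely by which term is listed first, and the protocol-43 packet discarded with no log line, which is why audit review of such drops must not rely on filter logs.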