Dynamic Session
The TOE supports FTP (RFC 959) and dynamically establishes the sessions it needs, permitting network traffic according to Administrator-defined rules. Stateful filtering policies are configured with port ranges to handle the dynamically negotiated FTP data connections. Because FTP runs over TCP, session establishment and removal behave exactly as for any other TCP session. Session events are logged in accordance with the 'log' actions defined in the rules; each log record contains the source and destination addresses, source and destination ports, transport-layer protocol and TOE interface.
To configure stateful traffic filtering rules that permit and log traffic for each of the supported protocols and drop and log TCP and UDP ports above 1024, use commands of the following form. The example below shows the TCP filter only. Two points to keep in mind when adapting it: the Junos 'port' match condition matches if either the source or the destination port falls in the range (use 'destination-port' if only the destination should be tested), and a filter applied under family inet affects IPv4 only, so the inet6 address configured on the same unit is not covered unless a separate family inet6 filter is applied.
set interfaces ge-1/0/1 vlan-tagging
set interfaces ge-1/0/1 unit 0 vlan-id 900
set interfaces ge-1/0/1 unit 0 family inet filter input tcp-port
set interfaces ge-1/0/1 unit 0 family inet address 10.1.9.29/24
set interfaces ge-1/0/1 unit 0 family inet6 address 2001:10:1:9::29/64
set firewall filter tcp-port term allow from protocol tcp
set firewall filter tcp-port term allow from port 0-1024
set firewall filter tcp-port term allow then log
set firewall filter tcp-port term allow then accept
set firewall filter tcp-port term deny from protocol tcp
set firewall filter tcp-port term deny from port 1025-65535
set firewall filter tcp-port term deny then log
set firewall filter tcp-port term deny then discard
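The following model of the tcp-port filter is an added illustration and is not Juniper code or part of the original guidance. It evaluates the two configured terms in order (Junos terms are first-match, with an implicit, unlogged discard at the end of a filter), models the 'port' condition as matching either the source or the destination port, and emits log records with the fields listed above. The sample flows, the interface name ge-1/0/1.0 and the log record layout are constructed assumptions for the example.

```python
"""Model of the tcp-port firewall filter configured above.

Added illustration, not Juniper code.  Terms are evaluated first-match,
unmatched packets hit the implicit discard at the end of the filter (which
does not log), and the 'port' condition matches if EITHER the source or the
destination port is in the range.  Packets and log records are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # transport protocol: "tcp" or "udp"
    sport: int
    dport: int
    interface: str = "ge-1/0/1.0"   # unit the filter is applied to (assumed name)


@dataclass(frozen=True)
class Term:
    name: str
    proto: str                      # 'from protocol'
    port_range: Tuple[int, int]     # 'from port', inclusive, source OR destination
    action: str                     # 'then accept' / 'then discard'
    log: bool = True                # 'then log'

    def matches(self, p: Packet) -> bool:
        lo, hi = self.port_range
        in_range = lo <= p.sport <= hi or lo <= p.dport <= hi
        return p.proto == self.proto and in_range


# The filter as configured: allow ports 0-1024, deny 1025-65535, both logged.
TCP_PORT_FILTER = [
    Term("allow", "tcp", (0, 1024), "accept"),
    Term("deny", "tcp", (1025, 65535), "discard"),
]


def evaluate(terms: List[Term], p: Packet, logbook: List[dict]) -> str:
    """Return the action taken for p, appending a log record if the term logs."""
    for t in terms:
        if t.matches(p):
            if t.log:
                logbook.append({
                    "src": p.src, "dst": p.dst,
                    "sport": p.sport, "dport": p.dport,
                    "proto": p.proto, "interface": p.interface,
                    "term": t.name, "action": t.action,
                })
            return t.action
    # No term matched: Junos applies the implicit discard, which is not logged.
    return "discard"


def run_samples() -> Tuple[List[Tuple[str, str]], List[dict]]:
    """Evaluate constructed flows; returns ((description, action) list, logbook)."""
    logbook: List[dict] = []
    samples = [
        ("ssh, ephemeral -> 22",  Packet("10.1.9.50", "10.1.9.29", "tcp", 45000, 22)),
        ("ephemeral -> 8080",     Packet("10.1.9.50", "10.1.9.29", "tcp", 45000, 8080)),
        ("src port 80 -> 8080",   Packet("10.1.9.50", "10.1.9.29", "tcp", 80, 8080)),
        ("udp dns -> 53",         Packet("10.1.9.50", "10.1.9.29", "udp", 45000, 53)),
    ]
    results = [(desc, evaluate(TCP_PORT_FILTER, p, logbook)) for desc, p in samples]
    return results, logbook


if __name__ == "__main__":
    results, logbook = run_samples()
    for desc, action in results:
        print(f"{desc:22s} -> {action}")
    for rec in logbook:
        print(rec)
```

Two of the sample flows show behaviour the configuration text alone does not make obvious: a TCP packet with source port 80 and destination port 8080 is accepted by the allow term, because 'port 0-1024' is satisfied by the source port, and a UDP packet to port 53 is discarded without any log record, because neither term matches protocol udp and the implicit discard does not log. Adding explicit UDP terms, and using 'destination-port' where only the destination should be tested, closes both gaps.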