To configure stateful firewalls, you configure stateful firewall rules, and apply those rules to a service set. You can also configure stateful firewall rule sets, which contain a set of stateful firewall rules.
Configuring Stateful Firewall Rules for Next Gen Services
A stateful firewall rule specifies which traffic is processed and what action to apply to the traffic.
To configure a stateful firewall rule:
- Configure a name for the stateful firewall rule.
user@host# edit services policies stateful-firewall-rule rule-name
- Specify the traffic flow direction to which the stateful firewall rule applies.
[edit services policies stateful-firewall-rule rule-name]
user@host# set match-direction (input | input-output | output)
If you configure input-output, the rule is applied to sessions initiated from either direction. If this stateful firewall rule is applied to an interface-type service set, the direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. If this stateful firewall rule is applied to a next-hop service set, the direction is input if the inside interface is used to route the packet, and the direction is output if the outside interface is used to route the packet.
- Configure a name for a policy.
[edit services policies stateful-firewall-rule rule-name]
user@host# set policy policy-name
You can configure multiple policies for a stateful firewall rule. Each policy identifies the matching conditions for a flow, and whether or not to allow the flow. Once a policy in the rule matches a packet, that policy is applied and no other policies in the rule are processed.
- Specify the destination address of the flows to which the policy applies.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set match destination-address (address | any | any-ipv4 | any-ipv6)
Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step. The destination address can be IPv4 or IPv6.
- Specify the destination address of the flows to which the policy does not apply.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set match destination-address-excluded address
The destination address can be IPv4 or IPv6.
- Specify the source address of the flows to which the policy applies.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set match source-address (address | any | any-ipv4 | any-ipv6)
Alternatively, you can specify an address-book under the services configuration hierarchy to use in this step. The source address can be IPv4 or IPv6.
- Specify the source address of the flows to which the policy does not apply.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set match source-address-excluded address
The source address can be IPv4 or IPv6.
- Specify one or more application protocols to which the policy applies.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set match application [application-name]
Use an application protocol definition you have configured at the [edit applications] hierarchy level.
- Specify an action that the policy takes.
[edit services policies stateful-firewall-rule rule-name policy policy-name]
user@host# set then (count | deny | reject | permit)
where:
count: Enables a count, in bytes or kilobytes, of all network traffic the policy allows to pass.
deny: Drop the packets.
permit: Accept the packets and send them to their destination.
reject: Drop the packets. For TCP traffic, send a TCP reset (RST) segment to the source host. For UDP traffic, send an ICMP destination unreachable, port unreachable message (type 3, code 3) to the source host.
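The following set commands are an added example, not part of the original page, that walk the steps above end to end: a single input-direction rule with a permitting (and counted) policy for HTTP/HTTPS from an internal subnet to one web server, a source exclusion that keeps one host out of that permit, and a catch-all deny policy placed last because policies are evaluated in order and the first match ends processing. Rule and policy names and all addresses are constructed. junos-http and junos-https are standard predefined Junos application definitions; using the keyword any as an application match, and combining permit with count in one policy, are assumptions here since the page documents only named applications and a single then action. Comment lines (#) are for the reader.

```junos
# Added example: one stateful firewall rule with three ordered policies (constructed names/addresses)

# Rule name and direction: inspect sessions initiated on the input side only
set services policies stateful-firewall-rule sfw-web-rule match-direction input

# Policy 1: permit and count HTTP/HTTPS from the internal subnet to the web server,
# but leave one quarantined host out of the permit via source-address-excluded
set services policies stateful-firewall-rule sfw-web-rule policy allow-web match source-address 10.10.1.0/24
set services policies stateful-firewall-rule sfw-web-rule policy allow-web match source-address-excluded 10.10.1.99/32
set services policies stateful-firewall-rule sfw-web-rule policy allow-web match destination-address 192.0.2.10/32
set services policies stateful-firewall-rule sfw-web-rule policy allow-web match application [ junos-http junos-https ]
set services policies stateful-firewall-rule sfw-web-rule policy allow-web then permit
set services policies stateful-firewall-rule sfw-web-rule policy allow-web then count

# Policy 2: reject (not silently drop) telnet toward the web server so the client
# receives a TCP RST instead of waiting on a timeout; junos-telnet is a predefined application
set services policies stateful-firewall-rule sfw-web-rule policy reject-telnet match source-address any
set services policies stateful-firewall-rule sfw-web-rule policy reject-telnet match destination-address 192.0.2.10/32
set services policies stateful-firewall-rule sfw-web-rule policy reject-telnet match application junos-telnet
set services policies stateful-firewall-rule sfw-web-rule policy reject-telnet then reject

# Policy 3: catch-all deny; must be last, since the first matching policy wins
set services policies stateful-firewall-rule sfw-web-rule policy deny-rest match source-address any
set services policies stateful-firewall-rule sfw-web-rule policy deny-rest match destination-address any
set services policies stateful-firewall-rule sfw-web-rule policy deny-rest match application any
set services policies stateful-firewall-rule sfw-web-rule policy deny-rest then deny
```

Because the quarantined host 10.10.1.99 is excluded from allow-web, its web traffic falls through to deny-rest and is dropped; any other host in 10.10.1.0/24 matches allow-web and is permitted and counted. On its own this rule does nothing until it is attached to a service set, as described in the service-set procedure below.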
Configuring Stateful Firewall Rule Sets for Next Gen Services
A stateful firewall rule set lets you specify a set of stateful firewall rules, which are processed in the order in which they appear in the rule set configuration. Once a stateful firewall rule in the rule set matches a packet, that rule is applied and no other rules in the rule set are processed.
To configure a stateful firewall rule set:
- Configure a name for the stateful firewall rule set.
user@host# edit services policies stateful-firewall-rule-set rule-set-name
- Specify the stateful firewall rules that belong to the rule set.
[edit services policies stateful-firewall-rule-set rule-set-name]
user@host# set stateful-firewall-rule [rule-name]
Configuring the Service Set for Stateful Firewalls for Next Gen Services
Stateful firewall rules must be assigned to a service set before they can be applied to traffic.
To configure a service set to apply stateful firewall rules:
- Define the service set.
[edit services]
user@host# edit service-set service-set-name
- Configure either an interface service set, which requires a single service interface, or a next-hop service set, which requires an inside and outside service interface.
[edit services service-set service-set-name]
user@host# set interface-service service-interface interface-name
or
[edit services service-set service-set-name]
user@host# set next-hop-service inside-service-interface interface-name outside-service-interface interface-name
- Specify the stateful firewall rules to be used with the service set. You can specify either individual rules or rule sets but not both.
To apply individual stateful firewall rules:
[edit services service-set service-set-name]
user@host# set stateful-firewall-rules [rule-name]
To apply stateful firewall rule sets:
[edit services service-set service-set-name]
user@host# set stateful-firewall-rule-sets [rule-set-name]
The service set processes the stateful firewall rules or rule sets in the order in which they appear in the service set configuration.
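As an added example covering both the rule-set procedure and the service-set procedure above (not configuration from the original page), the commands below group two existing stateful firewall rules into a rule set, attach that rule set to a next-hop service set, and then show the alternative of an interface-style service set that references the individual rules directly. Rule names, rule-set names, service-set names and the vms- service interface names are constructed placeholders; the two rules are assumed to already exist under [edit services policies]. Comment lines (#) are for the reader.

```junos
# Added example: rule set plus two styles of service set (constructed names and interfaces)

# Rule set: rules are tried in the listed order, and the first rule that matches a packet wins,
# so the broad deny rule is listed after the specific permit rule
set services policies stateful-firewall-rule-set sfw-ruleset-dmz stateful-firewall-rule sfw-web-rule
set services policies stateful-firewall-rule-set sfw-ruleset-dmz stateful-firewall-rule sfw-deny-all

# Next-hop service set: needs an inside and an outside service interface; direction is
# input when the packet is routed via the inside interface, output via the outside one
set services service-set ss-dmz next-hop-service inside-service-interface vms-2/0/0.1
set services service-set ss-dmz next-hop-service outside-service-interface vms-2/0/0.2
set services service-set ss-dmz stateful-firewall-rule-sets sfw-ruleset-dmz

# Interface-style service set: a single service interface; direction follows whether the
# packet enters or leaves the interface the service set is applied on. This one references
# individual rules instead of a rule set (a service set may use one style or the other, not both)
set services service-set ss-branch interface-service service-interface vms-2/0/0.10
set services service-set ss-branch stateful-firewall-rules sfw-web-rule
set services service-set ss-branch stateful-firewall-rules sfw-deny-all
```

In both service sets the order of the referenced rules or rule sets is the order in which they are evaluated, so a check worth making before commit is that no rule with a catch-all deny policy precedes a rule that is meant to permit something.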