Configuring Actions In Stateful Firewall Rules - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

ACX Series Universal Access Router Configuration Guide

Configuring Actions in Stateful Firewall Rules

the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. For an example, see Examples: Configuring Stateful Firewall Rules.

If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:

User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
IP creates a unidirectional flow.

You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Properties.

To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    then {
        (accept | discard | reject);
        allow-ip-options [ values ];
        syslog;
    }

You must include one of the following actions:

accept—The packet is accepted and sent on to its destination.
accept skip-ids—The packet is accepted and sent on to its destination, but IDS rule processing configured on an MS-MPC is skipped.
discard—The packet is not accepted and is not processed further.
reject—The packet is not accepted and a rejection message is returned; UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.

Copyright © 2017, Juniper Networks, Inc.
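The from and then statements described above, combined in one rule. This is an added example, not configuration from the Juniper guide: the rule name, term names and the web-servers prefix list are constructed, match-direction is a rule-level statement this page does not cover, and junos-http and junos-https are assumed to be the Junos predefined application definitions.

```junos
policy-options {
    /* Constructed sample prefix list (documentation address range). */
    prefix-list web-servers {
        192.0.2.0/24;
    }
}
services {
    stateful-firewall {
        rule sfw-inbound {
            match-direction input;
            /* Port and protocol come from the application definitions, */
            /* so they are not repeated here as match conditions. */
            term allow-web {
                from {
                    destination-prefix-list web-servers;
                    applications [ junos-http junos-https ];
                }
                then {
                    accept;
                }
            }
            /* No from statement: this term matches all remaining traffic, */
            /* so its action decides what happens to everything else. */
            term reject-rest {
                then {
                    /* reject answers the sender (ICMP unreachable for UDP, */
                    /* RST for TCP); discard would drop without a reply. */
                    reject;
                    syslog;
                }
            }
        }
    }
}
```

Because a term without from matches everything, an accept in the last term would pass all traffic the earlier terms did not handle; keeping syslog there records what the rule turned away.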

This manual is also suitable for:

ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...