Stateful Firewall Support For Application Protocols; Stateful Firewall Anomaly Checking - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

Stateful Firewall Support for Application Protocols

Stateful Firewall Anomaly Checking

Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
Firewall rules are ordered. The software checks the rules in the order in which you include
them in the configuration. The first time the firewall discovers a match, the router
implements the action specified by that rule. Rules still unchecked are ignored.
NOTE:
Starting in Junos OS Release 14.2, MS-MPC and MS-MIC interface
cards support IPv6 traffic for Junos Network Secure Stateful Firewall.
For more information, see "Configuring Stateful Firewall Rules" on page 1023.

By inspecting the application protocol data, the AS or MultiServices PIC firewall can
intelligently enforce security policies and allow only the minimal required packet traffic
to flow through the firewall.

The firewall rules are configured in relation to an interface. By default, the stateful firewall
allows all sessions initiated from the hosts behind the interface to pass through the
router.

NOTE:
Stateful firewall ALGs are not supported on ACX500 routers.

The stateful firewall recognizes the following events as anomalies and sends them to
the IDS software for processing:

IP anomalies:
  - IP version is not correct.
  - IP header length field is too small.
  - IP header length is set larger than the entire packet.
  - Bad header checksum.
  - IP total length field is shorter than header length.
  - Packet has incorrect IP options.
  - Internet Control Message Protocol (ICMP) packet length error.
  - Time-to-live (TTL) equals 0.

IP address anomalies:
  - IP packet source is a broadcast or multicast.
  - Land attack (source IP equals destination IP).

IP fragmentation anomalies:
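The IP and IP address checks listed above can be expressed as header validation logic. The following Python sketch is an added example, not Juniper's implementation and not part of the manual; the function names are hypothetical, it covers IPv4 only, it omits the IP options, ICMP length and fragmentation checks, and it treats only the limited broadcast address 255.255.255.255 as a broadcast source. Sample packets are constructed from documentation address ranges.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout

def fold16(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_header(src: str, dst: str, ttl: int = 64, total_len: int = 20) -> bytes:
    """Construct a 20-byte IPv4 header with a valid checksum (sample input)."""
    fields = [0x45, 0, total_len, 0, 0, ttl, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ~fold16(struct.pack(IPV4_FMT, *fields)) & 0xFFFF
    return struct.pack(IPV4_FMT, *fields)

def ip_anomalies(packet: bytes) -> list:
    """Return the anomalies from the manual's list that this packet exhibits."""
    if not packet:
        raise ValueError("empty packet")
    # Structural failures stop parsing: later fields cannot be trusted.
    if packet[0] >> 4 != 4:
        return ["IP version is not correct"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return ["IP header length field is too small"]
    if ihl > len(packet):
        return ["IP header length is set larger than the entire packet"]
    _, _, total_len, _, _, ttl, _, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    found = []
    if fold16(packet[:ihl]) != 0xFFFF:  # a valid header sums to all ones
        found.append("Bad header checksum")
    if total_len < ihl:
        found.append("IP total length field is shorter than header length")
    if ttl == 0:
        found.append("Time-to-live (TTL) equals 0")
    if ipaddress.IPv4Address(src).is_multicast or src == b"\xff\xff\xff\xff":
        found.append("IP packet source is a broadcast or multicast")
    if src == dst:
        found.append("Land attack (source IP equals destination IP)")
    return found

if __name__ == "__main__":
    # Constructed sample: multicast source with TTL 0.
    print(ip_anomalies(build_header("224.0.0.5", "198.51.100.7", ttl=0)))
```

Directed (subnet) broadcast sources cannot be recognized from the header alone; detecting them requires knowledge of the local prefixes.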
