Configuring Stateful Firewall Rules - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services

Copyright © 2017, Juniper Networks, Inc.

Release History Table

Release   Description
14.2      Starting in Junos OS Release 14.2, MS-MPC and MS-MIC interface cards support IPv6 traffic for Junos Network Secure Stateful Firewall.

Configuring Stateful Firewall Rules
To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

[edit services stateful-firewall]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept <skip-ids> | discard | reject);
            allow-ip-options [ values ];
            syslog;
        }
    }
}

NOTE: ACX500 routers do not support applications and application-sets at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

NOTE: On ACX500 routers, to enable syslog, include the stateful-firewall-logs CLI statement at the [edit services service-set service-set-name syslog host local class] hierarchy level.

Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

from statement—Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.

then statement—Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.
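A worked rule that follows the statement syntax above, added here as an illustration and not taken from the Juniper manual. The rule name, term names and addresses (documentation ranges) are constructed; the second term omits the optional from statement, so it applies its action to all traffic the first term did not match.

```junos
[edit services stateful-firewall]
rule mgmt-inbound {
    /* Evaluate traffic arriving on the interface the service set is applied to. */
    match-direction input;

    /* Term 1: accept and log flows from the admin network to one host. */
    term allow-admin-net {
        from {
            source-address 192.0.2.0/24;
            destination-address 198.51.100.10/32;
        }
        then {
            accept;
            syslog;
        }
    }

    /* Term 2: no from statement, so every remaining flow is discarded and logged. */
    term discard-rest {
        then {
            discard;
            syslog;
        }
    }
}
```

The example avoids applications and application-sets so that it also fits the ACX500 restriction in the first note.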

This manual is also suitable for: ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...