Configuring Match Conditions In Stateful Firewall Rules - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router
Configuring Match Conditions in Stateful Firewall Rules

Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
The match direction is used with respect to the traffic flow through the AS or Multiservices
PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is
entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output. For more information on inside and outside interfaces,
see Configuring Service Sets to be Applied to Services Interfaces.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed.
Rules in this service set are considered in sequence until a match is found. During rule
processing, the packet direction is compared against rule directions. Only rules with
direction information that matches the packet direction are considered. Most packets
result in the creation of bidirectional flows.
To configure stateful firewall match conditions, include the from statement at the
[edit services stateful-firewall rule rule-name term term-name] hierarchy level:
[edit services stateful-firewall rule rule-name term term-name]
from {
application-sets set-name;
applications [ application-names ];
destination-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
destination-address-range low minimum-value high maximum-value <except>;
destination-prefix-list list-name <except>;
source-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
source-address-range low minimum-value high maximum-value <except>;
source-prefix-list list-name <except>;
}
NOTE: ACX500 routers do not support applications and application-sets at the
[edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
The source address and destination address can be either IPv4 or IPv6.
You can use either the source address or the destination address as a match condition,
in the same way that you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide. You can use the wildcard
values any-unicast, which denotes matching all unicast addresses, any-ipv4, which denotes
matching all IPv4 addresses, or any-ipv6, which denotes matching all IPv6 addresses.
Alternatively, you can specify a list of source or destination prefixes by configuring the
prefix-list statement at the [edit policy-options] hierarchy level and then including either
the source-prefix-list or destination-prefix-list statement at the
[edit services stateful-firewall rule rule-name term term-name from] hierarchy level:
1025