Release History Table
Release    Description
14.2       Starting in Junos OS Release 14.2, MS-MPC and MS-MIC interface cards support IPv6 traffic for Junos Network Secure Stateful Firewall.
Configuring Stateful Firewall Rules
To configure a stateful firewall rule, include the rule rule-name statement at the [edit
services stateful-firewall] hierarchy level:
[edit services stateful-firewall]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept <skip-ids> | discard | reject);
            allow-ip-options [ values ];
            syslog;
        }
    }
}
NOTE: ACX500 routers do not support applications and application-sets at
the [edit services stateful-firewall rule rule-name term term-name from]
hierarchy level.
NOTE: On ACX500 routers, to enable syslog, include the stateful-firewall-logs
CLI statement at the [edit services service-set service-set-name syslog host
local class] hierarchy level.
Each stateful firewall rule consists of a set of terms, similar to a filter configured at the
[edit firewall] hierarchy level. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included
  and excluded. The from statement is optional in stateful firewall rules.
• then statement—Specifies the actions and action modifiers to be performed by the
  router software. The then statement is mandatory in stateful firewall rules.
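An added example (not Juniper code): a small Python audit of a rule written in the syntax above. It checks each term for the mandatory then statement and flags a term that accepts with no from. The sample rule, its names and its address are constructed; treating a term without from as matching all traffic, and expecting exactly one of accept, discard or reject in then, are assumptions of this example.

```python
import re

ACTIONS = {"accept", "discard", "reject"}  # the three actions in the then syntax above
# Constructed sample rule; rule/term names and the address are illustrative only.
SAMPLE = """
rule fw-in {
    match-direction input;
    term allow-web { from { source-address 192.0.2.0/24; } then { accept; syslog; } }
    term no-action { from { source-address any-ipv6; } }
    term catch-all { then { accept; } }
}
"""

def parse(text):
    """Parse brace-delimited config into nested [(words, children-or-None)] lists."""
    root, stack, words = [], [], []
    cur = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                    # open a block named by the pending words
            cur.append((words, []))
            stack.append(cur)
            cur, words = cur[-1][1], []
        elif tok == "}":                  # close the current block
            cur = stack.pop()
        elif tok == ";":                  # end of a leaf statement
            cur.append((words, None))
            words = []
        else:
            words.append(tok)
    return root

def blocks(nodes, kw):  # (name, body) for each child block whose first word is kw
    return [(w[1] if len(w) > 1 else "", c) for w, c in nodes if w[:1] == [kw] and c is not None]

def audit(text):
    """Return (rule, term, finding) tuples for terms that fail the checks."""
    findings = []
    for rule, rule_body in blocks(parse(text), "rule"):
        for term, term_body in blocks(rule_body, "term"):
            parts = {w[0]: c for w, c in term_body if w and c is not None}
            if "then" not in parts:       # then is mandatory, from is optional
                findings.append((rule, term, "missing mandatory then statement"))
                continue
            stmts = {w[0] for w, _ in parts["then"] if w}
            if len(stmts & ACTIONS) != 1:  # assumption: exactly one action per term
                findings.append((rule, term, "then needs exactly one of accept/discard/reject"))
            if "from" not in parts and "accept" in stmts:  # assumption: no from = match all
                findings.append((rule, term, "accept with no from matches all traffic"))
    return findings
```

Calling audit(SAMPLE) reports the no-action term (no then) and the catch-all term (accept with no match conditions); allow-web passes.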
Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services