The match direction is used with respect to the traffic flow through the AS or Multiservices
PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is
entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route
the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet,
the packet direction is input. If the outside interface is used to direct the packet to the
PIC, the packet direction is output. For more information on inside and outside interfaces,
see Configuring Service Sets to be Applied to Services Interfaces.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed.
Rules in this service set are considered in sequence until a match is found. During rule
processing, the packet direction is compared against rule directions. Only rules with
direction information that matches the packet direction are considered. Most packets
result in the creation of bidirectional flows.
Configuring Match Conditions in Stateful Firewall Rules
To configure stateful firewall match conditions, include the from statement at the [edit
services stateful-firewall rule rule-name term term-name] hierarchy level:
[edit services stateful-firewall rule rule-name term term-name]
from {
application-sets set-name;
applications [ application-names ];
destination-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
destination-address-range low minimum-value high maximum-value <except>;
destination-prefix-list list-name <except>;
source-address (address | any-ipv4 | any-ipv6 | any-unicast) <except>;
source-address-range low minimum-value high maximum-value <except>;
source-prefix-list list-name <except>;
}
NOTE: ACX500 routers do not support applications and application-sets at
the [edit services stateful-firewall rule rule-name term term-name from]
hierarchy level.
The source address and destination address can be either IPv4 or IPv6.
You can use either the source address or the destination address as a match condition,
in the same way that you would configure a firewall filter; for more information, see the
Routing Policies, Firewall Filters, and Traffic Policers Feature Guide. You can use the wildcard
values any-unicast, which denotes matching all unicast addresses, any-ipv4, which
denotes matching all IPv4 addresses, or any-ipv6, which denotes matching all IPv6
addresses.
Alternatively, you can specify a list of source or destination prefixes by configuring the
prefix-list statement at the [edit policy-options] hierarchy level and then including either
1025Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
To Next Page
Loading...
Need help?
General
