the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule.
For an example, see Examples: Configuring Stateful Firewall Rules.
If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:
• User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
• IP creates a unidirectional flow.
You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Properties.
• To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.
Configuring Actions in Stateful Firewall Rules
To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:
[edit services stateful-firewall rule rule-name term term-name]
then {
    (accept | discard | reject);
    allow-ip-options [ values ];
    syslog;
}
You must include one of the following actions:
• accept—The packet is accepted and sent on to its destination.
• accept skip-ids—The packet is accepted and sent on to its destination, but IDS rule processing configured on an MS-MPC is skipped.
• discard—The packet is not accepted and is not processed further.
• reject—The packet is not accepted and a rejection message is returned; UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.
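The following configuration ties the preceding statements together in a complete rule: an application defined at the [edit applications] hierarchy level, grouped into an application set, matched with the application-sets statement in a from term, and handled by then actions with syslog enabled. It is an added illustration, not an example from this guide; the names my-ssh, mgmt-apps, allow-mgmt, permit-mgmt and drop-rest and the source prefix 192.0.2.0/24 are assumed values chosen for the example.

```junos
applications {
    /* Port and protocol are derived from this definition, not from the rule */
    application my-ssh {
        protocol tcp;
        destination-port 22;
    }
    application-set mgmt-apps {
        application my-ssh;
    }
}
services {
    stateful-firewall {
        rule allow-mgmt {
            match-direction input;
            /* Term 1: permit only the management prefix to the defined application set */
            term permit-mgmt {
                from {
                    source-address 192.0.2.0/24;
                    application-sets mgmt-apps;
                }
                then {
                    accept;
                    syslog;
                }
            }
            /* Term 2: no from statement, so it matches all remaining traffic;
               reject returns an ICMP unreachable (UDP) or RST (TCP) and
               syslog records each rejected packet for monitoring */
            term drop-rest {
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
}
```

Because the first term specifies application-sets, adding a port match condition in the same from term is not permitted; the port comes from the my-ssh definition.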
Copyright © 2017, Juniper Networks, Inc.
ACX Series Universal Access Router Configuration Guide