Juniper ACX2000 Configuration Guide

NOTE: The ACX500 indoor routers do not support the action accept skip-ids.
You can optionally configure the firewall to record information in the system logging
facility by including the syslog statement at the [edit services stateful-firewall rule
rule-name term term-name then] hierarchy level. This statement overrides any syslog
setting included in the service set or interface default configuration.
Configuring IP Option Handling
You can optionally configure the firewall to inspect IP header information by including
the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term
term-name then] hierarchy level. When you configure this statement, all packets that
match the criteria specified in the from statement are subjected to additional matching
criteria. A packet is accepted only when all of its IP option types are configured as values
in the allow-ip-options statement. If you do not configure allow-ip-options, only packets
without IP header options are accepted.
NOTE: ACX500 indoor routers do not support the configuration of the
allow-ip-options statement.
The additional IP header option inspection applies only to the accept and reject stateful
firewall actions. This configuration has no effect on the discard action. When the IP header
inspection fails, reject frames are not sent; in this case, the reject action has the same
effect as discard.
If an IP option packet is accepted by the stateful firewall, Network Address Translation
(NAT) and intrusion detection service (IDS) are applied in the same way as to packets
without IP option headers. The IP option configuration appears only in the stateful firewall
rules; NAT applies to packets with or without IP options.
When a packet is dropped because it fails the IP option inspection, this exception event
generates both an IDS event and a system log message. The event type depends on the first
IP option field rejected.
Table 64 on page 1027 lists the possible values for the allow-ip-options statement. You
can include a range or set of numeric values, or one or more of the predefined IP option
settings. You can enter either the option name or its numeric equivalent. For more
information, refer to http://www.iana.org/assignments/ip-parameters.
Table 64: IP Option Values

IP Option Name    Numeric Value    Comment
any               0                Any IP option
ip-security       130              –
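As an added illustration (not Juniper's code, and not a Junos configuration), the following Python models the acceptance rule described above: it parses the options area of a raw IPv4 header and applies the accept, reject and discard semantics of allow-ip-options, including the case where a failed inspection turns reject into a silent drop. The name-to-number mapping extends the two rows of Table 64 with values from the IANA ip-parameters registry; the header builder, its addresses and the router-alert option are constructed test inputs.

```python
import struct
from typing import List, Optional, Set, Tuple

# Option type bytes from the IANA ip-parameters registry, keyed by Junos name.
# "any" (0 in Table 64) is shorthand for every type; names beyond the two the
# page shows are added here from the IANA registry.
IP_OPTION_NAMES = {"any": 0, "ip-security": 130, "loose-source-route": 131,
                   "strict-source-route": 137, "record-route": 7,
                   "timestamp": 68, "router-alert": 148, "ip-stream": 136}
EOOL, NOP = 0, 1  # one-byte padding options, not subject to policy

def ip_option_types(header: bytes) -> List[int]:
    """Return the option type bytes present in a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts) and opts[i] != EOOL:
        if opts[i] == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option length")
        found.append(opts[i])
        i += opts[i + 1]
    return found

def decide(action: str, header: bytes,
           allowed: Optional[Set[int]]) -> Tuple[str, Optional[int]]:
    """Apply a term action under allow-ip-options; allowed=None means the
    statement is absent. Returns (verdict, first rejected option type)."""
    if action == "discard":
        return "discard", None  # IP option inspection has no effect on discard
    for kind in ip_option_types(header):
        if allowed is None or (0 not in allowed and kind not in allowed):
            # Inspection failed: silently dropped, even for reject (no reject
            # frame); the option type is what the IDS/syslog event reports.
            return "discard", kind
    return action, None

def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed sample header (test addresses), EOOL-padded, IHL set."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options

ROUTER_ALERT = bytes([148, 4, 0, 0])  # constructed router-alert option (RFC 2113)
```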
1027    Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services