Juniper® JNCIA Exam Cram Notes : Firewall Filter Concepts

7. Routing Policy and Firewall Filters

7.2 Firewall Filter Concepts

Firewall filter policy: Allows you to control packets transiting the router to a network destination and packets destined for and sent by the router.

On Junos devices, a firewall filter in the router is implemented using the Internet Processor ASIC. The Internet Processor builds on the router's fundamental performance and reliability by adding enhanced security functions and increased visibility into network operations. Each firewall filter in the JUNOS software contains a hidden final term that applies a single final action to every filter: discard all packets that no earlier term matched.

Firewall filters enable you to control packets transiting the device to a network destination as well as packets destined for and sent by the device. You can configure a firewall filter to perform specified actions on packets of a particular protocol family, including fragmented packets, that match specified conditions based on Layer 3 or Layer 4 packet header fields.

Stateless and Stateful Firewall Filters

A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections. Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not 'aware' of traffic patterns or data flows.

In contrast, a stateful firewall filter uses connection state information derived from other applications and past communications in the data flow to make dynamic control decisions. Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that a stateful firewall can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledged or established), whether the MTU has changed, whether packets have been fragmented, and so on.

Stateless firewalls are typically faster and perform better under heavier traffic.

Stateful firewalls are better at identifying unauthorized and forged communications.

Firewall Filter Components

In a firewall filter, you first define the family address type (ethernet-switching, inet (for IPv4), inet6 (for IPv6), circuit cross-connect (CCC), or MPLS), and then define one or more terms that specify the filtering criteria and the action to take if a match occurs.

Each term consists of the following components:

  • Match conditions - Specify values that a packet must contain to be considered a match. You can specify values for most fields in the IP, TCP, UDP, or ICMP headers. You can also match on interface names.
  • Action - Specifies what to do if a packet matches the match conditions. A filter can accept, discard, or reject a matching packet and then perform additional actions, such as counting, classifying, and policing. If no action is specified for a term, the default is to accept the matching packet.

Firewall Filter Processing: If there are multiple terms in a filter, the order of the terms is important. If a packet matches the first term, the switch executes the action defined by that term, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If the packet does not match any terms in the filter, the switch discards the packet by default.

A firewall filter is configured at the [edit firewall family inet] hierarchy level:

filter filter-name {
  term term-name {
    from {
      match-conditions;
    }
    then {
      action;
    }
  }
}

where filter-name is the name of the filter, term-name is the name of the filter term, match-conditions is the condition that the incoming packets must match for the action to be applied, and action is the steps to take for packets that match the filter condition.

The 'show firewall' command displays counter and policer statistics for all firewall filters. We can also specify the name of a specific filter using the 'show firewall filter <filter-name>' command.

Count, log and sample are the action modifiers used in firewall filters. These modifiers help us gather additional information about the packets a term matches.
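To make the term-processing rules above concrete (first match wins, a term without an explicit action accepts, the hidden final term discards, and the count modifier increments a named counter), here is an added Python model of stateless filter evaluation. It is not Junos code or part of the original notes; the filter MY-FILTER, its term names, counter names and the sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed example filter, written as the Junos term structure from above:
# each term has a 'from' block of match conditions and a 'then' block.
MY_FILTER = [
    {"name": "allow-ssh-mgmt",
     "from": {"source-address": "10.0.0.0/24", "protocol": "tcp",
              "destination-port": (22, 22)},
     "then": {"action": "accept", "count": "ssh-mgmt"}},
    {"name": "block-telnet",
     "from": {"protocol": "tcp", "destination-port": (23, 23)},
     "then": {"action": "discard", "count": "telnet-dropped"}},
    {"name": "allow-web",
     "from": {"protocol": "tcp", "destination-port": (80, 443)},
     "then": {"count": "web"}},  # no action given: default is accept
]


def term_matches(conditions, packet):
    """Every condition in the 'from' block must hold; an empty block matches all."""
    for field, wanted in conditions.items():
        if field == "source-address":
            if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(wanted):
                return False
        elif field == "protocol":
            if packet["proto"] != wanted:
                return False
        elif field == "destination-port":  # numeric range match condition
            low, high = wanted
            if not low <= packet["dport"] <= high:
                return False
    return True


def evaluate(filter_terms, packet, counters):
    """Evaluate terms top to bottom; return (action, matching term name)."""
    for term in filter_terms:
        if term_matches(term.get("from", {}), packet):
            then = term.get("then", {})
            if "count" in then:  # 'count' modifier: bump the named counter
                counters[then["count"]] = counters.get(then["count"], 0) + 1
            return then.get("action", "accept"), term["name"]
    # No term matched: the hidden final term discards the packet.
    return "discard", "<implicit-discard>"
```

The last packet in the test, SSH from outside 10.0.0.0/24, falls through every term and is dropped by the implicit term, which is why production filters usually end with an explicit catch-all term that counts or logs before discarding.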

You use the 'clear firewall counter-name' command to reset the counters associated with your firewall filters. You can clear an individual counter, an individual filter, or all filters on the router.

Example: To clear the counter and policer statistics of the MY-FILTER firewall filter, we use the 'clear firewall filter MY-FILTER' command, whereas the 'clear firewall filter' command clears the counter and policer statistics of all the firewall filters applied on our device.

'icmp-code number', 'dscp number' and 'destination-port number' are numeric-range firewall filter match conditions. 'destination-port number' matches the TCP or UDP destination port field.

The JUNOS software uses firewall filters not only to drop or accept data packets but also to rate-limit them. Rate policing enables you to limit the amount of traffic that passes into or out of a particular interface.

We use the 'show' command to display the configuration we have entered. To modify the configuration we use the rename and insert commands. The rename command changes the name of an existing configuration element, such as a filter or a term, while keeping its contents.
