SRX Getting Started - Stateless Firewall Filters (ACLs) Use Case

  [KB16685]


Summary:

This article describes why you would configure stateless firewall filters (ACLs) on SRX Series devices.

Symptoms:

Determine why you would configure stateless firewall filters (ACLs).

Cause:

Solution:

A stateless firewall filter, also known as an access control list (ACL), is a long-standing Junos feature used for stateless packet filtering and quality of service (QoS). A stateless firewall filter evaluates each packet in isolation against static match conditions (addresses, protocol, ports, TCP flags and so on); it keeps no memory of earlier packets. A stateful firewall, by contrast, uses connection state derived from the earlier packets of a session, and from application-layer inspection, to make dynamic control decisions.

You can configure stateless firewall filters on SRX Series devices to do the following:

  • Filter, mark, or count traffic that matches specific definitions
  • Enforce policing

NOTE: Firewall filters are not supported in Transparent/bridge mode.

Firewall filters (ACLs) are applied before the Flow services module, as depicted in the following diagram.


The Policer and Input filter modules represent firewall filters (ACLs), and the Flow Services Module includes security policies.

As the diagram shows, a packet is first processed by the firewall filters (ACLs) and only then by the security policies in the Flow Services Module. A packet that is discarded by a firewall filter never reaches the Flow Services Module. Depending on the objective of the firewall filter, a security policy may or may not be needed. For example, a firewall filter applied as an input filter on the loopback interface (lo0) matches traffic destined to the device itself, regardless of which interface it arrived on, so no security policy is involved in enforcing it. For a more detailed explanation of stateful and stateless data processing, refer to Understanding Stateful and Stateless Data Processing for J Series Services Routers.
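The following is an added example, not part of the original article, of the loopback-interface use described above: a filter named protect-re that controls which traffic may reach the device's control plane from any interface. The filter and term names, the management prefix 192.0.2.0/24, the BGP peer prefix 203.0.113.0/24 and the lo0 address are assumptions chosen for illustration; the match conditions and actions are standard Junos firewall filter syntax.

```junos
firewall {
    family inet {
        filter protect-re {
            /* SSH only from the management subnet (assumed prefix). */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-accepted;
                    accept;
                }
            }
            /* Routing protocols: OSPF from anyone, BGP only from known peers. */
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term allow-bgp {
                from {
                    source-address {
                        203.0.113.0/24;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Rate-limit ICMP so a ping flood cannot consume the control plane. */
            term allow-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-1m;
                    count icmp-accepted;
                    accept;
                }
            }
            /* Everything else destined to the device is counted, logged and dropped.
               Junos applies an implicit discard anyway; the explicit term gives a counter. */
            term deny-rest {
                then {
                    count re-denied;
                    log;
                    discard;
                }
            }
        }
    }
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 10.255.0.1/32;
            }
        }
    }
}
```

Because this filter gates management access to the device, activate it with commit confirmed so that a mistake in the allow-mgmt-ssh term rolls back automatically rather than locking you out. Check the counters with show firewall filter protect-re and the logged drops with show firewall log.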


Example of a firewall filter implementing a policer

The following is an example of a firewall filter that polices PIM traffic, counts the packets that hit the term, and places them in the forwarding class called network-control. The filter is applied in both directions on ge-0/0/0. Note that a security policy is also needed for the stateful session to be created. Also note that a Junos firewall filter ends with an implicit discard: as written, this single-term filter would drop all other IPv4 traffic entering or leaving ge-0/0/0, so a production filter needs a final term that accepts (or explicitly handles) the remaining traffic.

user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input pim-traffic-filter;
                output pim-traffic-filter;
            }
            address 10.1.1.1/24;
        }
    }
}


user@host# show firewall
family inet {
    filter pim-traffic-filter {
        term pim {
            from {
                source-address {
                    10.10.0.0/16;
                }
                destination-address {
                    224.0.0.13/32;
                }
                protocol pim;
            }
            then {
                policer network-control-5m;
                count pim-pkts;
                loss-priority low;
                forwarding-class network-control;
                accept;
            }
        }
    }
}
policer network-control-5m {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 1m;
    }
    then discard;
}
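As an added example, not part of the original article: the same filter completed with a final catch-all term, so that non-PIM traffic on ge-0/0/0 still reaches the Flow Services Module instead of being silently dropped by the implicit discard, followed by the operational commands used to confirm the counter and policer are being hit. The term name allow-rest and the counter name other-pkts are assumptions; everything else reuses the article's own names.

```junos
firewall {
    family inet {
        filter pim-traffic-filter {
            term pim {
                from {
                    source-address {
                        10.10.0.0/16;
                    }
                    destination-address {
                        224.0.0.13/32;
                    }
                    protocol pim;
                }
                then {
                    policer network-control-5m;
                    count pim-pkts;
                    loss-priority low;
                    forwarding-class network-control;
                    accept;
                }
            }
            /* Without this term the implicit discard at the end of the
               filter would drop every other IPv4 packet on ge-0/0/0. */
            term allow-rest {
                then {
                    count other-pkts;
                    accept;
                }
            }
        }
    }
    policer network-control-5m {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 1m;
        }
        then discard;
    }
}
```

After committing, use the operational mode commands to verify behaviour: show firewall filter pim-traffic-filter lists the pim-pkts and other-pkts counters and, under Policers, the packets that network-control-5m discarded for the pim term; clear firewall filter pim-traffic-filter resets them before a test. Because the same filter is applied as both input and output on ge-0/0/0, each counter aggregates both directions; use two differently named filters if you need per-direction counts.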



Technical Documentation

For information about stateless firewall filters, see:
Stateless Firewall Filter Types