Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Firewall vs Policies

    Posted 06-05-2015 19:59

    After what feels like a lot of studying and a lot of lab practice, I still don't get one basic concept that is currently on my mind. I have a client situation that I am configuring that this question pertains to, so that's why I am motivated to get to the bottom of it.


    I still don't get the basic difference or application between a firewall filter and a policy. It seems that you can put basically the same configuration in either place and they can both be applied to interfaces, ingress and egress. I know this is probably not right, but: WHAT IS THE BASIC CONCEPTUAL DIFFERENCE BETWEEN FIREWALL AND POLICY? I hope it is something beyond "well, that's just where you're supposed to put that kind of thing".


    I completely watched and studied and applied the two JNCIA CBTNuggets video courses (over 45 videos total). I have configured every example in these courses in my lab. But I have a vague vacuum in my mind when I grasp for a distinction that stands clear between firewall filters and policies, beyond that these are two places to put stuff in the configuration. I mean you can filter stuff under both parts of the configuration, right?


    Can someone give me a good analogy that might stick in my mind? They seem to wash together in some kind of ambivalent confusion.


    MUCH APPRECIATED


    robin hood



  • 2.  RE: Firewall vs Policies
    Best Answer

    Posted 06-05-2015 20:22

    Hi robinhood,

     

    The simplest way to differentiate between firewall filters and policies is: firewall filters work outside the flow module and policies work inside the flow module.


    If there is a packet matching the firewall filter, it will be dropped at the interface level itself. It won't hit the flow module for processing (https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110 can explain the flow module and processing).


    This way we can save a lot of resources and stop unwanted packets from hitting/attacking firewalls. Basically an ACL on routers.


    Policies allow you to control traffic between security zones. Check the above-mentioned KB to understand where policy lookup happens in the flow module.


    I hope this helps a bit.


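To make the distinction in the answer above concrete, here is an added configuration sketch (not from the thread; interface names, addresses and filter/policy names are hypothetical): a stateless firewall filter attached to an interface, which discards matching packets before the flow module ever sees them, beside a zone-based security policy that is evaluated inside the flow module and is attached to a zone pair, never to an interface.

```junos
/* Stateless firewall filter: evaluated packet by packet on the interface,
   before the flow module. Addresses and names are hypothetical. */
firewall {
    family inet {
        filter UNTRUST-IN {
            /* Our own internal range must never arrive from outside. */
            term drop-spoofed-internal {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                /* Counted and dropped here; the flow module never sees it. */
                then {
                    count spoofed-internal;
                    discard;
                }
            }
            /* Everything else continues into flow processing. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Filters attach to interfaces, in the input or output direction. */
                filter {
                    input UNTRUST-IN;
                }
                address 203.0.113.2/24;
            }
        }
    }
}
/* Stateful security policy: evaluated inside the flow module on the first
   packet of a session. Interfaces belong to zones; policies sit between zones. */
security {
    zones {
        security-zone untrust { interfaces { ge-0/0/0.0; } }
        security-zone trust   { interfaces { ge-0/0/1.0; } }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                /* Reply packets are matched to the session, not re-evaluated. */
                then {
                    permit;
                }
            }
        }
    }
}
```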

  • 3.  RE: Firewall vs Policies

    Posted 06-05-2015 23:06

    Thank you. I really appreciate your help, rsuraj.


    This gives me something to chew on.


    Clarification please: You said the firewall filter works at the interface level, and that this way we can stop unwanted packets hitting/attacking firewalls. But aren't the packets hitting the firewall when the firewall filter stops the packet at the interface? Did you mean we can stop packets from hitting/attacking the Routing Engine? Or are the firewall and the firewall filter applied on the interface two different things?


    And if so, does this mean that the policy is handled by the RE? And the firewall filter is handled by the PFE?


    Also, does this mean that the policy cannot be applied on the interface?


    THANKS MUCH!!


    robin hood