
Time-based firewall filter on MX

‎10-07-2019 12:41 AM

Hello,

 

I would like to seek ideas: has anyone experienced doing a time-based firewall filter on Juniper MX series?

 

Any input would be appreciated.

Seyma
JNCIP-ENT, SEC, SP
7 REPLIES 7

Re: Time-based firewall filter on MX

‎10-07-2019 12:52 AM

Hello Seyma,

 

I believe it can be achieved by using event options. You can create time based events and change the firewall filter configuration accordingly.

 

Best regards,

Sergii

-------------------------------------------------------------------

Please accept the solution if your problem is resolved

-------------------------------------------------------------------


Re: Time-based firewall filter on MX

‎10-07-2019 12:57 AM

Dear Sergii,

 

Thanks for your input. Would you mind sharing an example configuration for that?

 

Regards,

Seyma
JNCIP-ENT, SEC, SP

Re: Time-based firewall filter on MX

‎10-07-2019 01:02 AM

Hello,

You have 2 options here:

1/ using SLAX scripts https://www.juniper.net/us/en/local/pdf/script-library/config-time-based-filters-en.pdf

2/ using "when" knob in groups http://kijush.com.np/2015/05/mx-time-based-firewall-filter/

More information/discussion here

https://forums.juniper.net/t5/Routing/Can-we-do-Internet-access-list-time-duration-on-MX-withou-scri...

HTH

Thx

Alex

 

 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Time-based firewall filter on MX

‎10-07-2019 01:04 AM

Hello Seyma,

 

Please check the following links out:

https://www.juniper.net/us/en/local/pdf/script-library/config-time-based-filters-en.pdf 

https://github.com/Juniper/junoscriptorium/blob/master/library/juniper/event/filters/time-based-filt... 

 

Also there is a chapter "Time-based configuration change" in "This Week Mastering Junos Automation" book, which may be helpful.

 

Best regards,

Sergii


Re: Time-based firewall filter on MX

‎10-07-2019 01:55 AM

Dear Alex and Sergii,

 

Thanks for your input. I will test using the SLAX script later and will report back the result.

 

For now, I have just tested using apply-groups with "when" option. But not sure if this is correct.

time-based-filter {
    when {
        time 16:32 to 16:35;
    }
    interfaces {
        xe-0/1/6 {
            unit 0 {
                family inet {
                    filter {
                        input FF-CUST01-DOUBLE-IN;
                        output FF-CUST01-DOUBLE-OUT;
                    }
                }
            }
        }                               
    }
}

I have two questions:

1. Is the above config the correct combination of conditions to activate the filter of one specific interface (xe-0/1/6) at 16:32 to 16:35?

2. Without including "interface" within the group, does that mean it applies to every interface?

 

Regards,

 

Seyma
JNCIP-ENT, SEC, SP
Solution
Accepted by topic author Seyma
‎10-08-2019 08:45 PM

Re: Time-based firewall filter on MX

‎10-07-2019 05:25 AM

Hello,

 


@Seyma wrote:

 

1. Is the above config the correct combination of conditions to activate the filter of one specific interface (xe-0/1/6) at 16:32 to 16:35?

 


You forgot to apply the group:

 

set interfaces apply-groups time-based-filter

 


@Seyma wrote:

 

2. Without including "interface" within the group, does that mean it applies to every interface?

 

 


 

Not sure what You actually meant. The "interfaces {" is the top-level stanza; You cannot skip top-level stanzas in the groups.

If You mean specifying interface as wildcard - like below:

 

set groups BLAH interfaces <*> <blah-blah-whatever>

- then it depends on the group application point. If You do:

 

set interfaces apply-groups BLAH

- then it will be applied to EVERY interface defined in the config. 

If You apply this group like below:

 

set interfaces xe-0/0/0 apply-groups BLAH

- then it will apply only to xe-0/0/0 even though the group BLAH has a wildcard.

 

HTH

Thx

Alex

 

 

 

 


Re: Time-based firewall filter on MX

‎10-17-2019 02:28 AM

Dear Seyma, 

 

This is working for me. Here is the example:
set groups CUST-TIME-RANGE when time 6:00PM
set groups CUST-TIME-RANGE when time to 11:59PM
set groups CUST-TIME-RANGE interfaces xe-0/1/4 unit 10 family inet filter input POLICE-20M-TEST
set groups CUST-TIME-RANGE interfaces xe-0/1/4 unit 10 family inet filter output POLICE-20M-TEST
set groups CUST-TIME-RANGE-1 when time 00:00
set groups CUST-TIME-RANGE-1 when time to 6:00
set groups CUST-TIME-RANGE-1 interfaces xe-0/1/4 unit 10 family inet filter input POLICE-20M-TEST
set groups CUST-TIME-RANGE-1 interfaces xe-0/1/4 unit 10 family inet filter output POLICE-20M-TEST
set groups CUST-TIME-RANGE-DAY when time 6:00AM
set groups CUST-TIME-RANGE-DAY when time to 6:00PM
set groups CUST-TIME-RANGE-DAY interfaces xe-0/1/4 unit 10 family inet filter input POLICE-30M
set groups CUST-TIME-RANGE-DAY interfaces xe-0/1/4 unit 10 family inet filter output POLICE-30M
set interfaces xe-0/1/4 unit 10 vlan-id 10
set interfaces xe-0/1/4 unit 10 family inet address x.x.x.x/xx

set apply-groups CUST-TIME-RANGE
set apply-groups CUST-TIME-RANGE-1
set apply-groups CUST-TIME-RANGE-DAY

 

Cheers,

Try Chhay
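
Added example (not part of any post in this thread, and not Juniper code): when several `when time` groups are meant to keep a filter on an interface around the clock, it is worth checking that the windows leave no unfiltered minute and do not overlap. The Python sketch below parses `set groups ... when time` lines in the form shown above and audits one 24-hour day. The function names are hypothetical, and whether the end minute of a window is itself active is an assumption exposed as `end_inclusive`; confirm the boundary behaviour on the device.

```python
import re
from collections import defaultdict

# Constructed sample: "when time" lines in the set-style form used in the thread.
SAMPLE = """\
set groups CUST-TIME-RANGE when time 6:00PM
set groups CUST-TIME-RANGE when time to 11:59PM
set groups CUST-TIME-RANGE-1 when time 00:00
set groups CUST-TIME-RANGE-1 when time to 6:00
set groups CUST-TIME-RANGE-DAY when time 6:00AM
set groups CUST-TIME-RANGE-DAY when time to 6:00PM
"""

LINE = re.compile(r"^set groups (\S+) when time (to )?(\d{1,2}):(\d{2})(AM|PM)?$")

def to_minute(hh, mm, ampm):
    """Convert HH:MM with optional AM/PM to minutes since midnight."""
    hh, mm = int(hh), int(mm)
    if ampm:
        hh = hh % 12 + (12 if ampm == "PM" else 0)
    return hh * 60 + mm

def parse_windows(text):
    """Return {group: (start_minute, end_minute)} from set-style lines."""
    win = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            group, is_end, hh, mm, ampm = m.groups()
            win[group]["end" if is_end else "start"] = to_minute(hh, mm, ampm)
    return {g: (w["start"], w["end"]) for g, w in win.items() if len(w) == 2}

def audit(windows, end_inclusive=False):
    """Return (gap_minutes, overlap_minutes) over one 24-hour day."""
    active = [0] * 1440
    for start, end in windows.values():
        stop = end + 1 if end_inclusive else end  # assumption: boundary semantics
        if stop <= start:                         # window wraps past midnight
            stop += 1440
        for minute in range(start, stop):
            active[minute % 1440] += 1
    gaps = [m for m, n in enumerate(active) if n == 0]
    overlaps = [m for m, n in enumerate(active) if n > 1]
    return gaps, overlaps

if __name__ == "__main__":
    for inclusive in (False, True):
        print(inclusive, audit(parse_windows(SAMPLE), inclusive))
```

A minute reported as a gap is one where none of these groups attaches a filter to the unit; a minute reported as an overlap is one where the result depends on apply-groups inheritance order.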

 
