SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall filter precedence

    Posted 05-08-2017 05:27
    I'm trying to understand the precedence of firewall filters. First, are the items within a term processed as AND or OR? So if I have a source-address and destination-address both defined, do both have to be true for the THEN clause to be executed? If not, what is the logic to determine if the term is true or false? Same question for ports. Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list? Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon? I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well. Thanks guys!!!!


  • 2.  RE: Firewall filter precedence

    Posted 05-08-2017 05:46

    Hi,

    So if I have a source-address and destination-address both defined, do both have to be true for the THEN clause to be executed?

    ANS - If you have a source and destination defined, they will use the AND logic and both have to be true for the "then" action to be executed.

    Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list?

    - What exactly do you mean by a prefix list here?

    Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon?

    - This can be checked in the security flow traceoptions. It will be easier to put a counter in the filter though.

    I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well.

    - The device evaluates a packet against the filters in a list sequentially, beginning with the first filter in the list until either a terminating action occurs or the packet is implicitly discarded.

    More details on filter lists at: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-multiple-listed-overview.html

    Regards,

    Sahil Sharma

    Please mark my response as Solution if it Helps, Kudos are Appreciated as well



  • 3.  RE: Firewall filter precedence

    Posted 05-08-2017 05:51

    Hi Alfonso,

    Thanks for posting your queries here.

    Please find below the answers in which I have tried to answer your queries:

    1. When you define both source-address and destination-address, both of them have to be true at the same time for the THEN clause/action to take place. The case is the same when you specify source-port and destination-port. To summarize, it is an AND operation which takes place with the attributes that you specify in the match condition.
    2. The above changes when you use prefix-list (not source/destination prefix-list but a general prefix-list) in a way that if any of the IP addresses you specify in the prefix list are matched with either source or destination of a packet, the THEN clause/action takes effect. Hence an OR operation takes place within the prefix list, but an AND operation is still happening if you have specified any other condition to match the traffic.
    3. No, there is no way to tell if a filter was hit other than enabling syslogs or counts.

    Hope the above answers your queries. 🙂

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.



  • 4.  RE: Firewall filter precedence
    Best Answer

    Posted 05-09-2017 04:11

    Thanks for the reply guys. Exactly what I was looking for! That explains some of the behavior I've been seeing with my lab setup.

    So the simple explanation is that if one wants full granular control, always use source- and destination- functions and put in as many terms as possible to ensure the packet is what you were looking for.

    For some of the more lenient rules, a simple port and protocol may suffice - for example allowing 80/443 traffic to leave the network. By extension of your explanations, putting just tcp-80 and tcp-443 in the filter without any addresses should accomplish this.

    Thanks again for not only the quick response but a complete response. You both get credit for the correct solution - not sure how to mark that though.



  • 5.  RE: Firewall filter precedence

    Posted 05-09-2017 20:17

    Mark one so we don't keep checking to see if the question has been answered. Generally guests will read most if not all the comments. Just to muddy this up a little bit more :)

    If you specify "port" only it will match in either direction and may not accomplish exactly what you want. Better to specify destination-port or source-port if you need that granularity.

    "Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list? "

    Similar thing here it will match source or destination address using the prefix-list.

    Additionally, if there is a non-terminating action without a discard or reject, the packet will be accepted.
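The replies above (posts 2, 3 and 5) describe four rules: match keys within a term are ANDed, values within one key are ORed, a plain prefix-list or port matches in either direction, and a matching term with only non-terminating actions accepts. The block below is an added example, not from the thread or from Junos itself: a small model of those rules run over constructed packets, with per-term counters standing in for the count action used to tell whether a term was hit. The filter terms, addresses and ports are made up.

```python
import ipaddress

def _in_any(addr, prefixes):
    """True if addr falls inside any prefix in the list (OR within one key)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def term_matches(term, pkt):
    """Every key under 'from' must hold (AND across keys); each key's list is OR."""
    checks = {
        "source-address": lambda v: _in_any(pkt["src"], v),
        "destination-address": lambda v: _in_any(pkt["dst"], v),
        # plain prefix-list: source OR destination may fall inside it
        "prefix-list": lambda v: _in_any(pkt["src"], v) or _in_any(pkt["dst"], v),
        "protocol": lambda v: pkt["proto"] in v,
        "source-port": lambda v: pkt["sport"] in v,
        "destination-port": lambda v: pkt["dport"] in v,
        # plain port: matches in either direction (post 5's caveat)
        "port": lambda v: pkt["sport"] in v or pkt["dport"] in v,
    }
    return all(checks[key](vals) for key, vals in term.get("from", {}).items())

def evaluate(terms, pkt, counters):
    """First matching term decides; count is recorded; no match means implicit discard."""
    for term in terms:
        if not term_matches(term, pkt):
            continue
        then = term.get("then", {})
        if "count" in then:
            counters[then["count"]] = counters.get(then["count"], 0) + 1
        # a term with only non-terminating actions (e.g. just count) accepts
        return then.get("action", "accept")
    return "discard"

# Constructed filter: hypothetical names and RFC 5737 documentation addresses.
DEMO_FILTER = [
    {"from": {"source-address": ["10.0.0.0/8"], "destination-address": ["192.0.2.0/24"]},
     "then": {"count": "mgmt-hits", "action": "accept"}},
    {"from": {"prefix-list": ["198.51.100.0/24"]},
     "then": {"count": "partner-hits", "action": "discard"}},
    {"from": {"protocol": ["tcp"], "port": [80, 443]},
     "then": {"count": "web-hits"}},      # non-terminating only -> accept
]

def classify(src, dst, proto, sport, dport, counters=None):
    """Run one constructed packet through DEMO_FILTER; returns (action, counters)."""
    counters = {} if counters is None else counters
    pkt = {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    return evaluate(DEMO_FILTER, pkt, counters), counters
```

Running `classify("10.1.1.1", "203.0.113.9", "tcp", 80, 50000)` shows the either-direction behaviour of a plain `port` match: the source port 80 satisfies the third term even though the destination port is not 80 or 443.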