Junos OS


Time-based firewall filter on MX

  • 1.  Time-based firewall filter on MX

    Posted 10-07-2019 00:41

    Hello,

     

    I would like to ask whether anyone has experience with time-based firewall filters on the Juniper MX series.

     

    Any input would be appreciated.



  • 2.  RE: Time-based firewall filter on MX

     
    Posted 10-07-2019 00:52

    Hello Seyma,

     

    I believe it can be achieved by using event options. You can create time based events and change the firewall filter configuration accordingly.

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved :)

    -------------------------------------------------------------------



  • 3.  RE: Time-based firewall filter on MX

    Posted 10-07-2019 00:58

    Dear Sergii,

     

    Thanks for your input. Would you mind sharing an example configuration for that?

     

    Regards,



  • 4.  RE: Time-based firewall filter on MX

     
    Posted 10-07-2019 01:05

    Hello Seyma,

     

    Please check the following links out:

    https://www.juniper.net/us/en/local/pdf/script-library/config-time-based-filters-en.pdf 

    https://github.com/Juniper/junoscriptorium/blob/master/library/juniper/event/filters/time-based-filters/time-based-filters.slax 

     

    Also there is a chapter "Time-based configuration change" in "This Week Mastering Junos Automation" book, which may be helpful.

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved :)

    -------------------------------------------------------------------



  • 5.  RE: Time-based firewall filter on MX

    Posted 10-07-2019 01:55

    Dear Alex and Sergii,

     

    Thanks for your input. I will test using the SLAX script later and will report back the result.

     

    For now, I have just tested using apply-groups with the "when" option, but I am not sure if this is correct.

    time-based-filter {
        when {
            time 16:32 to 16:35;
        }
        interfaces {
            xe-0/1/6 {
                unit 0 {
                    family inet {
                        filter {
                            input FF-CUST01-DOUBLE-IN;
                            output FF-CUST01-DOUBLE-OUT;
                        }
                    }
                }
            }                               
        }
    }

    I have two questions:

    1. Is the above config the correct combination of conditions to activate the filter on one specific interface (xe-0/1/6) at 16:32 to 16:35?

    2. Without including "interface" within the group, does that mean it applies to every interface?

     

    Regards,

     



  • 6.  RE: Time-based firewall filter on MX
    Best Answer

    Posted 10-07-2019 05:25

    Hello,

     


    @Seyma wrote:

     

    1. Is the above config the correct combination of conditions to activate the filter on one specific interface (xe-0/1/6) at 16:32 to 16:35?

     


    You forgot to apply the group:

     

    set interfaces apply-groups time-based-filter

     


    @Seyma wrote:

     

    2. Without including "interface" within the group, does that mean it applies to every interface?

     

     


     

    Not sure what You actually meant. The "interfaces {" is the top-level stanza; You cannot skip top-level stanzas in the groups.

    If You mean specifying interface as wildcard - like below:

     

    set groups BLAH interfaces <*> <blah-blah-whatever>

    - then it depends on the group application point. If You do:

     

    set interfaces apply-groups BLAH

    - then it will be applied to EVERY interface defined in the config. 

    If You apply this group like below:

     

    set interfaces xe-0/0/0 apply-groups BLAH

    - then it will apply only to xe-0/0/0 even though the group BLAH has a wildcard.

     

    HTH

    Thx

    Alex

     

     

     

     



  • 7.  RE: Time-based firewall filter on MX

    Posted 10-17-2019 02:28

    Dear Seyma, 

     

    This is working for me. Here is the example:
    set groups CUST-TIME-RANGE when time 6:00PM
    set groups CUST-TIME-RANGE when time to 11:59PM
    set groups CUST-TIME-RANGE interfaces xe-0/1/4 unit 10 family inet filter input POLICE-20M-TEST
    set groups CUST-TIME-RANGE interfaces xe-0/1/4 unit 10 family inet filter output POLICE-20M-TEST
    set groups CUST-TIME-RANGE-1 when time 00:00
    set groups CUST-TIME-RANGE-1 when time to 6:00
    set groups CUST-TIME-RANGE-1 interfaces xe-0/1/4 unit 10 family inet filter input POLICE-20M-TEST
    set groups CUST-TIME-RANGE-1 interfaces xe-0/1/4 unit 10 family inet filter output POLICE-20M-TEST
    set groups CUST-TIME-RANGE-DAY when time 6:00AM
    set groups CUST-TIME-RANGE-DAY when time to 6:00PM
    set groups CUST-TIME-RANGE-DAY interfaces xe-0/1/4 unit 10 family inet filter input POLICE-30M
    set groups CUST-TIME-RANGE-DAY interfaces xe-0/1/4 unit 10 family inet filter output POLICE-30M
    set interfaces xe-0/1/4 unit 10 vlan-id 10
    set interfaces xe-0/1/4 unit 10 family inet address x.x.x.x/xx

    set apply-groups CUST-TIME-RANGE
    set apply-groups CUST-TIME-RANGE-1
    set apply-groups CUST-TIME-RANGE-DAY

     

    Cheers,

    Try Chhay
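
Added example, not part of the post above or of any Juniper tooling: a Python check that reads `set groups ... when time` lines in the two-line form shown in the post and reports minutes of the day where no group is active (no filter attached) or where more than one is active. Whether Junos counts the end minute as inside the window is not stated in the thread, so `inclusive_end` is an assumption and the check is run both ways; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: the "when time" lines from the post above.
SAMPLE = """\
set groups CUST-TIME-RANGE when time 6:00PM
set groups CUST-TIME-RANGE when time to 11:59PM
set groups CUST-TIME-RANGE-1 when time 00:00
set groups CUST-TIME-RANGE-1 when time to 6:00
set groups CUST-TIME-RANGE-DAY when time 6:00AM
set groups CUST-TIME-RANGE-DAY when time to 6:00PM
"""
LINE = re.compile(r"^set groups (\S+) when time (to )?(\d{1,2}):(\d{2})(AM|PM)?$", re.I)

def to_minute(hour, minute, suffix):
    """Convert H:MM with optional AM/PM into minutes since midnight."""
    hour, minute = int(hour), int(minute)
    if suffix:
        hour = hour % 12 + (12 if suffix.upper() == "PM" else 0)
    if hour > 23 or minute > 59:
        raise ValueError(f"invalid time {hour}:{minute:02d}")
    return hour * 60 + minute

def parse_windows(config):
    """Return {group: [start, end]} from 'when time' set lines."""
    windows = defaultdict(lambda: [None, None])
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            group, is_end, hh, mm, suffix = m.groups()
            windows[group][1 if is_end else 0] = to_minute(hh, mm, suffix)
    return dict(windows)

def audit(windows, inclusive_end=True):
    """Count active groups per minute; return (uncovered, overlapping) minutes."""
    active = [0] * 1440
    for start, end in windows.values():
        if start is None or end is None:
            raise ValueError("window missing start or end")
        # Modulo arithmetic lets a window wrap past midnight.
        length = (end - start) % 1440 + (1 if inclusive_end else 0)
        for i in range(length):
            active[(start + i) % 1440] += 1
    gaps = [m for m, n in enumerate(active) if n == 0]
    overlaps = [m for m, n in enumerate(active) if n > 1]
    return gaps, overlaps

def fmt(minutes):
    """Render minutes since midnight as HH:MM strings."""
    return [f"{m // 60:02d}:{m % 60:02d}" for m in minutes]
```

For these three windows the result is either two overlapping minutes (06:00 and 18:00) or one uncovered minute (23:59), depending on the end-minute assumption, so the boundaries are worth confirming on the device with `show configuration | display inheritance` at those times.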

     



  • 8.  RE: Time-based firewall filter on MX

    Posted 10-07-2019 01:02