This command configures a new IPv4 LAN WAN outbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_wan outbound command, you enter the security-config [firewall-ipv4-lan-wan-outbound] mode, and then you can configure one keyword and its associated parameter or associated keyword at a time, in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.

Step 1
Format: security firewall ipv4 add_rule lan_wan outbound
Mode: security

Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
qos_profile <profile name>
log {NEVER | ALWAYS}
bandwidth_profile <profile name>
nat_ip {type {Auto | WAN1 | WAN2 | WAN3 | WAN4} | address <ipaddress>}
Mode: security-config [firewall-ipv4-lan-wan-outbound]

The entries below list, for each keyword (which might consist of two separate words), the associated keyword to select or the parameter to type, and a description.

Service name, action, and schedule

Keyword: service_name default_services
Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
Description: Specifies the default service and protocol to which the firewall rule applies.

Keyword: service_name custom_services
Type: <custom service name>
Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.

Keyword: action
Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
Description: Specifies the type of action to be enforced by the rule.

Keyword: schedule
Select: Schedule1, Schedule2, or Schedule3
Description: Specifies the schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and WAN user addresses

Keyword: lan_users address_wise
Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.

Keyword: lan_user_start_ip
Type: <ipaddress>
Description: There are two options:
• The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

Keyword: lan_user_end_ip
Type: <ipaddress>
Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.

Keyword: lan_users group_wise
Type: <group name>
Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

Keyword: wan_users address_wise
Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
Description: Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.

Keyword: wan_user_start_ip
Type: <ipaddress>
Description: There are two options:
• The IP address if the wan_users address_wise keywords are set to SINGLE_ADDRESS.
• The start IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.

Keyword: wan_user_end_ip
Type: <ipaddress>
Description: The end IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.

Keyword: wan_users group_wise
Type: <group name>
Description: The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

QoS profile, logging, bandwidth profile, and NAT IP address

Keyword: qos_profile
Type: <profile name>
Description: The name of the QoS profile that you have specified with the security

Keyword: log
Select: NEVER or ALWAYS
Description: Specifies whether logging is disabled or enabled.

Keyword: bandwidth_profile
Type: <profile name>
Description: The name of the bandwidth profile that you have specified with the security bandwidth profile add command.

Keyword: nat_ip type
Select: Auto, WAN1, WAN2, WAN3, or WAN4
Description: Specifies the type of NAT IP address for a nonblocking rule:
• Auto. The source address of the outgoing packets is autodetected through the configured routing and load balancing rules.
• WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
Note: The nat_ip type and nat_ip address keywords are mutually exclusive.

Keyword: nat_ip address
Type: <ipaddress>
Description: The NAT IP address, if the address is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
Note: The nat_ip type and nat_ip address keywords are mutually exclusive.

Command example:

SRX5308> security firewall ipv4 add_rule lan_wan outbound
security-config[firewall-ipv4-lan-wan-outbound]> service_name default_services HTTP
security-config[firewall-ipv4-lan-wan-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-outbound]> lan_users group_wise SalesAmericas
security-config[firewall-ipv4-lan-wan-outbound]> wan_users address_wise ANY
security-config[firewall-ipv4-lan-wan-outbound]> bandwidth_profile PriorityQueue
security-config[firewall-ipv4-lan-wan-outbound]> nat_ip type Auto
security-config[firewall-ipv4-lan-wan-outbound]> log NEVER
security-config[firewall-ipv4-lan-wan-outbound]> save

Related show command: show security firewall ipv4 setup lan_wan
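As an added example that is not part of the NETGEAR reference, the following Python helper encodes the constraints this page states (address_wise versus group_wise, schedule only with the *_BY_SCHEDULE_* actions, nat_ip type versus nat_ip address, nat_ip on a nonblocking rule only) and emits the configuration lines in the order of the command example above, so a rule can be checked before it is pasted into the security-config mode. The function names, the reading of ALWAYS_BLOCK as the blocking case, and the sample addresses are assumptions; qos_profile is left out for brevity.

```python
import ipaddress
# Vocabulary taken from the keyword table on this page.
PROMPT = "security-config[firewall-ipv4-lan-wan-outbound]> "
ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW",
           "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
NAT_TYPES = {"Auto", "WAN1", "WAN2", "WAN3", "WAN4"}
# address_wise mode -> the *_user_start_ip / *_user_end_ip keywords it needs
ADDR_KEYS = {"ANY": [], "SINGLE_ADDRESS": ["start_ip"],
             "ADDRESS_RANGE": ["start_ip", "end_ip"]}

def users(side, spec):
    # spec carries exactly one of "address_wise" or "group_wise" (mutually exclusive)
    if ("address_wise" in spec) == ("group_wise" in spec):
        raise ValueError(f"{side}_users: give exactly one of address_wise or group_wise")
    if "group_wise" in spec:
        return [f"{side}_users group_wise {spec['group_wise']}"]
    mode = spec["address_wise"]
    if mode not in ADDR_KEYS:
        raise ValueError(f"{side}_users address_wise: unknown mode {mode}")
    lines = [f"{side}_users address_wise {mode}"]
    for key in ADDR_KEYS[mode]:  # IPv4Address() rejects a malformed address
        lines.append(f"{side}_user_{key} {ipaddress.IPv4Address(spec[key])}")
    return lines

def build_rule(service, action, lan, wan, schedule=None, nat_ip=None,
               log="NEVER", bandwidth_profile=None):
    # Returns the CLI lines for one rule, or raises ValueError on a violated constraint.
    if action not in ACTIONS or log not in ("NEVER", "ALWAYS"):
        raise ValueError(f"unknown action {action} or log setting {log}")
    if ("SCHEDULE" in action) != (schedule is not None):
        raise ValueError("schedule is required for, and only for, *_BY_SCHEDULE_* actions")
    if schedule and schedule not in SCHEDULES:
        raise ValueError(f"unknown schedule {schedule}")
    lines = [f"service_name {service[0]} {service[1]}", f"action {action}"]
    if schedule:
        lines.append(f"schedule {schedule}")
    lines += users("lan", lan) + users("wan", wan)
    if bandwidth_profile:
        lines.append(f"bandwidth_profile {bandwidth_profile}")
    if nat_ip:  # ("type", "Auto"|"WANn") or ("address", "<ipaddress>"); mutually exclusive
        if action == "ALWAYS_BLOCK":  # page: nat_ip is for a nonblocking rule (assumption:
            raise ValueError("nat_ip applies to a nonblocking rule only")  # ALWAYS_BLOCK blocks)
        kind, value = nat_ip
        if kind == "address":
            value = str(ipaddress.IPv4Address(value))
        elif kind != "type" or value not in NAT_TYPES:
            raise ValueError(f"bad nat_ip {kind} {value}")
        lines.append(f"nat_ip {kind} {value}")
    lines += [f"log {log}", "save"]
    return [PROMPT + line for line in lines]
```

Calling build_rule with the values from the command example above reproduces that transcript line for line, minus the initial add_rule command.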