[MX] Time based Firewall filter

I was testing different firewall filters in Juniper MX when i got to think about time based firewall filters that should only be applied at given time.

This configurations might be useful when we need to block some IP address for some time interval.

1. Create group

kijush@srx# show groups
time-based-filter {
when {
time 11:00:00 to 17:00:00; # Time to enable the filtering
}
system {
time-zone Asia/K;
}
interfaces {
ae0 {
unit 0 {
family inet {
filter {
input firewall-filter;
}
}
}
}
}
}

2. Create Firewall filter

kijush@srx# show firewall filter firewall-filter
term T1 {
from {
destination-address {
192.168.1.0/24;
}
}
then {
reject;
}
}
term T2 {
then accept;
}

3. create apply-groups for the group we created before

kijush@srx# show apply-groups
## Last changed: 2015-05-22 14:47:19 NPT
apply-groups time-based-filter;

4. Check inheritance on the interface to enable filtering.

kijush@srx# show interfaces ae0 | display inheritance
description test-interface-lacp;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
##
## ‘filter’ was inherited from group ‘time-based-filter’
##
filter {
##
## ‘input’ was inherited from group ‘time-based-filter’
## ‘firewall-filter’ was inherited from group ‘time-based-filter’
##
input firewall-filter;
}
address 1.1.1.1/28;
}
}

Please comment if this documentation doesn’t help.

 

HTH…:)

Leave a Reply

Your email address will not be published. Required fields are marked *