I was testing different firewall filters in Juniper MX when I got to think about time-based firewall filters that should only be applied at a given time.
This configuration might be useful when we need to block some IP address for some time interval.
1. Create group
kijush@srx# show groups
time-based-filter {
    when {
        time 11:00:00 to 17:00:00; # Time to enable the filtering
    }
    system {
        time-zone Asia/K;
    }
    interfaces {
        ae0 {
            unit 0 {
                family inet {
                    filter {
                        input firewall-filter;
                    }
                }
            }
        }
    }
}
2. Create Firewall filter
kijush@srx# show firewall filter firewall-filter
term T1 {
    from {
        destination-address {
            192.168.1.0/24;
        }
    }
    then {
        reject;
    }
}
term T2 {
    then accept;
}
3. Create apply-groups for the group we created before
kijush@srx# show apply-groups
## Last changed: 2015-05-22 14:47:19 NPT
apply-groups time-based-filter;
4. Check inheritance on the interface to enable filtering.
kijush@srx# show interfaces ae0 | display inheritance
description test-interface-lacp;
aggregated-ether-options {
    lacp {
        active;
    }
}
unit 0 {
    family inet {
        ##
        ## 'filter' was inherited from group 'time-based-filter'
        ##
        filter {
            ##
            ## 'input' was inherited from group 'time-based-filter'
            ## 'firewall-filter' was inherited from group 'time-based-filter'
            ##
            input firewall-filter;
        }
        address 1.1.1.1/28;
    }
}
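Because the group is conditional, firewall-filter is attached to ae0 only while the "when" window is open; outside 11:00:00 to 17:00:00 the interface gets no input filter from this group. The following is an added example, not part of the original post: it parses brace-style Junos configuration and reports whether each time-conditional filter is enforced at a given device-local time. The function names, the exclusive window end and the midnight wrap handling are assumptions of the example.

```python
import re
from datetime import time

# Constructed sample: the group from step 1, condensed onto fewer lines.
SAMPLE = """
groups { time-based-filter {
    when { time 11:00:00 to 17:00:00; }  # window from step 1
    interfaces { ae0 { unit 0 { family inet { filter { input firewall-filter; } } } } }
} }
"""
WINDOW = re.compile(r"time (\d\d:\d\d:\d\d) to (\d\d:\d\d:\d\d)$")

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root, stack = {}, []
    node = root
    for stmt, delim in re.findall(r"([^{};]*)([{};])", re.sub(r"#.*", "", text)):
        stmt = " ".join(stmt.split())
        if delim == "{":
            stack.append(node)
            node = node.setdefault(stmt, {})
        elif delim == "}":
            node = stack.pop()
        elif stmt:
            node[stmt] = None
    return root

def enforced(group, now):
    """None if the group has no 'when time' window, else whether `now` falls inside it."""
    for stmt in (group or {}).get("when") or {}:
        m = WINDOW.match(stmt)
        if m:
            start, end = (time.fromisoformat(t) for t in m.groups())
            # Assumptions: end is exclusive; start > end means the window wraps midnight.
            return start <= now < end if start <= end else now >= start or now < end
    return None

def filters(node, path=()):
    """Yield (config path, statement) for input/output statements under a 'filter' block."""
    for key, child in node.items():
        if child is not None:
            yield from filters(child, path + (key,))
        elif path[-1:] == ("filter",) and key.split()[0] in ("input", "output"):
            yield " ".join(path[:-1]), key

def audit(text, now):
    """Return (group, path, statement, enforced at `now`) for each time-conditional filter."""
    rows = []
    for name, group in parse(text).get("groups", {}).items():
        state = enforced(group, now)
        if state is not None:
            rows += [(name, path, stmt, state) for path, stmt in filters(group)]
    return rows
```

Rows whose last field is False mark the hours in which the reject term for 192.168.1.0/24 is not in the forwarding path, which is worth confirming against the intended blocking interval and the device's configured time zone.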
Please comment if this documentation doesn’t help.
HTH…:)
Hello, I tried to apply it, but it is not working.