Changes in global-state-policy behavior
This section describes changes in global-state-policy behavior prior to Release 5.1 and gives an example of how to achieve similar functionality for later releases.
Prior to Release 5.1, the vRouter added implicit rules whenever global-state-policy values were defined. From Release 5.1 onwards this no longer occurs. The reason for the change is to ensure that firewalls are not "opened up" unintentionally. The details of the behavior change are as follows.
Prior to Release 5.1, a rule group named "default_state_group" was added after all rule groups configured on interfaces, in both the "out" and the "in" directions. Its contents depended on which values were set for "global-state-policy" (possible values are one or more of "icmp", "tcp", and "udp"). If all three were configured, i.e.:
set global-state-policy icmp
set global-state-policy tcp
set global-state-policy udp
then its contents would be:
rule 100 - allow stateful proto tcp
rule 200 - allow stateful proto udp
rule 300 - allow stateful proto icmp
If a protocol was not set in global-state-policy, no entry appeared for that protocol.
To obtain similar functionality with Release 5.1 and later, create an explicit group of rules and apply it to each interface and direction ("in" and "out") on which rule groups are already applied, after all other rule groups on that interface and direction (if any).
For example, if the configuration has the lines:
set global-state-policy icmp
set global-state-policy tcp
set global-state-policy udp
then similar functionality can be achieved by adding the following configuration:
set security firewall name DEFAULT-FW rule 100 action accept
set security firewall name DEFAULT-FW rule 100 protocol tcp
set security firewall name DEFAULT-FW rule 200 action accept
set security firewall name DEFAULT-FW rule 200 protocol udp
set security firewall name DEFAULT-FW rule 300 action accept
set security firewall name DEFAULT-FW rule 300 protocol icmp
For each interface IF-NAME where firewall groups are applied in the "in" direction, configure the following after all other firewall groups on that interface:
set interfaces dataplane IF-NAME firewall in DEFAULT-FW
and for each interface IF-NAME where firewall groups are applied in the "out" direction, configure the following after all other firewall groups on that interface:
set interfaces dataplane IF-NAME firewall out DEFAULT-FW
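Because the explicit DEFAULT-FW group ends in accept rules, the procedure above only reproduces the old behavior if the group is present on every interface direction that already carries firewall groups and is applied last on each of them; a group applied earlier in the chain accepts traffic before later groups can reject it. The following audit script is an added example, not code from the vRouter documentation or product: it reads a "set"-style configuration dump (the sample below is constructed for illustration; the interface names dp0p1s1/dp0p1s2 and the group names WEB-IN and MGMT-OUT are assumptions), checks that DEFAULT-FW accepts exactly the protocols named in global-state-policy, and reports every interface direction where DEFAULT-FW is missing or is not the last group.

```python
"""Audit a vRouter 'set'-style configuration for the explicit DEFAULT-FW group.

Checks performed:
  1. DEFAULT-FW contains an accept rule for each protocol listed under
     global-state-policy, and no accept rule for a protocol that is not listed.
  2. On every interface direction that has firewall groups, DEFAULT-FW is applied
     and is the last group in the configured order.
"""

import re
from collections import defaultdict

# Constructed sample configuration (assumption, not taken from the page).
# dp0p1s1 "out" has a group after DEFAULT-FW, and dp0p1s2 "in" lacks DEFAULT-FW.
SAMPLE_CONFIG = """
set global-state-policy icmp
set global-state-policy tcp
set global-state-policy udp
set security firewall name DEFAULT-FW rule 100 action accept
set security firewall name DEFAULT-FW rule 100 protocol tcp
set security firewall name DEFAULT-FW rule 200 action accept
set security firewall name DEFAULT-FW rule 200 protocol udp
set security firewall name DEFAULT-FW rule 300 action accept
set security firewall name DEFAULT-FW rule 300 protocol icmp
set interfaces dataplane dp0p1s1 firewall in WEB-IN
set interfaces dataplane dp0p1s1 firewall in DEFAULT-FW
set interfaces dataplane dp0p1s1 firewall out DEFAULT-FW
set interfaces dataplane dp0p1s1 firewall out MGMT-OUT
set interfaces dataplane dp0p1s2 firewall in WEB-IN
"""

GSP_RE = re.compile(r"^set global-state-policy (icmp|tcp|udp)$")
RULE_RE = re.compile(r"^set security firewall name (\S+) rule (\d+) (action|protocol) (\S+)$")
IFACE_RE = re.compile(r"^set interfaces dataplane (\S+) firewall (in|out) (\S+)$")


def parse_config(text):
    """Return (policy protocols, group -> rule -> fields, (iface, dir) -> ordered groups)."""
    policy = set()
    rules = defaultdict(dict)    # group name -> rule number -> {"action": .., "protocol": ..}
    chains = defaultdict(list)   # (interface, direction) -> groups in configured order
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GSP_RE.match(line)
        if m:
            policy.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            group, num, key, val = m.groups()
            rules[group].setdefault(int(num), {})[key] = val
            continue
        m = IFACE_RE.match(line)
        if m:
            iface, direction, group = m.groups()
            chains[(iface, direction)].append(group)
    return policy, rules, chains


def audit(text, group="DEFAULT-FW"):
    """Return a list of human-readable findings; an empty list means the config passes."""
    policy, rules, chains = parse_config(text)
    findings = []

    # Check 1: the protocols accepted by the group must match global-state-policy exactly.
    accepted = {
        r["protocol"]
        for r in rules.get(group, {}).values()
        if r.get("action") == "accept" and "protocol" in r
    }
    for proto in sorted(policy - accepted):
        findings.append(f"{group}: no accept rule for global-state-policy protocol {proto}")
    for proto in sorted(accepted - policy):
        findings.append(f"{group}: accepts {proto}, which is not in global-state-policy")

    # Check 2: wherever groups are applied, the explicit group must be present and last.
    for (iface, direction), groups in sorted(chains.items()):
        if group not in groups:
            findings.append(f"{iface} {direction}: {group} not applied")
        elif groups[-1] != group:
            findings.append(
                f"{iface} {direction}: {group} is not the last group (followed by {groups[-1]})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On a live system the input would be the router's own "set"-style configuration dump rather than the embedded sample. The order of groups in the dump is what matters for check 2, since the page states that the explicit group must come after all other firewall groups on the interface.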