It can flow between interfaces within a zone; you may need to enable:
set firewall zone WAN intra-zone-filtering action 'accept'
set firewall zone LAN intra-zone-filtering action 'accept'
Stateful firewall configuration
# Global state policy
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'
# if you are doing bridging/containers while above is set
set firewall global-options apply-to-bridged-traffic accept-invalid <type>
# Alternatively, have statements in each policy to allow related/established, drop invalid
set firewall ipv4 name WAN-to-LAN rule 10 action accept
set firewall ipv4 name WAN-to-LAN rule 10 description "Allow Related/Established Traffic"
set firewall ipv4 name WAN-to-LAN rule 10 state established
set firewall ipv4 name WAN-to-LAN rule 10 state related
set firewall ipv4 name WAN-to-LAN rule 20 action drop
set firewall ipv4 name WAN-to-LAN rule 20 description "Drop Invalid"
set firewall ipv4 name WAN-to-LAN rule 20 state invalid
To apply a policy, it’s in the mindset of “from Zone to Zone”, e.g.:
set firewall ipv4 name ALLOW-ALL default-action 'accept'
set firewall ipv4 name DENY-ALL default-action 'drop'
# The zone policies below also reference these names as ipv6-name, so the IPv6 rulesets must exist too or the commit fails
set firewall ipv6 name ALLOW-ALL default-action 'accept'
set firewall ipv6 name DENY-ALL default-action 'drop'
set firewall zone WAN from LAN firewall ipv6-name 'ALLOW-ALL'
set firewall zone WAN from LAN firewall name 'ALLOW-ALL'
set firewall zone WAN from LOCAL firewall ipv6-name 'ALLOW-ALL'
set firewall zone WAN from LOCAL firewall name 'ALLOW-ALL'
set firewall zone WAN intra-zone-filtering action 'accept'
set firewall zone WAN member interface 'eth1'
set firewall zone LAN from LOCAL firewall ipv6-name 'ALLOW-ALL'
set firewall zone LAN from LOCAL firewall name 'ALLOW-ALL'
set firewall zone LAN from WAN firewall ipv6-name 'DENY-ALL'
set firewall zone LAN from WAN firewall name 'DENY-ALL'
set firewall zone LAN intra-zone-filtering action 'accept'
set firewall zone LAN member interface 'eth2'
set firewall zone LAN member interface 'eth3'
set firewall zone LAN member interface 'eth4'
set firewall zone LOCAL from LAN firewall ipv6-name 'ALLOW-ALL'
set firewall zone LOCAL from LAN firewall name 'ALLOW-ALL'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-to-LOCAL'
set firewall zone LOCAL from WAN firewall name 'WAN-to-LOCAL'
set firewall zone LOCAL local-zone
If you’re doing zone-based firewall, you should structure your policies to be “From Zone to Zone”, e.g. WAN-to-LAN, LOCAL-to-WAN, etc. You can only point at a single policy on your zone for traffic from another zone, so a rule like ALLOW-BGP-PEERING is too specific for a policy that is meant to be for ALL traffic from WAN towards LOCAL.
You could have a policy named WAN-to-LOCAL and then in that you would have a statement that allows BGP peering, e.g.:
# Use a network group or address group (network group is more flexible)
set firewall group network-group BGP-PEERS network 10.10.10.10/32
set firewall group address-group BGP-PEERS address 10.10.10.10
set firewall ipv4 name WAN-to-LOCAL default-action 'drop'
# The LOCAL zone also points ipv6-name at WAN-to-LOCAL, so that ruleset must be defined as well
set firewall ipv6 name WAN-to-LOCAL default-action 'drop'
set firewall ipv4 name WAN-to-LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN-to-LOCAL rule 10 description 'Allow ICMP'
set firewall ipv4 name WAN-to-LOCAL rule 10 protocol 'icmp'
set firewall ipv4 name WAN-to-LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN-to-LOCAL rule 20 description 'Allow BGP from Peers'
set firewall ipv4 name WAN-to-LOCAL rule 20 protocol 'tcp'
set firewall ipv4 name WAN-to-LOCAL rule 20 destination port 'bgp'
set firewall ipv4 name WAN-to-LOCAL rule 20 source group network-group BGP-PEERS
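As an added example (not from the original post and not VyOS code), here is a small checker for the zone-to-policy mapping described above: it parses `set firewall ...` lines, reports zone policies that point at a ruleset never defined for that family (VyOS refuses to commit those), and lists zone pairs with no IPv4 policy at all (inter-zone traffic with no policy is dropped). The sample config is constructed to mirror the post's three zones.

```python
import re

# Constructed sample mirroring the post's layout: IPv4 rulesets are defined,
# but two zone policies also reference IPv6 rulesets that were never created.
SAMPLE_CONFIG = """
set firewall ipv4 name ALLOW-ALL default-action 'accept'
set firewall ipv4 name DENY-ALL default-action 'drop'
set firewall ipv4 name WAN-to-LOCAL default-action 'drop'
set firewall zone WAN from LAN firewall name 'ALLOW-ALL'
set firewall zone WAN from LAN firewall ipv6-name 'ALLOW-ALL'
set firewall zone WAN from LOCAL firewall name 'ALLOW-ALL'
set firewall zone WAN member interface 'eth1'
set firewall zone LAN from WAN firewall name 'DENY-ALL'
set firewall zone LAN member interface 'eth2'
set firewall zone LOCAL from WAN firewall name 'WAN-to-LOCAL'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-to-LOCAL'
set firewall zone LOCAL local-zone
"""

RULESET_RE = re.compile(r"^set firewall (ipv4|ipv6) name (\S+)")
ZONE_RE = re.compile(r"^set firewall zone (\S+)")
POLICY_RE = re.compile(r"^set firewall zone (\S+) from (\S+) firewall (name|ipv6-name) (\S+)")


def lint_zone_policy(config: str) -> dict:
    """Return undefined ruleset references and zone pairs lacking an IPv4 policy."""
    defined = set()   # (family, ruleset name) actually created with 'set firewall ipv4/ipv6 name'
    zones = set()     # every zone mentioned anywhere
    policies = {}     # (to_zone, from_zone, family) -> ruleset name
    for line in config.strip().splitlines():
        line = line.strip().replace("'", "")  # quotes are optional in VyOS CLI
        m = RULESET_RE.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
            continue
        m = ZONE_RE.match(line)
        if m:
            zones.add(m.group(1))
        m = POLICY_RE.match(line)
        if m:
            family = "ipv6" if m.group(3) == "ipv6-name" else "ipv4"
            policies[(m.group(1), m.group(2), family)] = m.group(4)
    # A policy pointing at a ruleset that does not exist for that family fails at commit time
    undefined = sorted(f"{to} from {frm} {fam}: {name}"
                       for (to, frm, fam), name in policies.items() if (fam, name) not in defined)
    # Zone pairs with no policy at all: that direction is silently dropped
    missing = sorted(f"{frm}->{to}" for to in zones for frm in zones
                     if frm != to and (to, frm, "ipv4") not in policies)
    return {"undefined": undefined, "missing_ipv4_policy": missing}
```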