Firewall Filters Overview

Firewall filters provide rules that define whether to permit or deny packets that are transiting a port on a Juniper Networks EX Series Ethernet Switch from a source endpoint to a destination endpoint. You configure firewall filters to determine whether to permit or deny traffic before it enters or exits a port to which the firewall filter is applied. To apply a firewall filter, you must first configure the filter and then apply it to a port, either while manually configuring a port or through port profiles.

Firewall Filter

Each port or interface on the switch can have a maximum of two filters: one ingress filter and one egress filter.

You can configure firewall filters to subject packets to filtering, class-of-service (CoS) marking (grouping similar types of traffic together, and treating each type of traffic as a class with its own level of service priority), and traffic policing (controlling the maximum rate of traffic sent or received on an interface). You can create an ingress and an egress firewall filter and deploy the filter on a port.

Note: If you apply ingress and egress filters to the same interface, the ingress filter is processed first.

Firewall Filter Components

In a firewall filter, you define one or more terms that specify the filtering criteria and the action to be taken if a match occurs. A firewall filter can have multiple terms.

Each term consists of the following components: the match conditions, which specify the packet fields and values a packet must contain for the term to match, and the action, which specifies what the switch does with a packet that matches the term.

Firewall Filter Processing

If there are multiple terms in a filter, the order of the terms is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. If a packet matches the first term, the switch executes the action defined by that term, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If the packet does not match any terms in the filter, the switch discards the packet by default.
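The following Python model is an added example, not code from Juniper or from this documentation; it reproduces the processing rules stated above (terms evaluated in configured order, first match wins, implicit discard when nothing matches, ingress filter before egress filter) so that the effect of term ordering can be checked on sample packets. The term names, addresses and the `Packet`/`Term`/`evaluate_filter`/`forward` names are hypothetical and constructed for the example; the match fields are a small subset of what a real Junos `from` clause supports.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Packet fields that the sample terms below match on (constructed example)."""
    src: str
    dst: str
    protocol: str
    dport: Optional[int] = None


@dataclass
class Term:
    """One filter term: match conditions (Junos `from`) and an action (`then`).

    Within a term, different condition fields are ANDed; several values listed
    for one field are ORed. An empty field means "do not test this field".
    """
    name: str
    src_prefixes: List[str] = field(default_factory=list)
    dst_prefixes: List[str] = field(default_factory=list)
    protocols: List[str] = field(default_factory=list)
    dports: List[int] = field(default_factory=list)
    action: str = "accept"  # this model supports "accept" and "discard" only

    def matches(self, pkt: Packet) -> bool:
        if self.src_prefixes and not any(
            ip_address(pkt.src) in ip_network(p) for p in self.src_prefixes
        ):
            return False
        if self.dst_prefixes and not any(
            ip_address(pkt.dst) in ip_network(p) for p in self.dst_prefixes
        ):
            return False
        if self.protocols and pkt.protocol not in self.protocols:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate_filter(terms: List[Term], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation in configured order.

    Returns (action, name of the matching term). A packet that matches no
    term gets the implicit default action, discard, with term name None.
    """
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", None


def forward(ingress: List[Term], egress: List[Term], pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """Ingress filter first; the egress filter only sees packets the ingress filter accepted.

    Returns (action, which filter decided, matching term name).
    """
    action, term = evaluate_filter(ingress, pkt)
    if action != "accept":
        return action, "ingress", term
    action, term = evaluate_filter(egress, pkt)
    return action, "egress", term


# Constructed sample filters (hypothetical term names and documentation addresses).
INGRESS_TERMS = [
    Term("allow-dns", src_prefixes=["10.0.0.0/8"], protocols=["udp"], dports=[53]),
    Term("block-telnet", protocols=["tcp"], dports=[23], action="discard"),
    Term("allow-web", protocols=["tcp"], dports=[80, 443]),
    # No catch-all term: anything else falls through to the implicit discard.
]

# A term with no match conditions matches every packet.
ALLOW_REST = Term("allow-rest")

EGRESS_TERMS = [
    Term("block-to-lab", dst_prefixes=["203.0.113.0/24"], action="discard"),
    ALLOW_REST,
]


if __name__ == "__main__":
    telnet = Packet("10.1.2.3", "192.0.2.10", "tcp", 23)
    ssh = Packet("10.1.2.3", "192.0.2.10", "tcp", 22)
    https = Packet("10.1.2.3", "203.0.113.7", "tcp", 443)

    print(evaluate_filter(INGRESS_TERMS, telnet))   # ('discard', 'block-telnet')
    print(evaluate_filter(INGRESS_TERMS, ssh))      # ('discard', None): implicit discard
    # Term order matters: a catch-all placed first shadows every term after it.
    print(evaluate_filter([ALLOW_REST] + INGRESS_TERMS, telnet))  # ('accept', 'allow-rest')
    print(forward(INGRESS_TERMS, EGRESS_TERMS, https))  # ('discard', 'egress', 'block-to-lab')
```

The third call shows the ordering trap the section warns about: moving the unconditional `allow-rest` term ahead of `block-telnet` makes the discard term unreachable, because the first matching term ends evaluation. The second call shows the other side of the same rule: with no catch-all term, traffic the administrator forgot to list is dropped rather than allowed, which is the safer default but is a common cause of unexpected connectivity loss when a filter is first applied.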