
Understanding Firewall Filter Fast Lookup Filter


To speed up the processing of specific firewall filters, you can use the filter block hardware available on certain modular port concentrators (MPCs). See the MX Series Interface Module Reference manual for details of which MPCs include it. This hardware increases the number of firewall filter operations per second that can be performed.

Using the fast-lookup-filter option in environments with hundreds or thousands of terms per filter can improve the performance of those filters by moving their lookups into the filter block hardware.

There are 4096 hardware filters available per MPC. The number of firewall filters that can be installed in hardware depends on the number of terms in each filter: one hardware filter is consumed for every group of up to 255 terms in a firewall filter, and the total number of terms supported per firewall filter is 8000. Attaching a given firewall filter with fewer than 256 terms to multiple interfaces results in only one instance of that filter being installed in the filter block, so it consumes a single hardware filter regardless of how many interfaces reference it. This is true for interface-specific filters as well as for filter lists.

You designate specific firewall filters to be processed in the filter block hardware by including the fast-lookup-filter option when configuring the firewall.

When this option is used, the filter's match parameters are stored in the filter block hardware, which accelerates the lookup process. fast-lookup-filter is available only for the inet and inet6 protocol families, and the match conditions are limited to the 5-tuple: protocol, source-address, destination-address, source-port, and destination-port. A filter that uses any other match condition (for example, DSCP or TCP flags) cannot be designated for the filter block.

Ranges, prefix lists, and the except keyword are supported within the firewall filters and terms when using this option.
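The following configuration is an added example, not taken from the Juniper documentation or from any shipping configuration. It shows a family inet filter designated for the filter block with the fast-lookup-filter statement, whose terms use only the supported 5-tuple match conditions and exercise a prefix list, a port range, and the except keyword, and then applies the filter to an interface. The filter name FLF-EDGE-IN, the prefix list MGMT-NETS, the interface ge-0/0/0, and all addresses and ports are assumed placeholders.

```junos
/* Added example: prefix list referenced by the filter (assumed name and prefix) */
policy-options {
    prefix-list MGMT-NETS {
        192.0.2.0/24;
    }
}

firewall {
    family inet {
        /* Assumed filter name; fast-lookup-filter designates it for the filter block hardware */
        filter FLF-EDGE-IN {
            fast-lookup-filter;
            /* Prefix lists are supported as 5-tuple address matches */
            term permit-mgmt {
                from {
                    source-prefix-list {
                        MGMT-NETS;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* Ranges are supported for port matches */
            term permit-ephemeral-return {
                from {
                    protocol tcp;
                    source-port 1024-65535;
                    destination-port 1024-65535;
                }
                then accept;
            }
            /* except is supported: match everything outside 10.0.0.0/8 */
            term drop-non-internal {
                from {
                    source-address {
                        10.0.0.0/8 except;
                        0.0.0.0/0;
                    }
                }
                then {
                    count non-internal-dropped;
                    discard;
                }
            }
            term default-accept {
                then accept;
            }
        }
    }
}

interfaces {
    /* Assumed interface; attaching the same filter to more interfaces still installs it once in hardware */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input FLF-EDGE-IN;
                }
            }
        }
    }
}
```

Because the filter has fewer than 256 terms, it consumes one of the 4096 hardware filters on the MPC however many interfaces it is attached to. Note that adding a term with a non-5-tuple match condition (such as dscp or tcp-flags) would make the filter ineligible for fast-lookup-filter, so keep such matches in a separate, non-hardware filter.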

Note

Firewall filters that are configured using the fast-lookup-filter option are not optimized by the firewall compiler.