Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Firewall Filter Nonterminating Actions

 

Firewall filters support different sets of nonterminating actions for each protocol family.

Note

You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.

Nonterminating actions carry with them an implicit accept action. In this context, nonterminating means that other actions can follow these actions whereas no other actions can follow a terminating action.

Note

On Junos OS Evolved, next term cannot appear as the last term of the action. A filter term where next term is specified as an action but without any match conditions configured is not supported.

Table 1 describes the nonterminating actions you can configure for a firewall filter term.

Table 1: Nonterminating Actions for Firewall Filters

Nonterminating Action

Description

Protocol Families

bgp-output-queue-priority priority (expedited | (1-16))

Assign the packet to one of the 17 prioritized BGP output queues.

  • family evpn

  • family inet

  • family inet-mdt

  • family inet-mvpn

  • family inet-vpn

  • family inet6

  • family inet6-mvpn

  • family inet6-vpn

  • family iso-vpn

  • family l2vpn

  • family route-target

  • family traffic-engineering

count counter-name

Count the packet in the named counter.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

dont-fragment

(set | clear)

Configure the value of the Don’t Fragment bit (flag) in the IPv4 header to specify whether the datagram can be fragmented:

  • set—Change the flag value to one, preventing fragmentation.

  • clear—Change the flag value to zero, allowing fragmentation.

Note: The dont-fragment (set | clear) actions are supported only on MPCs.

family inet

dscp value

Set the IPv4 Differentiated Services code point (DSCP) bit. You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

The default DSCP value is be (best effort), or 0.

You can also specify one of the following text synonyms:

  • af11—Assured forwarding class 1, low drop precedence (1)

  • af12—Assured forwarding class 1, medium drop precedence (2)

  • af13—Assured forwarding class 1, high drop precedence (3); and so on through af43, Assured forwarding class 4, high drop precedence

  • be—Best effort

  • cs0—Class selector 0; and so on through cs7, Class selector 0

  • ef—Expedited forwarding

Note: This action is not supported on PTX series routers.

Note: MPC line cards running on MX series routers support any value (from 0 to 63) in conjunction with the set dscp firewall filter action.

Note: The actions dscp 0 and dscp be are supported only on T320, T640, T1600, TX Matrix, TX Matrix Plus, and M320 routers and on 10-Gigabit Ethernet Modular Port Concentrators (MPC). However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. On T4000 routers, the dscp 0 action is not supported during the inter-operation between a T1600 Enhanced Scaling Type 4 FPC and a T4000 Type 5 FPC.

family inet

force-premium

By default, a hierarchical policer processes the traffic it receives according to the traffic’s forwarding class. Premium, expedited-forwarding traffic, has priority for bandwidth over aggregate, best-effort traffic. The force-premium filter ensures that traffic matching the term is treated as premium traffic by a subsequent hierarchical policer, regardless of its forwarding class. This traffic is given preference over any aggregate traffic received by that policer.

Note: The force-premium filter option is supported only on MPCs.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family VPLS

forwarding-class class-name

Classify the packet to the named forwarding class:

  • forwarding-class-name

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

hierarchical-policer

Police the packet using the specified hierarchical policer

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

ipsec-sa ipsec-sa

Use the specified IPsec security association.

Note: This action is not supported on MX Series routers, Type 5 FPCs on T4000 routers, and PTX Series Packet Transport Routers.

family inet

load-balance group-name

Use the specified load-balancing group.

Note: This action is not supported on MX Series routers or PTX Series Packet Transport Routers.

family inet

log

Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).

Note: The Layer 2 (L2) families log action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DCPs). For MX Series routers with DPCs, the log action for L2 families is ignored if configured.

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family vpls

logical-system logical-system-name

Direct packets to a specific logical system.

  • family inet

  • family inet6

loss-priority (high | medium-high | medium-low | low)

Set the packet loss priority (PLP) level.

You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive.

This action is supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement and using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

next-hop-group group-name

Use the specified next-hop group.

We recommend that you do not use the next-hop-group action with the port-mirror-instance or port-mirror action in the same firewall filter.

  • family any

  • family inet

next-interface interface-name

(MX Series) Direct packets to the specified outgoing interface.

  • family inet

  • family inet6

next-ip ip-address

(MX Series) Direct packets to the specified destination IPv4 address.

family inet

next-ip6 ipv6-address

(MX Series) Direct packets to the specified destination IPv6 address.

family inet6

packet-mode

Updates a bit field in the packet key buffer, which specifies traffic that will bypass flow-based forwarding. Packets with the packet-mode action modifier follow the packet-based forwarding path and bypass flow-based forwarding completely. Applies to SRX100, SRX210, SRX220, SRX240, and SRX650 devices only. For more information about selective stateless packet-based services, see the Junos OS Security Configuration Guide.

family any

policer policer-name

Name of policer to use to rate-limit traffic.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

policy-map policy-map-name

(MX Series) Name of policy map used to assign specific rewrite rules to a specific customer.

  • family any

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

port-mirror instance-name

Port-mirror the packet based on the specified family. This action is supported on M120 routers, M320 routers configured with Enhanced III FPCs, MX Series routers, and PTX Series Packet Transport Routers only.

We recommend that you do not use both the next-hop-group and the port-mirror actions in the same firewall filter.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family vpls

  • family mpls

port-mirror-instance instance-name

Port mirror a packet for an instance. This action is supported only on the MX series routers.

We recommend that you do not use both the next-hop-group and the port-mirror-instance actions in the same firewall filter.

  • family any

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family vpls

  • family mpls

prefix-action action-name

Count or police packets based on the specified action name.

Note: This action is not supported on PTX Series Packet Transport Routers.

family inet

routing-instance routing-instance-name

Direct packets to the specified routing instance.

  • family inet

  • family inet6

sample

Sample the packet.

Note: Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.

  • family inet

  • family inet6

  • family mpls

service-accounting

Use the inline counting mechanism when capturing subscriber per-service statistics.

Count the packet for service accounting. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain.

The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.

Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.

  • family any

  • family inet

  • family inet6

service-accounting- deferred

Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain.

The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.

Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.

  • family any

  • family inet

  • family inet6

service-filter-hit

(Only if the service-filter-hit flag is marked by a previous filter in the current type of chained filters) Direct the packet to the next type of filters.

Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the service-filter-hit match condition in receiving filters, helps to streamline filter processing.

Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.

  • family any

  • family inet

  • family inet6

syslog

Log the packet to the system log file.

The syslog firewall action for existing inet and inet6 families, and the syslog action in L2 family filters includes the following L2 information:

Input interface, action, VLAN ID1, VLAN ID2, Ethernet type, source and destination MAC addresses, protocol, source and destination IP addresses, source and destination ports, and the number of packets.

Note: The L2 families syslog action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DCPs). For MX Series routers with DPCs, the syslog action for L2 families is ignored if configured.

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family vpls

three-color-policer (single-rate | two-rate) policer-name

Police the packet using the specified single-rate or two-rate three-color-policer.

Note: You cannot also configure the loss-priority action for the same firewall filter term. These two actions are mutually exclusive.

  • family bridge

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

traffic-class value

Specify the traffic-class code point. You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

The default traffic-class value is best effort, that is, be or 0.

In place of the numeric value, you can specify one of the following text synonyms:

  • af11—Assured forwarding class 1, low drop precedence

  • af12—Assured forwarding class 1, medium drop precedence

  • af13—Assured forwarding class 1, high drop precedence

  • af21—Assured forwarding class 2, low drop precedence

  • af22—Assured forwarding class 2, medium drop precedence

  • af23—Assured forwarding class 2, high drop precedence

  • af31—Assured forwarding class 3, low drop precedence

  • af32—Assured forwarding class 3, medium drop precedence

  • af33—Assured forwarding class 3, high drop precedence

  • af41—Assured forwarding class 4, low drop precedence

  • af42—Assured forwarding class 4, medium drop precedence

  • af43—Assured forwarding class 4, high drop precedence

  • be—Best effort

  • cs0—Class selector 0

  • cs1—Class selector 1

  • cs2—Class selector 2

  • cs3—Class selector 3

  • cs4—Class selector 4

  • cs5—Class selector 5

  • cs6—Class selector 6

  • cs7—Class selector 7

  • ef—Expedited forwarding

Note: The actions traffic-class 0and traffic-class be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers.

family inet6