
Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)

Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650)

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, a switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default.

  • Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

  • Table 2 shows the actions that you can specify in a term.

  • Table 3 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.

For match conditions on specific switches, these limitations apply:

(QFX5100, QFX5110, QFX5200) When using filter-based forwarding on IPv6 interfaces, only these match conditions are supported in the ingress direction: source-address, destination-address, source-prefix-list, destination-prefix-list, source-port, destination-port, hop-limit, icmp-type, and next-header.

(QFX5110) When you enable the egress-to-ingress option under the [edit firewall] hierarchy, only accept, discard, and count actions are supported.

(QFX5100, QFX5110) In an EVPN-VXLAN environment, only these match conditions are supported: source-address, destination-address, source-port, destination-port, ttl, ip-protocol, and user-vlan-id.

(QFX5100, QFX5110, QFX5200) You cannot apply a firewall filter in the egress direction on an EVPN-VXLAN IRB interface.

(QFX5100, QFX5110) If you are using firewall filters to implement MAC filtering in an EVPN-VXLAN environment, see MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment for the supported match conditions.

(QFX5100, QFX5110) For each firewall filter that you apply to a VXLAN, you can specify family ethernet-switching to filter Layer 2 (Ethernet) packets, or family inet to filter on IRB interfaces. You cannot apply a firewall filter in the egress direction on IRB interfaces.

On switches that do not support Layer 2 features, use only those match conditions that are valid for IPv4 and IPv6 interfaces.
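The following configuration is an added example of the term structure described above (match conditions in a from statement, an action and action modifiers in a then statement); it is not taken from this page or from Juniper's own documentation. The filter name, term names, counter names, the interface name xe-0/0/1, and the prefixes 192.0.2.0/24 and 198.51.100.10/32 are all constructed for illustration. It uses a prefix list defined at [edit policy-options], the destination-port text synonyms from Table 1, the count and syslog modifiers, and a final term with no from statement, which matches all remaining packets.

```junos
policy-options {
    /* Management stations allowed to reach the switch (constructed addresses). */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter protect-mgmt {
            /* Known management hosts may open SSH and HTTPS; count what is allowed. */
            term allow-mgmt-from-known-hosts {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    count mgmt-allowed;
                    accept;
                }
            }
            /* Anyone else trying SSH or HTTPS is counted, logged to syslog and dropped. */
            term drop-other-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    count mgmt-denied;
                    syslog;
                    discard;
                }
            }
            /* No from statement: this term matches every packet not handled above. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/1 {
        unit 0 {
            family inet {
                /* Applied in the ingress direction, where count, syslog and discard are all supported. */
                filter {
                    input protect-mgmt;
                }
            }
        }
    }
}
```

Terms are evaluated in order, so the narrower allow term must precede the broader drop term; the counters mgmt-allowed and mgmt-denied can be read with show firewall to confirm that traffic is hitting the intended term.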

Table 1: Supported Match Conditions for Firewall Filters

Match Condition

Description

Direction and Interface

arp-type

ARP request packet or ARP reply packet.

Egress and ingress interfaces.

destination-address ip-address

IP destination address field, which is the address of the final destination node.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

Ingress ports, VLANs and IPv4 (inet) interfaces.

Egress ports and VLANs.

destination-port value

TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813), radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

destination-port range-optimize range

Match one or more ranges of TCP or UDP destination ports while using the available filter memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.)

Ingress IPv4 (inet) interfaces.

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • aarp (0x80F3)—EtherType value AARP

  • appletalk (0x809B)—EtherType value AppleTalk

  • arp (0x0806)—EtherType value ARP

  • fcoe (0x8906)—EtherType value FCoE

  • fip (0x8914)—EtherType value FIP

  • ipv4 (0x0800)—EtherType value IPv4

  • ipv6 (0x08DD)—EtherType value IPv6

  • mpls-multicast (0x8848)—EtherType value MPLS multicast

  • mpls-unicast (0x8847)—EtherType value MPLS unicast

  • oam (0x88A8)—EtherType value OAM

  • ppp (0x880B)—EtherType value PPP

  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage

  • sna (0x80D5)—EtherType value SNA

Ingress ports and VLANs.

Egress ports and VLANs.

egress-to-ingress

Include this option to increase the number of egress VLAN firewall filter terms from 1024 to 2048.

Egress VLAN IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

exp

Match on MPLS EXP bits.

Ingress MPLS interfaces.

Egress MPLS interfaces.

fragment-flags value

IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed):

  • is-fragment

  • dont-fragment (0x4000)

  • more-fragments (0x2000)

  • reserved (0x8000)

Ingress ports and VLANs.

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • redirect—redirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

  • time-exceeded—ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

  • IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

hop-limit value

Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255.

Ingress and egress IPv6 (inet6) interfaces.

Note: Not supported in the egress direction on the QFX3500, QFX3600, QFX5100, QFX5120, QFX5110, QFX5200, and QFX5210 switches.

icmp-type value

ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), destination-unreachable (3), source-quench (4), redirect (5), echo-request (8), router-advertisement (9), router-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also the icmp-code match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

interface interface-name

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.

Note: An interface from which a packet is sent cannot be used as a match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports and VLANs.

ip6-destination-address address

IPv6 address that is the final destination node address for the packet.

Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.)

ip-options

Specify any to create a match if anything is specified in the options field in the IP header.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-protocol number

IP protocol field.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs.

ip6-source-address address

IPv6 address of the source node sending the packet.

Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.)

ip-version address

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs.

is-fragment

Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

l2-encap-type llc-non-snap

Match on logical link control (LLC) layer packets with the non-Subnetwork Access Protocol (non-SNAP) Ethernet encapsulation type.

Ingress ports and VLANs.

Egress ports and VLANs.

label

Match on MPLS label bits.

Ingress MPLS interfaces.

Egress MPLS interfaces.

learn-vlan-id number

Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). The acceptable values are 1-4095.

Note: Not supported on QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, EX4650 switches. Use the user-vlan-id match condition to match the outer VLAN ID.

Ingress ports and VLANs.

Egress ports and VLANs.

next-header

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

packet-length

Packet length in bytes. You must enter a value between 0 and 65535.

Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

payload-protocol

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Note: Not supported on the QFX3500, QFX3600, QFX5100, QFX5110, QFX5200, QFX5210 switches.

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also be used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

  • routine (0)

  • priority (1)

  • immediate (2)

  • flash (3)

  • flash-override (4)

  • critical-ecp (5)

  • internet-control (6)

  • net-control (7)

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

protocol type

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress ports, VLANs and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

rat-type tech-type-value

Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network. Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.

  • Numeric value 1 matches IEEE 802.3.

  • Numeric value 2 matches IEEE 802.11a/b/g.

  • Numeric value 3 matches IEEE 802.16e

  • Numeric value 4 matches IEEE 802.16m.

  • Text string eutran matches 4G.

  • Text string geran matches 2G.

  • Text string utran matches 3G.

Egress and ingress IPv4 (inet) interfaces.

sample

Sample the packet traffic. Apply this option only if you have enabled traffic sampling.

Egress and ingress IPv4 (inet) interfaces.

source-address ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

source-port value

TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

source-port range-optimize range

Match one or more ranges of TCP or UDP source ports while using the available filter memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.)

Ingress IPv4 (inet) interfaces.

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-established

Matches packets of an established TCP connection (three-way handshake: SYN, SYN-ACK, ACK). The only packet not matched is the first packet of the handshake, because only the SYN bit is set in that packet. To match that packet, use the tcp-initial match condition instead.

When you specify tcp-established, the switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-flags value

One or more TCP flags:

  • ack (0x10)

  • fin (0x01)

  • push (0x08)

  • rst (0x04)

  • syn (0x02)

  • urgent (0x20)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-initial

Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set.

When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

traffic-class

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

user-vlan-1p-priority value

Matches the specified 802.1p VLAN priority in the range 0-7.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

user-vlan-id number

Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095.

Note: QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, EX4650 switches do not support the learn-vlan-id match condition, so use this match condition to match the ID of the outer VLAN on those switches.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.
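The tcp-established and tcp-initial entries in Table 1 both warn that the switch does not implicitly check the protocol, so every term using them also needs protocol tcp. The configuration below is an added example illustrating that rule together with the reject tcp-reset action from Table 2; it is not from this page or from Juniper. The filter name, term names, counter name, and interface xe-0/0/1 are constructed. Without protocol tcp in the from statement, a tcp-established or tcp-initial term would evaluate the flag bits without first confirming that the packet is TCP at all.

```junos
firewall {
    family inet {
        filter tcp-inbound-policy {
            /* Every packet after the initial SYN of a connection. protocol tcp is
               mandatory: tcp-established on its own does not verify the protocol. */
            term established-tcp {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* New connections (SYN set, ACK clear) are allowed only to the web ports. */
            term new-tcp-to-web {
                from {
                    protocol tcp;
                    tcp-initial;
                    destination-port [ http https ];
                }
                then accept;
            }
            /* Any other connection attempt is counted and answered with a TCP reset.
               reject is an ingress-only action, so this filter is applied as input. */
            term new-tcp-other {
                from {
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    count tcp-new-rejected;
                    reject tcp-reset;
                }
            }
            /* Non-TCP traffic is not the concern of this filter. */
            term non-tcp {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input tcp-inbound-policy;
                }
            }
        }
    }
}
```

Because the established-tcp term comes first, return traffic for sessions opened from behind the interface is accepted before any SYN-only packet is examined; only genuinely new inbound connection attempts reach the reject term.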

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Table 2: Actions for Firewall Filters

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

Note: The reject action is supported on ingress interfaces only.

routing-instance instance-name

Forward matched packets to a virtual routing instance.

vlan VLAN-name

Forward matched packets to a specific VLAN.

Note: The vlan action is supported on ingress interfaces only.

Note: This action is not supported on OCX series switches.

You can also specify the action modifiers listed in Table 3 to count, mirror, rate-limit, and classify packets.

Table 3: Action Modifiers for Firewall Filters

Action Modifier

Description

analyzer analyzer-name

(Non-ELS platforms) Mirror traffic (copy packets) to an analyzer configured at the [edit ethernet-switching-options analyzer] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

count counter-name

Count the number of packets that match the term.

decapsulate [gre | routing-instance]

De-encapsulate GRE packets or forward de-encapsulated GRE packets to the specified routing instance.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note: To configure a forwarding class, you must also configure loss priority.

interface

Switch the traffic to the specified interface without performing a lookup on it. This action is valid only when the filter is applied on ingress.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

Note: The log action modifier is supported on ingress interfaces only.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note: The loss-priority action modifier is supported on ingress interfaces only.

Note: The loss-priority action modifier is not supported in combination with the policer action.

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

You can specify a policer for ingress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters.

Note: The policer action modifier is not supported in combination with the loss-priority action.

port-mirror

(ELS platforms) Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

port-mirror-instance port-mirror-instance-name

(ELS platforms) Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

Note: This action modifier is not supported on OCX series switches.

syslog

Log an alert for this packet.

Note: The syslog action modifier is supported on ingress interfaces only.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters.

Note: The policer action modifier is not supported in combination with the loss-priority action.
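The following configuration is an added example of combining the action modifiers in Table 3 in a way that respects two of the table's notes: forwarding-class must be paired with loss-priority, and loss-priority cannot be combined with policer, so classification and rate limiting are kept in separate terms. It is not from this page or from Juniper. The policer name and its limits, the filter and term names, the counter name, and the interface xe-0/0/1 are constructed.

```junos
firewall {
    /* Rate limiter applied by the filter below (constructed values). Traffic above
       the limit is dropped by the policer; the rest continues to the term's action. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter classify-and-limit {
            /* Rate-limit ICMP. No loss-priority here: it is not supported with policer. */
            term ratelimit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    count icmp-seen;
                    accept;
                }
            }
            /* Classify BGP into the network-control forwarding class. forwarding-class
               requires loss-priority, so both modifiers are set; no policer in this term. */
            term classify-bgp {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/1 {
        unit 0 {
            family inet {
                /* loss-priority is an ingress-only modifier, so the filter is applied as input. */
                filter {
                    input classify-and-limit;
                }
            }
        }
    }
}
```

The count modifier in the ICMP term tallies packets that matched the term, regardless of whether the policer later discarded them, so comparing that counter against the policer's own statistics shows how much of the ICMP load exceeded the limit.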

Firewall Filter Match Conditions and Actions (QFX5220)

This topic describes the supported firewall filter match conditions, actions, and action modifiers for the QFX5220-CD and QFX5220-128C switches.

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, a switch takes the action specified in the term. If no match conditions are applied, the switch accepts the packet by default.

  • Table 4 shows the match conditions for IPv4 (inet) and IPv6 (inet6) interfaces, and the match conditions for ports and VLANs (ethernet-switching).

  • Table 5 shows the actions and action modifiers that you can specify in a term.

Note: For match conditions, some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

Table 4: Supported Match Conditions (QFX5220 Switches)

Match Condition

Description

Direction and Interface

arp-type

ARP request packet or ARP reply packet.

Ingress and egress ports and VLANs.

destination-address ip-address

IP destination address field, which is the address of the final destination node.

Ingress and egress IPv4 and IPv6 interfaces.

Ingress ports and VLANs.

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

Ingress and egress ports and VLANs.

destination-port value

TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813), radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.

destination-port range-optimize range

Match one or more ranges of TCP or UDP destination ports while using the available filter memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.)

Ingress IPv4 interfaces.

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress and egress IPv4 and IPv6 interfaces.

Ingress ports and VLANs.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7

Ingress and egress IPv4 interfaces.

Ingress ports and VLANs.

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • aarp (0x80F3)—EtherType value AARP

  • appletalk (0x809B)—EtherType value AppleTalk

  • arp (0x0806)—EtherType value ARP

  • fcoe (0x8906)—EtherType value FCoE

  • fip (0x8914)—EtherType value FIP

  • ipv4 (0x0800)—EtherType value IPv4

  • ipv6 (0x08DD)—EtherType value IPv6

  • mpls-multicast (0x8848)—EtherType value MPLS multicast

  • mpls-unicast (0x8847)—EtherType value MPLS unicast

  • oam (0x88A8)—EtherType value OAM

  • ppp (0x880B)—EtherType value PPP

  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage

  • sna (0x80D5)—EtherType value SNA

Ingress and egress ports and VLANs.

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • redirect—redirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

  • time-exceeded—ttl-eq-zero-during-transit (0), ttl-eq-zero-during-reassembly (1)

  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

  • IPv6: destination-unreachable—no-route-to-destination (0), administratively-prohibited (1), address-unreachable (3), port-unreachable (4)

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.

icmp-type value

ICMP message type field. Typically, you specify this match along with the protocol match statement so that the type value is only compared against ICMP packets. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), unreachable (3), source-quench (4), redirect (5), echo-request (8), router-advertisement (9), router-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also icmp-code variable.

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.
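The following filter is an added example and is not part of the original page. It uses icmp-type together with icmp-code (which is only meaningful with an icmp-type) to admit the ICMPv4 messages a host network normally needs, and to count and drop the ones that are commonly abused, ICMP redirects in particular. The interface name and the counter names are assumptions, and lines beginning with # are commentary, not configuration:

```junos
# Added example: constrain inbound ICMPv4 on a routed interface.
# Interface et-0/0/10 and the counter names are assumptions.
#
# Path MTU discovery needs type 3 / code 4 (unreachable, fragmentation-needed).
set firewall family inet filter icmp-in term allow-pmtud from protocol icmp
set firewall family inet filter icmp-in term allow-pmtud from icmp-type unreachable
set firewall family inet filter icmp-in term allow-pmtud from icmp-code fragmentation-needed
set firewall family inet filter icmp-in term allow-pmtud then accept
# Traceroute replies: type 11 / code 0.
set firewall family inet filter icmp-in term allow-ttl-exceeded from protocol icmp
set firewall family inet filter icmp-in term allow-ttl-exceeded from icmp-type time-exceeded
set firewall family inet filter icmp-in term allow-ttl-exceeded from icmp-code ttl-eq-zero-during-transit
set firewall family inet filter icmp-in term allow-ttl-exceeded then accept
# Echo request/reply (types 8 and 0); a bracketed list matches either value.
set firewall family inet filter icmp-in term allow-echo from protocol icmp
set firewall family inet filter icmp-in term allow-echo from icmp-type [ echo-request echo-reply ]
set firewall family inet filter icmp-in term allow-echo then accept
# ICMP redirects (type 5) can rewrite a host's routing table: count and drop them.
set firewall family inet filter icmp-in term drop-redirect from protocol icmp
set firewall family inet filter icmp-in term drop-redirect from icmp-type redirect
set firewall family inet filter icmp-in term drop-redirect then count icmp-redirect-dropped
set firewall family inet filter icmp-in term drop-redirect then discard
# Any other ICMP is dropped; non-ICMP traffic falls through to the final term.
set firewall family inet filter icmp-in term drop-other-icmp from protocol icmp
set firewall family inet filter icmp-in term drop-other-icmp then count icmp-other-dropped
set firewall family inet filter icmp-in term drop-other-icmp then discard
set firewall family inet filter icmp-in term allow-rest then accept
set interfaces et-0/0/10 unit 0 family inet filter input icmp-in
```

Terms are evaluated in order and the first matching term wins, so the specific allow terms must precede the drop-other-icmp term. The protocol icmp condition is repeated in every ICMP term because each term is matched independently. Use show firewall filter icmp-in to read the counters after applying the filter.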

interface interface-name

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.



Note: An interface from which a packet is sent cannot be used as a match condition.

Egress IPv4 interfaces.

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports and VLANs.

ip-options

Specify any to match packets that carry any option in the IPv4 header options field. Packets with IP options (for example, source routing) are rarely legitimate on production networks and are commonly discarded at the network edge.

Ingress IPv4 interfaces.

ip-protocol number

IP protocol field.

Ingress ports and VLANs.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports and VLANs.

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs.

ip-version (ipv4 | ipv6)

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs.

next-header

IPv6 Next Header field, which carries the same protocol numbers as the IPv4 protocol field. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress and egress IPv6 interfaces.

packet-length

Packet length in bytes. You must enter a value between 0 and 65535.

Ingress IPv4 and IPv6 interfaces.

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also be used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

  • routine (0)

  • priority (1)

  • immediate (2)

  • flash (3)

  • flash-override (4)

  • critical-ecp (5)

  • internet-control (6)

  • net-control (7)

Ingress and egress IPv4 interfaces.

protocol type

IP protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress and egress IPv4 interfaces.

Ingress ports and VLANs.

source-address ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress and egress ports and VLANs.

source-port value

TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.

source-port range-optimize range

Match a range of TCP or UDP source ports while using the available filter memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.)

Ingress IPv4 interfaces.

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.

tcp-flags value

TCP flags (only one value is supported):

  • ack (0x10)

  • fin (0x01)

  • push (0x08)

  • rst (0x04)

  • syn (0x02)

  • urgent (0x20)

Ingress and egress IPv4 interfaces.

Ingress IPv6 interfaces.

Ingress ports and VLANs.
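The following filter is an added example and is not part of the original page. It ties source-prefix-list, destination-port and tcp-flags together so that only hosts in a management prefix list can open TCP connections to SSH on this interface. Because the page states that only a single tcp-flags value is supported on these switches, the match is on syn alone and the ordering of the terms does the rest. The prefixes, interface name and counter name are assumptions, and lines beginning with # are commentary, not configuration:

```junos
# Added example: restrict who may open SSH connections through this interface.
# Prefixes, interface et-0/0/0 and the counter name are assumptions.
#
# The prefix list lives under [edit policy-options] and can be reused by many filters.
set policy-options prefix-list mgmt-hosts 192.0.2.0/28
set policy-options prefix-list mgmt-hosts 198.51.100.7/32
# Term 1: a SYN to port 22 from a management host is accepted.
set firewall family inet filter protect-ssh term mgmt-ssh-syn from source-prefix-list mgmt-hosts
set firewall family inet filter protect-ssh term mgmt-ssh-syn from protocol tcp
set firewall family inet filter protect-ssh term mgmt-ssh-syn from destination-port ssh
set firewall family inet filter protect-ssh term mgmt-ssh-syn from tcp-flags syn
set firewall family inet filter protect-ssh term mgmt-ssh-syn then accept
# Term 2: any other SYN to port 22 is counted and silently dropped.
# Only one tcp-flags value can be given on these switches, so the protocol
# and destination-port conditions carry the rest of the match.
set firewall family inet filter protect-ssh term other-ssh-syn from protocol tcp
set firewall family inet filter protect-ssh term other-ssh-syn from destination-port ssh
set firewall family inet filter protect-ssh term other-ssh-syn from tcp-flags syn
set firewall family inet filter protect-ssh term other-ssh-syn then count ssh-syn-dropped
set firewall family inet filter protect-ssh term other-ssh-syn then discard
# Term 3: everything else, including the non-SYN segments of established
# SSH sessions, is accepted.
set firewall family inet filter protect-ssh term allow-rest then accept
set interfaces et-0/0/0 unit 0 family inet filter input protect-ssh
```

This is a stateless filter: non-SYN segments to port 22 from any source still pass through the final term. That is enough to prevent a connection from being established, since the handshake cannot complete without the SYN, but it does not stop ACK or RST probes against the port. tcp-flags syn also matches SYN-ACK segments; that is harmless here because a SYN-ACK arriving with destination port 22 would have to be answering a connection the switch itself initiated from port 22.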

traffic-class

8-bit field in the IPv6 header that specifies the class-of-service (CoS) priority of the packet and carries the DiffServ code point (DSCP) value. The traffic-class field corresponds to the type-of-service (ToS) field in IPv4, and its semantics (for example, DSCP) are the same as for IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress and egress IPv6 interfaces.

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress and egress IPv4 interfaces.

user-vlan-id number

Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095.

Note: The switches do not support the learn-vlan-id match condition, so use this match condition to match the ID of the outer VLAN on those switches.

Ingress and egress ports and VLANs.

user-vlan-1p-priority value

Matches the specified 802.1p VLAN priority in the range 0-7.

Ingress and egress ports and VLANs.
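The following Layer 2 port filter is an added example and is not part of the original page. It combines ether-type and source-mac-address, both of which the table lists for ingress ports and VLANs: an access port accepts only ARP and IPv4 frames from one known station and drops everything else, which keeps stray protocols (for example, a rogue host bringing up PPPoE or FCoE on the port) off the network. The MAC address, interface name and counter name are assumptions, and lines beginning with # are commentary, not configuration:

```junos
# Added example: lock an access port to one station and two EtherTypes.
# MAC address, interface ge-0/0/5 and the counter name are assumptions.
#
# Only ARP and IPv4 frames from the known station are accepted.
set firewall family ethernet-switching filter lock-port term known-arp from source-mac-address 00:10:94:00:00:01
set firewall family ethernet-switching filter lock-port term known-arp from ether-type arp
set firewall family ethernet-switching filter lock-port term known-arp then accept
set firewall family ethernet-switching filter lock-port term known-ipv4 from source-mac-address 00:10:94:00:00:01
set firewall family ethernet-switching filter lock-port term known-ipv4 from ether-type ipv4
set firewall family ethernet-switching filter lock-port term known-ipv4 then accept
# Any other source MAC or EtherType (IPv6, PPPoE, FCoE, ...) is counted and dropped.
set firewall family ethernet-switching filter lock-port term drop-rest then count lock-port-dropped
set firewall family ethernet-switching filter lock-port term drop-rest then discard
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input lock-port
```

Because the accept terms name ether-type ipv4 explicitly, IPv6 from the known station is also dropped; add a term with ether-type ipv6 if the station is dual-stacked. The counter on the final term is the quickest way to notice a replaced or misconfigured device on the port.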

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 5 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Note

For egress IPv4 interfaces, IPv6 interfaces, and egress ports, you can only apply the accept, discard, and count actions. For egress VLANs, you can only apply the accept action.

Table 5: Actions and Action Modifiers

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

count counter-name

Count the number of packets that match the term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note: To configure a forwarding class, you must also configure loss priority.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note: The loss-priority action modifier is supported on ingress IPv4 interfaces only.

Note: The loss-priority action modifier is not supported in combination with the policer action.

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

Note: The policer action modifier is not supported in combination with the loss-priority action.

port-mirror

Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

port-mirror-instance port-mirror-instance-name

Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

Note: The reject action is supported on ingress IPv4 interfaces only.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

Note: The three-color-policer action modifier is not supported in combination with the loss-priority action.

Note: Color-aware three-color policers are not supported; traffic is treated as color-blind.

vlan VLAN-name

Forward matched packets to a specific VLAN.

Note: The vlan action is only supported on ingress ports and VLANs.
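The following filter is an added example and is not part of the original page. It exercises the action modifiers in Table 5 on an ingress IPv4 interface: a policer for ICMP, forwarding-class with loss-priority to demote untrusted traffic that arrives marked cs6 or cs7 (using the dscp match condition), and reject with an explicit message type alongside log and count. Because policer and loss-priority cannot be combined in one term, they appear in separate terms. The policer parameters, interface name and counter names are assumptions, and lines beginning with # are commentary, not configuration:

```junos
# Added example: action modifiers on an ingress inet filter.
# Policer parameters, interface et-0/0/1 and the counter names are assumptions.
#
# Policer: ICMP above 1 Mbps (15 KB burst) is discarded.
set firewall policer icmp-1m if-exceeding bandwidth-limit 1m
set firewall policer icmp-1m if-exceeding burst-size-limit 15k
set firewall policer icmp-1m then discard
# Term 1: rate-limit ICMP (policer cannot be combined with loss-priority).
set firewall family inet filter edge-in term limit-icmp from protocol icmp
set firewall family inet filter edge-in term limit-icmp then policer icmp-1m
set firewall family inet filter edge-in term limit-icmp then count icmp-in
set firewall family inet filter edge-in term limit-icmp then accept
# Term 2: untrusted hosts marking cs6/cs7 must not land in the network-control
# queue; reclassify to best-effort (forwarding-class requires loss-priority).
set firewall family inet filter edge-in term demote-cs6-cs7 from dscp [ cs6 cs7 ]
set firewall family inet filter edge-in term demote-cs6-cs7 then forwarding-class best-effort
set firewall family inet filter edge-in term demote-cs6-cs7 then loss-priority high
set firewall family inet filter edge-in term demote-cs6-cs7 then accept
# Term 3: telnet is refused with an explicit ICMP type 3 message, logged and counted.
set firewall family inet filter edge-in term reject-telnet from protocol tcp
set firewall family inet filter edge-in term reject-telnet from destination-port telnet
set firewall family inet filter edge-in term reject-telnet then log
set firewall family inet filter edge-in term reject-telnet then count telnet-rejected
set firewall family inet filter edge-in term reject-telnet then reject administratively-prohibited
# Term 4: default accept.
set firewall family inet filter edge-in term allow-rest then accept
set interfaces et-0/0/1 unit 0 family inet filter input edge-in
```

Two points to keep in mind. The forwarding-class action changes the queue the packet is placed in on this switch but does not rewrite the DSCP bits, so a downstream device still sees cs6 unless it classifies on its own. And reject tells the sender that a filter exists, whereas discard is silent; on an untrusted edge, discard with a counter is usually the better default, with reject reserved for cases where clients should fail fast. Use show firewall filter edge-in for the counters and policer statistics, and show firewall log for the headers recorded by the log action.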