Related Documentation
- EX Series
- Overview of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Configuring Firewall Filters
- QFabric System
- Overview of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Configuring Firewall Filters
- QFX Series standalone switches
- Overview of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Configuring Firewall Filters
Understanding How a Firewall Filter Tests a Protocol
When examining match conditions in a firewall filter, a switch tests only the fields that you specify. It does not implicitly test any field that you do not explicitly configure. For example, if you specify a match condition of source-port ssh, there is no implied test to determine whether the protocol is TCP. In this case, the switch considers any packet that has a value of 22 (decimal) in the 2-byte field that follows a presumed IP header to be a match. To ensure that the term matches only TCP packets, also specify an ip-protocol tcp match condition.
For the following match conditions, you should explicitly specify the protocol match condition in the same term:
- destination-port—Specify protocol tcp or protocol udp.
- icmp-code—Specify protocol icmp and icmp-type.
- icmp-type—Specify protocol icmp or protocol icmp6.
- source-port—Specify protocol tcp or protocol udp.
- tcp-flags—Specify protocol tcp.
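The following Python model is an added illustration, not Junos code or part of the original documentation. It reproduces the behavior described above: a term that tests only the source-port field also matches a UDP packet whose source port is 22, while a term that also tests the protocol does not. The function names and sample packets are constructed for this example.

```python
import struct

SSH_PORT = 22                 # value tested by "source-port ssh", per the text above
PROTO_TCP, PROTO_UDP = 6, 17  # IANA IP protocol numbers

def ipv4_packet(protocol, src_port, dst_port):
    """Build a constructed IPv4 packet: 20-byte header followed by two port fields."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 24, 0, 0, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + struct.pack("!HH", src_port, dst_port)

def source_port_field(packet):
    """Read the 2-byte field that follows the IP header, whatever the protocol is."""
    header_len = (packet[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    return struct.unpack_from("!H", packet, header_len)[0]

def term_port_only(packet):
    """Models a term with only 'source-port ssh': no protocol test is implied."""
    return source_port_field(packet) == SSH_PORT

def term_port_and_protocol(packet):
    """Models a term with 'source-port ssh' plus an explicit TCP protocol match."""
    return packet[9] == PROTO_TCP and source_port_field(packet) == SSH_PORT

# Constructed sample packets (documentation addresses, no payload).
SAMPLES = {
    "tcp_sport_22": ipv4_packet(PROTO_TCP, 22, 50000),
    "udp_sport_22": ipv4_packet(PROTO_UDP, 22, 50000),
    "tcp_sport_443": ipv4_packet(PROTO_TCP, 443, 50000),
}

def evaluate(packets):
    """Return {name: (port_only_match, port_and_protocol_match)} for each packet."""
    return {name: (term_port_only(p), term_port_and_protocol(p))
            for name, p in packets.items()}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:14} port-only={result[0]!s:5} port+protocol={result[1]}")
```
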

