You can force filter processing to occur in a particular order by using the precedence statement. You specify a precedence for input and output filters within a dynamic profile at the [edit dynamic-profiles family profile-name interfaces interface-name unit logical-unit-numberfamily family] and [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family family] hierachy level.
The precedence range is from 0 to 250. Setting a lower precedence value for a filter gives it a higher precedence within the dynamic profile. A precedence of zero (the default) gives the filter the highest precedence. If no precedence is specified, the filter receives a precedence of zero (highest precedence). Filters with matching precedence (zero or otherwise) are applied in random order.
Before you define a precedence for a filter in a dynamic profile.
See the JUNOS Policy Framework Configuration Guide for detailed information about firewall filters and how to create them.
See Dynamically Attaching Statically Created Filters or Dynamically Attaching Filters Using RADIUS Variables.
To define a precedence for an input and output filter:
- [edit dynamic-profiles access-profile interfaces ge-1/1/1
unit 1 family inet filter]
- user@host# set filter input precedence 50
- [edit dynamic-profiles access-profile interfaces ge-1/1/1
unit 1 family inet filter]
- user@host# set filter output precedence 5