Firewall filters provide rules that define whether to permit or deny packets that are transiting an interface on a router. The subscriber management feature supports two categories of firewall filters—classic filters and fast update filters. Classic filters are compiled at commit time and then, when a service is activated, an interface-specific clone of the filter is created and attached to a logical interface. Classic filters are static filters, and therefore cannot contain subscriber-specific terms (also called rules). Fast update filters are similar to classic filters in many ways. However, fast update filters support subscriber-specific, rather than interface-specific, filter values. Fast update filters also allow individual filter terms to be incrementally added or removed from filters without requiring that the entire filter be recompiled for each modification. Fast update filters are essential for networking environments in which multiple subscribers might share the same logical interface
You configure firewall filters to determine whether to permit or deny traffic before it enters or exits an interface to which the firewall filter is applied. An input (or ingress) firewall filter is one that is applied to packets that are entering a network. An output (or egress) firewall filter is one that is applied to packets that are exiting a network. You can configure firewall filters to subject packets to filtering or class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority).
What makes firewall filters “dynamic” is the ability of the router to apply them to interfaces dynamically. This dynamic application is performed by associating input or output dynamic filters to a dynamic profile. When triggered, a dynamic profile can apply a named filter or a filter specified in RADIUS to an interface.