[edit firewall] Hierarchy Level
Several statements in the [edit firewall] hierarchy are valid at numerous locations within
the hierarchy. To make the complete hierarchy easier to read, the
repeated statements are listed in the following sections, which are
referenced at the appropriate locations in Complete [edit firewall] Hierarchy.
Common Firewall Actions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family (any | bridge | ccc | inet | inet6 | mpls | vpls) filter filter-name term term-name then]
- [edit firewall filter filter-name term term-name then]
The common firewall actions are as follows:
    count counter-name;
    forwarding-class class-name;
    loss-priority (high | low | medium-high | medium-low);
    next term;
    policer policer-name;
    three-color-policer policer-name {
        (single-rate single-rate-policer-name | two-rate two-rate-policer-name);
    }
Common IP Firewall Actions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family inet filter filter-name term term-name then]
- [edit firewall family inet6 filter filter-name term term-name then]
- [edit firewall filter filter-name term term-name then]
The common IP firewall actions are as follows:
    log;
    logical-system logical-system-name <routing-instance routing-instance-name> <topology topology-name>;
    port-mirror;
    routing-instance routing-instance-name <topology topology-name>;
    sample;
    syslog;
    topology topology-name;
Common IPv4 Firewall Actions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family inet filter filter-name term term-name then]
- [edit firewall filter filter-name term term-name then]
The common IP version 4 (IPv4) firewall actions are as follows:
    (accept | discard <accounting collector-name> | reject <administratively-prohibited | bad-host-tos | bad-network-tos | fragmentation-needed | host-prohibited | host-unknown | host-unreachable | network-prohibited | network-unknown | network-unreachable | port-unreachable | precedence-cutoff | precedence-violation | protocol-unreachable | source-host-isolated | source-route-failed | tcp-reset>);
    ipsec-sa sa-name;
    load-balance sa-name;
    next-hop-group group-name;
    prefix-action action-name;
Common IP Firewall Match Conditions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family inet dialer-filter filter-name term term-name from] (with the exceptions noted at this level in Complete [edit firewall] Hierarchy)
- [edit firewall family inet filter filter-name term term-name from]
- [edit firewall family inet6 filter filter-name term term-name from]
- [edit firewall filter filter-name term term-name from]
The common IP firewall match conditions are as follows:
    address ip-prefix</prefix-length>;
    destination-address ip-prefix</prefix-length>;
    (destination-class [ class-names ] | destination-class-except [ class-names ]);
    (destination-port [ port-names ] | destination-port-except [ port-names ]);
    destination-prefix-list list-name;
    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
    (icmp-code [ codes ] | icmp-code-except [ codes ]);
    (icmp-type [ types ] | icmp-type-except [ types ]);
    interface interface-name;
    (interface-group [ group-names ] | interface-group-except [ group-names ]);
    interface-set set-name;
    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
    (packet-length [ values ] | packet-length-except [ values ]);
    (port [ port-names ] | port-except [ port-names ]);
    prefix-list list-name;
    source-address ip-prefix</prefix-length>;
    (source-class [ class-names ] | source-class-except [ class-names ]);
    (source-port [ port-names ] | source-port-except [ port-names ]);
    source-prefix-list list-name;
    tcp-established;
    tcp-flags flag;
    tcp-initial;
Common IPv4 Firewall Match Conditions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family inet dialer-filter filter-name term term-name from] (with the exceptions noted at this level in Complete [edit firewall] Hierarchy)
- [edit firewall family inet filter filter-name term term-name from]
- [edit firewall filter filter-name term term-name from]
The common IPv4 firewall match conditions are as follows:
    (ah-spi [ values ] | ah-spi-except [ values ]);
    (dscp [ code-point-values ] | dscp-except [ code-point-values ]);
    (esp-spi [ values ] | esp-spi-except [ values ]);
    first-fragment;
    fragment-flags flag;
    (fragment-offset [ offsets ] | fragment-offset-except [ offsets ]);
    (ip-options [ option-names ] | ip-options-except [ option-names ]);
    is-fragment;
    (precedence [ precedence-names ] | precedence-except [ precedence-names ]);
    (protocol [ protocol-names ] | protocol-except [ protocol-names ]);
    (ttl [ ttl-values ] | ttl-except [ ttl-values ]);
Common Layer 2 Firewall Match Conditions
This section lists statements that are valid at
the following hierarchy levels, and is referenced at those levels
in Complete [edit firewall] Hierarchy instead of the statements being repeated.
- [edit firewall family bridge filter filter-name term term-name from]
- [edit firewall family vpls filter filter-name term term-name from]
The common Layer 2 firewall match conditions are as follows:
    destination-mac-address mac-address;
    (destination-port [ port-names ] | destination-port-except [ port-names ]);
    (dscp [ code-point-values ] | dscp-except [ code-point-values ]);
    (ether-type [ protocol-types ] | ether-type-except [ protocol-types ]);
    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
    (icmp-code [ codes ] | icmp-code-except [ codes ]);
    (icmp-type [ types ] | icmp-type-except [ types ]);
    (interface-group [ group-names ] | interface-group-except [ group-names ]);
    ip-address ip-prefix</prefix-length>;
    ip-destination-address ip-prefix</prefix-length>;
    (ip-precedence [ precedence-names ] | ip-precedence-except [ precedence-names ]);
    (ip-protocol [ protocol-names ] | ip-protocol-except [ protocol-names ]);
    ip-source-address ip-prefix</prefix-length>;
    (learn-vlan-1p-priority [ priorities ] | learn-vlan-1p-priority-except [ priorities ]);
    (learn-vlan-id [ vlan-ids ] | learn-vlan-id-except [ vlan-ids ]);
    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
    (port [ port-names ] | port-except [ port-names ]);
    source-mac-address mac-address;
    (source-port [ port-names ] | source-port-except [ port-names ]);
    tcp-flags flag;
    (traffic-type [ broadcast known-unicast multicast unknown-unicast ] | traffic-type-except [ broadcast known-unicast multicast unknown-unicast ]);
    (user-vlan-1p-priority [ priorities ] | user-vlan-1p-priority-except [ priorities ]);
    (user-vlan-id [ vlan-ids ] | user-vlan-id-except [ vlan-ids ]);
    (vlan-ether-type [ protocol-types ] | vlan-ether-type-except [ protocol-types ]);
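As an added example (not part of this reference page), the following family inet filter is assembled only from statements listed in the common sections above: match conditions from Common IP and Common IPv4 Firewall Match Conditions, actions from Common Firewall, Common IP and Common IPv4 Firewall Actions. The filter name, term names, counter names and the 192.0.2.0/24 management prefix are constructed for illustration.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Constructed: SSH to the device only from the management prefix */
            term allow-ssh-from-mgmt {
                from {
                    /* source-address, protocol and destination-port are common match conditions */
                    source-address 192.0.2.0/24;
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* count (Common Firewall Actions) and accept (Common IPv4 Firewall Actions) */
                    count mgmt-ssh-accepted;
                    accept;
                }
            }
            /* tcp-established (Common IP match) admits only replies to sessions the device opened */
            term allow-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Final term: everything else is counted, logged and discarded so drops are visible */
            term deny-and-log {
                then {
                    count other-discarded;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
```

Junos applies an implicit discard after the last term of a filter; the explicit final term exists so that the dropped traffic is counted and logged rather than silently dropped.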
Complete [edit firewall] Hierarchy
    firewall {
        family (any | bridge | ccc | inet | inet6 | mpls | vpls) {
            ... the family subhierarchies appear after the main [edit firewall] hierarchy ...
        }
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            physical-interface-policer;
            term term-name {
                filter filter-name;
                from {
                    ... statements in Common IP Firewall Match Conditions AND ...
                    ... statements in Common IPv4 Firewall Match Conditions ...
                }
                then {
                    ... statements in Common Firewall Actions AND ...
                    ... statements in Common IP Firewall Actions AND ...
                    ... statements in Common IPv4 Firewall Actions PLUS the following statement ...
                    service-filter-hit;
                }
            }
        }
        hierarchical-policer policer-name {
            aggregate {
                if-exceeding {
                    bandwidth-limit bps;
                    burst-size-limit bytes;
                }
                then {
                    discard;
                    forwarding-class class-name;
                    loss-priority (high | low | medium-high | medium-low);
                }
            }
            premium {
                if-exceeding {
                    bandwidth-limit bps;
                    burst-size-limit bytes;
                }
                then {
                    discard;
                }
            }
        }
        interface-set interface-set-name {
            interface-name;
        }
        load-balance-group group-name {
            next-hop-group [ group-names ];
        }
        policer policer-name {
            filter-specific;
            if-exceeding {
                bandwidth-limit bps;
                bandwidth-percent number;
                burst-size-limit bytes;
            }
            logical-bandwidth-policer;
            logical-interface-policer;
            physical-interface-policer;
            then {
                discard;
                forwarding-class class-name;
                loss-priority (high | low | medium-high | medium-low);
            }
        }
        three-color-policer policer-name {
            action {
                loss-priority high then discard;
            }
            logical-interface-policer;
            single-rate {
                (color-aware | color-blind);
                committed-burst-size bytes;
                committed-information-rate bps;
                excess-burst-size bytes;
            }
            two-rate {
                (color-aware | color-blind);
                committed-burst-size bytes;
                committed-information-rate bps;
                peak-burst-size bytes;
                peak-information-rate bps;
            }
        }
    }

    firewall {
        family any {
            filter filter-name {
                term term-name {
                    from {
                        (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                        interface interface-name;
                        interface-set set-name;
                        (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                        (packet-length [ values ] | packet-length-except [ values ]);
                    }
                    then {
                        ... statements in Common Firewall Actions PLUS the following statements ...
                        (accept | discard);
                    }
                }
            }
        }
    }

    firewall {
        family bridge {
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        ... statements in Common Layer 2 Firewall Match Conditions ...
                    }
                    then {
                        ... statements in Common Firewall Actions PLUS the following statements ...
                        (accept | discard);
                        port-mirror;
                    }
                }
            }
        }
    }

    firewall {
        family ccc {
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                        (interface-group [ group-names ] | interface-group-except [ group-names ]);
                        (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                    }
                    then {
                        ... statements in Common Firewall Actions PLUS the following statements ...
                        (accept | discard);
                    }
                }
            }
        }
    }

    firewall {
        family inet {
            dialer-filter filter-name {
                accounting-profile [ profile-names ];
                term term-name {
                    from {
                        ... statements in Common IP Firewall Match Conditions AND ...
                        ... statements in Common IPv4 Firewall Match Conditions EXCEPT FOR the following statements ...
                        (ah-spi [ values ] | ah-spi-except [ values ]); # NOT valid at this hierarchy level
                        (destination-class [ class-names ] | destination-class-except [ class-names ]); # NOT valid at this hierarchy level
                        interface interface-name; # NOT valid at this hierarchy level
                        (loss-priority [ priorities ] | loss-priority-except [ priorities ]); # NOT valid at this hierarchy level
                        (source-class [ class-names ] | source-class-except [ class-names ]); # NOT valid at this hierarchy level
                    }
                    then {
                        (ignore | note);
                        log;
                        sample;
                        syslog;
                    }
                }
            }
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        ... statements in Common IP Firewall Match Conditions AND ...
                        ... statements in Common IPv4 Firewall Match Conditions ...
                    }
                    then {
                        ... statements in Common Firewall Actions AND ...
                        ... statements in Common IP Firewall Actions AND ...
                        ... statements in Common IPv4 Firewall Actions ...
                    }
                }
            }
            prefix-action name {
                count;
                destination-prefix-length prefix-length;
                filter-specific;
                policer policer-name;
                source-prefix-length prefix-length;
                subnet-prefix-length prefix-length;
            }
            service-filter filter-name {
                term term-name {
                    from {
                        address ip-prefix</prefix-length>;
                        (ah-spi [ values ] | ah-spi-except [ values ]);
                        destination-address ip-prefix</prefix-length>;
                        (destination-port [ port-names ] | destination-port-except [ port-names ]);
                        destination-prefix-list list-name;
                        (esp-spi [ values ] | esp-spi-except [ values ]);
                        first-fragment;
                        fragment-flags flag;
                        (fragment-offset [ offsets ] | fragment-offset-except [ offsets ]);
                        (interface-group [ group-names ] | interface-group-except [ group-names ]);
                        (ip-options [ option-names ] | ip-options-except [ option-names ]);
                        is-fragment;
                        (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                        (port [ port-names ] | port-except [ port-names ]);
                        prefix-list list-name;
                        (protocol [ protocol-names ] | protocol-except [ protocol-names ]);
                        source-address ip-prefix</prefix-length>;
                        (source-port [ port-names ] | source-port-except [ port-names ]);
                        source-prefix-list list-name;
                    }
                    then {
                        count counter-name;
                        log;
                        port-mirror;
                        sample;
                        (service | skip);
                    }
                }
            }
            simple-filter filter-name {
                interface-specific;
                term term-name {
                    from {
                        destination-address ip-prefix</prefix-length>;
                        destination-port port-name;
                        forwarding-class [ class-names ];
                        protocol protocol-name;
                        source-address ip-prefix</prefix-length>;
                        source-port port-name;
                    }
                    then {
                        forwarding-class class-name;
                        loss-priority (high | low | medium-high | medium-low);
                        policer policer-name;
                    }
                }
            }
        }
    }

    firewall {
        family inet6 {
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        ... statements in Common IP Firewall Match Conditions PLUS the following statements ...
                        (next-header [ protocol-types ] | next-header-except [ protocol-types ]);
                        (traffic-class [ code-point-values ] | traffic-class-except [ code-point-values ]);
                    }
                    then {
                        ... statements in Common Firewall Actions AND ...
                        ... statements in Common IP Firewall Actions PLUS the following statements ...
                        (accept | discard | reject <address-unreachable | administratively-prohibited | beyond-scope | fragmentation-needed | no-route | port-unreachable | tcp-reset>);
                    }
                }
            }
            service-filter filter-name {
                term term-name {
                    from {
                        address ip-prefix</prefix-length>;
                        (ah-spi [ values ] | ah-spi-except [ values ]);
                        destination-address ip-prefix</prefix-length>;
                        (destination-port [ port-names ] | destination-port-except [ port-names ]);
                        destination-prefix-list list-name;
                        (esp-spi [ values ] | esp-spi-except [ values ]);
                        (interface-group [ group-names ] | interface-group-except [ group-names ]);
                        (next-header [ protocol-types ] | next-header-except [ protocol-types ]);
                        (port [ port-names ] | port-except [ port-names ]);
                        prefix-list list-name;
                        source-address ip-prefix</prefix-length>;
                        (source-port [ port-names ] | source-port-except [ port-names ]);
                        source-prefix-list list-name;
                    }
                    then {
                        count counter-name;
                        log;
                        port-mirror;
                        sample;
                        (service | skip);
                    }
                }
            }
        }
    }

    firewall {
        family mpls {
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        (exp [ exp-bits ] | exp-except [ exp-bits ]);
                        (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                        interface interface-name;
                        interface-set set-name;
                        (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                    }
                    then {
                        ... statements in Common Firewall Actions PLUS the following statements ...
                        (accept | discard);
                        sample;
                    }
                }
            }
        }
    }

    firewall {
        family vpls {
            filter filter-name {
                accounting-profile [ profile-names ];
                interface-specific;
                term term-name {
                    filter filter-name;
                    from {
                        ... statements in Common Layer 2 Firewall Match Conditions ...
                    }
                    then {
                        ... statements in Common Firewall Actions PLUS the following statements ...
                        (accept | discard);
                        port-mirror;
                    }
                }
            }
        }
    }
Related Topics