Stateless Firewall Filter Actions and Action Modifiers
Table 21 and Table 22 list the actions and action modifiers you can specify in stateless firewall filter terms.
Table 21: IPv4 Stateless Firewall Filter Actions and Action Modifiers
| Action or Action Modifier | Description |
|---|---|
| accept | Accepts a packet. This is the default only when a term that has no explicit action matches the packet; a packet that matches no term in the filter is discarded. We strongly recommend that you always explicitly configure an action in the then statement. |
| discard | Discards a packet silently, without sending an ICMP message. Packets are available for logging and sampling before being discarded. |
| next term | Continues to the next term for evaluation. |
| reject message-type | Discards a packet and sends an ICMP destination unreachable message. Rejected packets are available for logging and sampling. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset and the packet is a TCP packet, a TCP reset is returned (indicating the end of a TCP flow); otherwise, nothing is returned. |
| routing-instance routing-instance | Routes the packet using the specified routing instance. |
| Action Modifiers | |
| count counter-name | Counts the number of packets passing this term. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter. |
| forwarding-class class-name | Classifies the packet to the specified forwarding class. |
| log | Logs the packet's header information in the Routing Engine. You can access this information by entering the CLI show firewall log command. |
| loss-priority priority | Sets the packet loss priority (PLP) of the packet, which drop profiles use to decide which packets to drop first under congestion. The priority can be low or high. |
| packet-mode | Sets a bit field in the packet key buffer that marks the traffic to bypass flow-based forwarding. Packets with the packet-mode action modifier follow the packet-based forwarding path and bypass flow-based forwarding completely. For more information about selective stateless packet-based services, see the Junos OS Administration Guide. |
| policer policer-name | Applies rate limits to the traffic using the named policer. |
| sample | Samples the traffic on the interface. Use this modifier only when traffic sampling is enabled. See the Junos Policy Framework Configuration Guide. |
| syslog | Records information in the system logging facility. This modifier can be combined with any action except discard. |
Table 22: IPV6 Stateless Firewall Filter Actions and Action Modifiers
| Action or Action Modifier | Description |
|---|---|
| accept | Accepts a packet. This is the default only when a term that has no explicit action matches the packet; a packet that matches no term in the filter is discarded. We strongly recommend that you always explicitly configure an action in the then statement. |
| discard | Discards a packet silently, without sending an ICMP message. Packets are available for logging and sampling before being discarded. |
| next term | Continues to the next term for evaluation. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| reject message-type | Discards a packet and sends an ICMP destination unreachable message. Rejected packets are available for logging and sampling. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset and the packet is a TCP packet, a TCP reset is returned (indicating the end of a TCP flow); otherwise, nothing is returned. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| routing-instance routing-instance | Routes the packet using the specified routing instance. In filter-based forwarding, the IPv6 filter does not identify fragmented IPv6 packets, so fragments are not steered into the specified instance; they are forwarded in the same routing instance as normal packets. |
| Action Modifiers | |
| count counter-name | Counts the number of packets passing this term. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| loss-priority priority | Sets the packet loss priority (PLP) of the packet, which drop profiles use to decide which packets to drop first under congestion. The priority can be low, high, medium-high, or medium-low. |
| log | Logs the packet's header information in the Routing Engine. You can access this information by entering the CLI show firewall log command. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| forwarding-class class-name | Classifies the packet to the specified forwarding class. |
| policer policer-name | Applies rate limits to the traffic using the named policer. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| syslog | Records information in the system logging facility. This modifier can be combined with any action except discard. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
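The following configuration exercises the actions and modifiers from Table 21 and Table 22 together. It is an added example, not configuration from the Junos documentation or from any shipping device. The interface (ge-0/0/0), the RFC 5737/3849 documentation prefixes, and the policer, counter, filter, RIB-group and routing-instance names are all assumptions chosen for illustration; comment lines are annotations for the reader.

```junos
# Added example, not from the original page. Interface, prefix, policer and
# routing-instance names are assumptions made for illustration.

# Policer referenced by the first term: 1 Mbps with a 100 KB burst, excess discarded.
set firewall policer mgmt-ssh-limit if-exceeding bandwidth-limit 1m
set firewall policer mgmt-ssh-limit if-exceeding burst-size-limit 100k
set firewall policer mgmt-ssh-limit then discard

# Term 1: SSH from the management prefix is rate-limited, counted, classified
# into the default network-control forwarding class and accepted.
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh from source-address 192.0.2.0/24
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh from protocol tcp
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh then policer mgmt-ssh-limit
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh then count mgmt-ssh-ok
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh then forwarding-class network-control
set firewall family inet filter untrust-in-v4 term allow-mgmt-ssh then accept

# Term 2: any other SSH is recorded in the RE log (show firewall log), sent to
# syslog, and answered with a TCP RST instead of an ICMP unreachable.
set firewall family inet filter untrust-in-v4 term reset-other-ssh from protocol tcp
set firewall family inet filter untrust-in-v4 term reset-other-ssh from destination-port ssh
set firewall family inet filter untrust-in-v4 term reset-other-ssh then count ssh-rejected
set firewall family inet filter untrust-in-v4 term reset-other-ssh then log
set firewall family inet filter untrust-in-v4 term reset-other-ssh then syslog
set firewall family inet filter untrust-in-v4 term reset-other-ssh then reject tcp-reset

# Term 3: filter-based forwarding; the guest prefix is routed in instance guest-vr.
set firewall family inet filter untrust-in-v4 term guest-fbf from source-address 198.51.100.0/24
set firewall family inet filter untrust-in-v4 term guest-fbf then count guest-fbf
set firewall family inet filter untrust-in-v4 term guest-fbf then routing-instance guest-vr

# Term 4: explicit final term. Packets matching no term are discarded anyway,
# but an explicit term makes the drop countable and loggable. syslog cannot be
# combined with discard, so log is used here.
set firewall family inet filter untrust-in-v4 term drop-rest then count drop-rest
set firewall family inet filter untrust-in-v4 term drop-rest then log
set firewall family inet filter untrust-in-v4 term drop-rest then discard

# IPv6 counterpart: next-header replaces protocol; same explicit final term.
set firewall family inet6 filter untrust-in-v6 term allow-mgmt-ssh from source-address 2001:db8:100::/64
set firewall family inet6 filter untrust-in-v6 term allow-mgmt-ssh from next-header tcp
set firewall family inet6 filter untrust-in-v6 term allow-mgmt-ssh from destination-port ssh
set firewall family inet6 filter untrust-in-v6 term allow-mgmt-ssh then count mgmt-ssh-ok-v6
set firewall family inet6 filter untrust-in-v6 term allow-mgmt-ssh then accept
set firewall family inet6 filter untrust-in-v6 term drop-rest then count drop-rest-v6
set firewall family inet6 filter untrust-in-v6 term drop-rest then discard

# The forwarding instance term 3 steers traffic into, plus the RIB group that
# copies interface routes into it so the instance can resolve next hops.
set routing-instances guest-vr instance-type forwarding
set routing-instances guest-vr routing-options static route 0.0.0.0/0 next-hop 203.0.113.254
set routing-options interface-routes rib-group inet guest-fbf-rg
set routing-options rib-groups guest-fbf-rg import-rib [ inet.0 guest-vr.inet.0 ]

# Send the filter's syslog records to a local file (firewall facility).
set system syslog file firewall-filter firewall any

# Apply both filters inbound on the untrust interface.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/0 unit 0 family inet filter input untrust-in-v4
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:113::1/64
set interfaces ge-0/0/0 unit 0 family inet6 filter input untrust-in-v6
```

After commit, `show firewall filter untrust-in-v4` displays the per-term counters and the policer's discard count, `show firewall log` shows the headers captured by the log modifier, and `show log firewall-filter` shows the syslog records. `show route table guest-vr.inet.0` confirms that the RIB group imported the interface routes, which is what filter-based forwarding needs before the routing-instance action can deliver packets. Note that the IPv6 filter cannot steer fragments with routing-instance, as the IPv6 table above states, so an IPv6 filter-based-forwarding design must tolerate fragments staying in the default instance.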
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Configuring Actions in Firewall Filter Terms in the Junos Policy Framework Configuration Guide