Configuring a Firewall Filter

You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.

To configure a firewall filter and apply it to an interface:

  1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure firewall filters.
  2. In the configuration tree, expand Firewall.
  3. Expand Ethernet Switching and click Filter.
  4. Click Add New Entry to add a firewall filter.
  5. Perform the configuration tasks described in Table 28.

Note: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 28: Create a New Term

Each option is listed with its function and the action you take to set it. The options under Action at the end of the table are applied to packets that match the term.

Term Name
  Function: Specifies the name of the term.
  Your Action: Enter a name.

ICMP Type
  Function: Specifies the ICMP packet type field. Typically, you specify this match in conjunction with the protocol match to determine which protocol is being used on the port.
  Your Action: Select the option from the list.

ICMP Code
  Function: Specifies more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. The keywords are grouped by the ICMP type with which they are associated.
  Your Action: Select one:
    • Parameter-problem
    • Redirect
    • Time-exceeded
    • Unreachable

Fragment Flags
  Function: Specifies the IP fragmentation flags.
  Note: Fragment flags is supported on ingress ports, VLANs, and router interfaces.
  Your Action: Select the option is-fragment or enter a combination of fragment flags.

TCP Flags
  Function: Specifies one or more TCP flags.
  Note: TCP flags is supported on ingress ports, VLANs, and router interfaces.
  Your Action: Select the option tcp-initial or enter a combination of TCP flags.

IP Precedence
  Function: Specifies the IP precedence. The options are: assured-forwarding, best-effort, expedited-forwarding, network-control.
  Note: IP precedence and DSCP number cannot be specified together for the same term.
  Your Action: Select the option from the list.

Interface
  Function: Specifies the interface association.
  Your Action: Select the interface from the list.

Ether Type
  Function: Specifies the Ethernet type field of a packet.
  Note: This option is not applicable for a Routing filter.
  Your Action: Select one:
    • Arp
    • Dot 1q

dot1q-tag
  Function: Specifies the tag field in the Ethernet header. Values can be from 1 through 4095.
  Note: This option is not applicable for a Routing filter.
  Your Action: Enter the required number.

Dot 1q User Priority
  Function: Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 0–7. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
    • background (1)—Background
    • best-effort (0)—Best effort
    • controlled-load (4)—Controlled load
    • excellent-load (3)—Excellent load
    • network-control (7)—Network control reserved traffic
    • standard (2)—Standard or Spare
    • video (5)—Video
    • voice (6)—Voice
  Note: This option is not applicable for a Routing filter.
  Your Action: Enter a number or the corresponding text synonym.

DSCP Number
  Function: Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.
  Your Action: Select the DSCP number from the list.

VLAN
  Function: Specifies the VLAN to be associated.
  Note: This option is not applicable for a Routing filter.
  Your Action: Enter the VLAN name.

TTL Value
  Function: Specifies the time-to-live value.
  Note: This option is applicable for a Routing filter.
  Your Action: Enter a value.

Packet Length
  Function: Specifies the length of the packet.
  Note: This option is applicable for a Routing filter.
  Your Action: Enter a value.

Action

Counter Name
  Function: Specifies the name of the counter that counts the packets that pass this filter, term, or policer.
  Your Action: Enter a counter name.

Forwarding Class
  Function: Classifies the packet into one of the following forwarding classes:
    • assured-forwarding
    • best-effort
    • expedited-forwarding
    • network-control
    • user-defined
  Your Action: Select the option from the list.

Loss Priority
  Function: Specifies the packet loss priority.
  Note: Forwarding Class and Loss Priority should be specified together for the same term.
  Your Action: Enter the value.

Analyzer
  Function: Specifies whether to perform port mirroring on packets. Port mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port.
  Your Action: Select the analyzer from the list.
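The notes in Table 28 encode several consistency rules that the GUI form does not enforce visibly at a glance: icmp-code needs icmp-type, IP precedence and DSCP exclude each other, the dot1q and VLAN matches do not apply to a Routing filter while TTL and packet length do, fragment and TCP flags are ingress-only, and Forwarding Class and Loss Priority go together. The following Python model is an added example, not code from this page or from Juniper; it checks a term against those rules and renders it as Junos-style `set` statements. The CLI keyword spellings and the `family ethernet-switching` / `family inet` split are this example's assumptions (the page shows only the GUI labels), the reading of "applicable for a Routing filter" as routing-only is the example's, and the filter, term and counter names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Text synonyms for the dot1q user-priority field, with the values the table lists.
USER_PRIORITY_SYNONYMS = {
    "best-effort": 0, "background": 1, "standard": 2, "excellent-load": 3,
    "controlled-load": 4, "video": 5, "voice": 6, "network-control": 7,
}
# Matches the table marks "not applicable for a Routing filter".
SWITCHING_ONLY = ("ether_type", "dot1q_tag", "dot1q_user_priority", "vlan")
# Matches the table marks "applicable for a Routing filter" (read here as routing-only).
ROUTING_ONLY = ("ttl", "packet_length")
# Matches the table notes as supported on ingress ports, VLANs and router interfaces.
INGRESS_ONLY = ("fragment_flags", "tcp_flags")
# Attribute -> CLI keyword. Assumed Junos spelling; the page only shows GUI labels.
KEYWORDS = {
    "icmp_type": "icmp-type", "icmp_code": "icmp-code", "fragment_flags": "fragment-flags",
    "tcp_flags": "tcp-flags", "precedence": "precedence", "dscp": "dscp",
    "ether_type": "ether-type", "dot1q_tag": "dot1q-tag",
    "dot1q_user_priority": "dot1q-user-priority", "vlan": "vlan", "ttl": "ttl",
    "packet_length": "packet-length", "count": "count",
    "forwarding_class": "forwarding-class", "loss_priority": "loss-priority",
    "analyzer": "analyzer",
}
MATCHES, ACTIONS = tuple(KEYWORDS)[:12], tuple(KEYWORDS)[12:]   # "from" vs "then" fields


@dataclass
class Term:
    name: str
    icmp_type: Optional[str] = None
    icmp_code: Optional[str] = None
    fragment_flags: Optional[str] = None           # "is-fragment" or a flag expression
    tcp_flags: Optional[str] = None                # "tcp-initial" or a flag expression
    precedence: Optional[str] = None
    dscp: Optional[int] = None
    ether_type: Optional[str] = None
    dot1q_tag: Optional[int] = None
    dot1q_user_priority: Optional[Union[int, str]] = None
    vlan: Optional[str] = None
    ttl: Optional[int] = None
    packet_length: Optional[int] = None
    count: Optional[str] = None
    forwarding_class: Optional[str] = None
    loss_priority: Optional[str] = None
    analyzer: Optional[str] = None


def validate_term(term: Term, routing: bool, direction: str = "input") -> List[str]:
    """Return the Table 28 rules the term violates (empty when it is consistent)."""
    errors = []
    if term.icmp_code is not None and term.icmp_type is None:
        errors.append("icmp-code requires icmp-type")
    if term.precedence is not None and term.dscp is not None:
        errors.append("precedence and dscp cannot be specified together")
    errors += [f"{KEYWORDS[f]} is not applicable to a routing filter"
               for f in SWITCHING_ONLY if routing and getattr(term, f) is not None]
    errors += [f"{KEYWORDS[f]} is applicable to a routing filter only"
               for f in ROUTING_ONLY if not routing and getattr(term, f) is not None]
    errors += [f"{KEYWORDS[f]} is supported on ingress only"
               for f in INGRESS_ONLY if direction != "input" and getattr(term, f) is not None]
    if term.dot1q_tag is not None and not 1 <= term.dot1q_tag <= 4095:
        errors.append("dot1q-tag must be 1 through 4095")
    prio = term.dot1q_user_priority
    if isinstance(prio, str) and prio not in USER_PRIORITY_SYNONYMS:
        errors.append(f"unknown dot1q user-priority synonym {prio!r}")
    elif isinstance(prio, int) and not 0 <= prio <= 7:
        errors.append("dot1q user-priority must be 0 through 7")
    if (term.forwarding_class is None) != (term.loss_priority is None):
        errors.append("forwarding-class and loss-priority must be specified together")
    return errors


def render_term(term: Term, filter_name: str, routing: bool, direction: str = "input") -> List[str]:
    """Render a consistent term as Junos-style set statements; raise on rule violations."""
    problems = validate_term(term, routing, direction)
    if problems:
        raise ValueError("; ".join(problems))
    family = "inet" if routing else "ethernet-switching"
    base = f"set firewall family {family} filter {filter_name} term {term.name}"
    lines = []
    for attr in MATCHES:
        value = getattr(term, attr)
        if value is None:
            continue
        if value in ("is-fragment", "tcp-initial"):   # standalone keywords, no flag expression
            lines.append(f"{base} from {value}")
        elif attr in ("fragment_flags", "tcp_flags"):  # flag expressions are quoted
            lines.append(f'{base} from {KEYWORDS[attr]} "{value}"')
        else:
            lines.append(f"{base} from {KEYWORDS[attr]} {value}")
    lines += [f"{base} then {KEYWORDS[attr]} {getattr(term, attr)}"
              for attr in ACTIONS if getattr(term, attr) is not None]
    return lines


if __name__ == "__main__":   # constructed term: count voice-tagged TCP connection starts
    syn = Term("mark-tcp-initial", tcp_flags="tcp-initial", dot1q_user_priority="voice",
               count="tcp-initial-count", forwarding_class="best-effort", loss_priority="low")
    print("\n".join(render_term(syn, "port-ingress", routing=False)))
```

Running `validate_term(syn, routing=True)` on the same term returns a single violation for dot1q-user-priority, which is the check you would want before pushing a switching-style term onto a Layer 3 interface; the terminating action (accept or discard) lies outside the columns of Table 28 and is therefore not modelled here.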