Understanding Firewall Filter Planning

Before you create a firewall filter and apply it, determine what you want the filter to accomplish and how to use its match conditions and actions to achieve your goals. It is important that you understand how packets are matched, the default and configured actions of the firewall filter, and where to apply the firewall filter. A packet is evaluated against the terms of a filter in the order they are configured; the actions of the first matching term are taken and evaluation stops. A packet that matches no term is discarded by the implicit default action at the end of every filter, so a filter that contains only "discard" terms also drops all of the traffic you did not mention.

You can apply no more than one firewall filter per router interface per direction (input and output). For example, for a given interface you can apply at most one filter in the input direction and one filter in the output direction. Be conservative in the number of terms (rules) that you include in each firewall filter: a large number of terms requires longer processing time during a commit operation and makes the filter harder to test and troubleshoot, and because evaluation stops at the first match, every additional term is another place where ordering mistakes can hide.

Before you configure and apply firewall filters, answer the following questions for each of them:

  1. What is the purpose of the filter?

    For example, the system can drop packets based on header information, rate-limit traffic, classify packets into forwarding classes, log and count packets, or prevent denial-of-service attacks.

  2. What are the appropriate match conditions? Determine the packet header fields that the packet must contain for a match. Possible fields include:

    • Layer 3 header fields—Source and destination IP addresses, the IP protocol number, and other IP header values such as IP precedence, fragmentation flags, or TTL.

    • TCP and UDP header fields—Source and destination ports, and for TCP the header flags (for example, to match only established sessions).

    • ICMP header fields—Message type and code.

  3. What are the appropriate actions to take if a match occurs?

    The system can accept, discard, or reject packets. Discard drops the packet silently; reject drops it and returns an ICMP unreachable message (or, optionally, a TCP reset) to the sender, which is friendlier to legitimate clients but tells a scanner that a filter is present.

  4. What additional action modifiers might be required?

    For example, you can configure the system to mirror (copy) packets to a specified port, count matching packets, log them, apply traffic management such as assigning a forwarding class, or police (rate-limit) packets. Modifiers are combined with one of the terminating actions above; counting and logging a discard term is the usual way to see what a filter is actually dropping.

  5. On what Layer 3 interface should the firewall filter be applied?

    Before you choose the interface on which to apply a firewall filter, understand how that placement can affect traffic flow to other interfaces. In general, apply a filter close to the source device if the filter matches on both source and destination IP addresses, on IP protocols, or on protocol information such as ICMP message types and TCP or UDP port numbers; such a filter is specific enough that it only affects the traffic you intend. However, apply a filter close to the destination device if the filter matches only on a source IP address. Applied too close to the source, a source-address-only filter stops that device from reaching every destination beyond the filter, not just the one you meant to protect, and can cut it off from other services that are available on the network.

  6. In which direction should the firewall filter be applied?

    An input filter acts on packets as they arrive on the interface; an output filter acts on packets as they leave it. You typically configure different actions for traffic entering an interface than you configure for traffic exiting an interface, because the two directions see different sides of the same conversation (for example, an inbound request and the outbound reply).

  7. How many filters should I create?
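The following configuration is an added example that walks through questions 1 to 6 in one filter; it is not configuration from the original page. The filter name protect-mgmt, the counter and policer names, the interface ge-0/0/0, and the addresses (taken from the RFC 5737 documentation ranges) are all assumptions chosen for illustration. Term order is deliberate: the first term accepts SSH only from the management subnet, so the later term that rejects SSH from anywhere else is reached only by sessions the first term did not match. Without the final "allow-rest" term, everything not explicitly accepted would fall through to the implicit discard.

```junos
firewall {
    family inet {
        filter protect-mgmt {
            /* Q1: purpose is to limit management access, stop fragments and rate-limit ICMP */
            term allow-ssh-from-noc {
                from {
                    /* Q2: Layer 3 source address plus TCP destination port */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* Q4: count accepted sessions; Q3: terminating action accept */
                    count ssh-accepted;
                    accept;
                }
            }
            term drop-fragments {
                from {
                    /* Q2: IP fragmentation flag */
                    is-fragment;
                }
                then {
                    /* Q4: count and log what is dropped so the filter can be audited */
                    count fragments-dropped;
                    log;
                    discard;
                }
            }
            term limit-icmp {
                from {
                    /* Q2: ICMP type */
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    /* Q4: policer modifier; Q3: accept what survives the policer */
                    policer icmp-1m;
                    accept;
                }
            }
            term reject-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* Q3: reject with a TCP reset instead of a silent discard */
                    count ssh-rejected;
                    reject tcp-reset;
                }
            }
            term allow-established {
                from {
                    /* Q2: TCP flags; matches only packets of already established sessions */
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term allow-rest {
                /* Final catch-all; remove it to make the filter default-deny via the implicit discard */
                then accept;
            }
        }
    }
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Q5 and Q6: applied on the interface facing the untrusted side, in the input direction */
                filter {
                    input protect-mgmt;
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```

Commit a filter like this with "commit confirmed" so that a term that locks you out of the router is rolled back automatically if you cannot reconfirm. After the commit, "show firewall filter protect-mgmt" displays the per-term counters (ssh-accepted, fragments-dropped, ssh-rejected) and the policer counts, and "show interfaces filters" confirms which filter is attached to which interface and in which direction.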