Understanding Firewall Filter Match Conditions
Learn how to configure match conditions for firewall filters on Juniper switches.
Before configuring firewall filter terms, understand how match conditions work and how to specify different match types for desired filtering results.
Filter Match Conditions
In the from statement of a firewall filter term, specify conditions that trigger actions in the then statement. All conditions must match for the action to occur. The order of conditions is unimportant.
Specify multiple values for the same condition using either of the forms shown below:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set protocol (icmp | udp)
user@switch# set source-address 10.1.1.1
user@switch# set source-address 10.1.1.2
Unlike traditional Junos OS firewall filters:
- Individual conditions cannot contain value lists (ranges or multiple addresses)
- Conditions cannot be negated using except
If no match conditions are specified, the term matches all packets.
Numeric Match Conditions
Match numeric fields (port or protocol numbers) using:
- Single number: source-port 23
- Text synonym: source-port telnet
Specify multiple values:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-port 22
user@switch# set source-port 23
Interface Match Conditions
Match interfaces using these formats:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set interface ge-0/0/1
user@switch# set interface ge-0/0/6.0
Wildcards are supported:
interface ge-0/*/6.0
interface ge-0/1/*.0
interface ge-0/0/6.*
QFX/EX/OCX/NFX Series: Always include the logical unit where required. For VLAN filtering applications, specify the interfaces participating in the VLAN.
IP Address Match Conditions
Match IP prefixes:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set destination-address 10.2.1.0/24
An omitted prefix length defaults to /32:
user@switch# set destination-address 10
user@switch# show
destination-address {
    10.0.0.0/32;
}
MAC Address Match Conditions
Match MAC addresses using these formats:
destination-mac-address 00:11:22:33:44:55
destination-mac-address 0011.2233.4455
destination-mac-address 001122334455
All formats resolve to the standard 00:11:22:33:44:55 form.
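The following is an added example, not Juniper code or output from the page: it normalizes the address forms described above (MAC addresses in any of the three spellings, IP prefixes with the /32 default) and then evaluates a term's from-clause the way the Filter Match Conditions section describes, with every condition required to match and any one of a condition's repeated values sufficient. The zero-filling of missing octets is an assumption modelled on the page's destination-address 10 example; the condition and packet field names are hypothetical dictionary keys chosen to mirror the CLI keywords.

```python
# Added example (not Juniper's code): normalizers for the address forms the
# page describes plus a term-matching check that applies the rule "all
# conditions must match, any listed value of one condition suffices".
import ipaddress
import re

# The three MAC spellings the page lists; anything else is rejected.
MAC_FORMS = (
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),   # 00:11:22:33:44:55
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),  # 0011.2233.4455
    re.compile(r"^[0-9a-f]{12}$"),                      # 001122334455
)


def normalize_mac(value):
    """Resolve any accepted MAC spelling to the standard colon form."""
    lowered = value.lower()
    if not any(form.match(lowered) for form in MAC_FORMS):
        raise ValueError(f"unrecognized MAC address {value!r}")
    digits = lowered.replace(":", "").replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_ipv4_prefix(value):
    """Apply the /32 default for a missing prefix length.

    Assumption: missing trailing octets are zero-filled, modelled on the
    page's example where 'destination-address 10' is stored as 10.0.0.0/32.
    """
    addr, _, plen = value.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {value!r}")
    octets += ["0"] * (4 - len(octets))
    prefix_len = int(plen) if plen else 32
    # ip_interface validates the prefix length without clearing host bits.
    return str(ipaddress.ip_interface(f"{'.'.join(octets)}/{prefix_len}"))


ADDRESS_CONDITIONS = {"source-address", "destination-address"}
MAC_CONDITIONS = {"source-mac-address", "destination-mac-address"}


def term_matches(conditions, packet):
    """Evaluate a term's from-clause against one packet.

    conditions maps a match-condition name to the list of values given for it
    (one 'set' line each); packet maps the same names to the packet's fields.
    An empty condition set matches every packet, as the page states.
    """
    for name, values in conditions.items():
        field = packet.get(name)
        if field is None:
            return False
        if name in ADDRESS_CONDITIONS:
            nets = [ipaddress.ip_network(normalize_ipv4_prefix(v), strict=False) for v in values]
            hit = any(ipaddress.ip_address(field) in net for net in nets)
        elif name in MAC_CONDITIONS:
            hit = normalize_mac(field) in {normalize_mac(v) for v in values}
        else:
            hit = str(field) in {str(v) for v in values}
        if not hit:  # every condition must match
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the two-value source-address term from the page.
    term = {"protocol": ["icmp", "udp"], "source-address": ["10.1.1.1", "10.1.1.2"]}
    print(term_matches(term, {"protocol": "udp", "source-address": "10.1.1.2"}))  # True
    print(term_matches(term, {"protocol": "tcp", "source-address": "10.1.1.2"}))  # False
```

Because the normalizers run before comparison, a filter written with dotted-quad MACs still matches a packet whose MAC was captured in colon form, which is the property the page's "all formats resolve to" statement gives you on the switch.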
Specify multiple MAC addresses:
source-mac-address 00:11:22:33:44:55
source-mac-address 00:11:22:33:20:15
Bit-Field Match Conditions
Match specific bits in packet headers:
tcp-flags syn
tcp-flags 0x02
tcp-flags tcp-initial
Operators for combining bit-field values:
| Operator | Description |
|---|---|
| ! | Negation |
| & | Logical AND |
| \| | Logical OR |
Operator usage examples:
tcp-flags "syn&ack"
tcp-flags "syn&!ack"
Operator guidelines:
- Enclose values in quotes: "syn|fin"
- No spaces between operators
- Maximum two values per OR operation
- Operations are evaluated left to right with precedence ! > & > |
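To make the operator rules above concrete, here is an added example (not Juniper code) that parses a tcp-flags expression with the stated precedence (! binds tightest, then &, then |), rejects spaces and more than two values per OR, and evaluates it against a packet's TCP flags byte. The flag bit values are the standard TCP header bits; the expansion of tcp-initial to SYN-set-and-ACK-clear follows Junos documentation of that synonym; treating a numeric value such as 0x02 as "all of these bits must be set" is an assumption.

```python
# Added example (not Juniper's code): an evaluator for tcp-flags expressions
# following the operator rules stated above (precedence ! > & > |, left to
# right, no spaces, at most two values per OR).

# Bit values of the TCP header flags field.
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "push": 0x08,
    "ack": 0x10,
    "urgent": 0x20,
}

# tcp-initial is the synonym from the page; Junos documents it as SYN set
# with ACK clear, i.e. the first packet of a handshake.
SYNONYMS = {"tcp-initial": "syn&!ack"}

OPERATORS = "!&|"


def tokenize(expr):
    """Split an expression into operand and single-character operator tokens."""
    if not expr or any(ch.isspace() for ch in expr):
        raise ValueError("tcp-flags expressions must not contain spaces")
    tokens, buf = [], ""
    for ch in expr:
        if ch in OPERATORS:
            if buf:
                tokens.append(buf)
                buf = ""
            tokens.append(ch)
        else:
            buf += ch
    if buf:
        tokens.append(buf)
    return tokens


class _Parser:
    """Recursive descent: or -> and -> not -> atom, which yields ! > & > |."""

    def __init__(self, tokens, flags):
        self.tokens = tokens
        self.pos = 0
        self.flags = flags

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        operands = 1
        while self.peek() == "|":
            self.take()
            operands += 1
            if operands > 2:
                raise ValueError("at most two values per OR operation")
            rhs = self.parse_and()  # always parse the right side, never short-circuit
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "&":
            self.take()
            rhs = self.parse_not()
            result = result and rhs
        return result

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok in OPERATORS:
            raise ValueError(f"operand expected, found {tok!r}")
        if tok in TCP_FLAG_BITS:
            mask = TCP_FLAG_BITS[tok]
        else:
            try:
                mask = int(tok, 0)  # accepts 0x02 as well as decimal
            except ValueError:
                raise ValueError(f"unknown tcp flag {tok!r}") from None
        # Assumption: a numeric value names bits that must all be set.
        return (self.flags & mask) == mask


def tcp_flags_match(expr, packet_flags):
    """True when a packet whose TCP flags byte is packet_flags matches expr."""
    parser = _Parser(tokenize(SYNONYMS.get(expr, expr)), packet_flags)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result


if __name__ == "__main__":
    # Constructed sample packets: a SYN (0x02) and a SYN/ACK (0x12).
    for expr in ("syn&ack", "syn&!ack", "syn|fin", "tcp-initial"):
        print(expr, tcp_flags_match(expr, 0x02), tcp_flags_match(expr, 0x12))
```

Running an expression such as "syn&ack|fin" through the evaluator shows the precedence rule in practice: it groups as (syn&ack)|fin, so a bare FIN matches while a bare SYN does not, which is worth checking before a term like this is committed on a production switch.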