IPv6 Firewall Filters Configuration Page Options

  1. Select Configure>Security>Filters>IPv6 Firewall Filters in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>Firewall Filters>IPv6 in the J-Web user interface.

    The IPv6 Firewall Filters configuration page appears.

  2. Click one:
    • Add—Adds a new or duplicate IPv6 firewall filters configuration. Enter information as specified in Table 186.
    • Edit—Edits the selected IPv6 firewall filters configuration.
    • Delete—Deletes the selected IPv6 firewall filters configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 186: Add IPv6 Firewall Filters Configuration Details

Field FunctionAction

IPv6 Filter Summary

Action column

Displays up and down arrows and an X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which corresponding actions are carried out.

The options available are:

  • To move an item upward—Locate the item and click the up arrow from the same row.
  • To move an item downward—Locate the item and click the down arrow from the same row.
  • To delete an item—Locate the item and click the X from the same row.

Select an option.

Filter Name

Displays the name of the filter and, when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or to modify filter terms.

The options available are:

  • To display the terms added to a filter—Click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.
  • To edit a filter—Click the filter name. To edit a term, click the name of the term.

Select an option.

Search

Filter Name

Searches for existing filters by filter name.

The options available are:

  • To find a specific filter—Enter the name of the filter in the Filter Name box.
  • To list all filters with a common prefix or suffix—Use the wildcard character (*) when you enter the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Select an option.

Term Name

Searches for existing terms by name.

The options available are:

  • To find a specific term—Enter the name of the term in the Term Name box.
  • To list all terms with a common prefix or suffix—Use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Select an option.

Number of Items to Display

Specifies the number of filters or terms to display on one page. Selects the number of items to be displayed on one page.

Select a number from the list.

Add New IPv6 Filter

Name

Positions the new filter in one of the following locations:

  • After Final IPv4 Filter—At the end of all filters.
  • After IPv6 Filter—After a specified filter.

    Before IPv6 Filter—Before a specified filter.

Select an option.

Add

Adds a new filter name. Opens the term summary page for this filter allowing you to add new terms to this filter.

Click Add.

Add New IPv6 Term

Name

Positions the new term in one of the following locations:

  • After Final IPv6 Filter—At the end of all terms.
  • After IPv6 Filter—After a specified term.

    Before IPv6 Filter—Before a specified term.

Select an option.

Add

Opens the Filter Term page, allowing you to define the match conditions and the action for this term.

Click Add.

Match Source

Source Address

Specifies IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.
  • Except —To exclude the address from the match condition and then select Add -To include the address in the match condition.
  • Delete—To remove an IP source address from the match condition.

Enter an IP source address and prefix length, and select an option.

Source Prefix List

Specifies source prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined source prefix list in the match condition, type the prefix list name.
  • Delete—To remove a prefix list from the match condition.

Select an option.

Source Port

Specifies the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.
  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.
  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Destination

Destination Address

Specifies destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and search for them.

The options available are:

  • Add—To include the address in the match condition.
  • Except —To exclude the address from the match condition and then select Add—To include the address in the match condition.
  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length, and select an option.

Destination Prefix List

Specifies destination prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

The options available are:

  • Add—To include a predefined destination prefix list, enter the prefix list name.
  • Delete—To remove a prefix list from the match condition.

Select an option.

Destination Port

Specifies destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.
  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.
  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Source or Destination

Address

Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination. Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

The options available are:

  • Add—To include the address in the match condition.
  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.
  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length and select an option.

Prefix List

Specifies prefix lists, which you have already defined, to be included in the match condition for a source or destination. Allows you to remove a prefix list from the match condition.

Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

The options available are:

  • Add—To include a predefined destination prefix list, type the prefix list name.
  • Delete—To remove a prefix list from the match condition.

Select an option.

Port

Specifies a port type to be included in, or excluded from, a match condition for a source or destination. Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

The options available are:

  • Add—To include the port in the match condition.
  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.
  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Interface

Interface

Specifies interfaces to be included in a match condition. Allows you to remove an interface from the match condition.

The options available are:

  • Add—To include an interface in a match condition.
  • Delete—To remove an interface from the match condition.

Select a name from the interface name , or enter the interface name, and select an option.

Interface Set

Specifies interface sets, which you have already defined, to be included in a match condition. Allows you to remove an interface set from the match condition.

The options available are:

  • Add—To include the group in the match condition.
  • Delete—To remove an interface group from the match condition.

Enter the interface set name and select an option.

Interface Group

Specifies interface groups, which you have already defined, to be included in, or excluded from, a match condition. Allows you to remove an interface group from the match condition.

The options available are:

  • Add—To include the port in the match condition.
  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.
  • Delete—To remove a port type from the match condition.

Enter the name of the group and select an option.

Match Packet and Network

TCP Established

Matches all Transmission Control Protocol packets other than the first packet of a connection.

Note: This match condition does not verify that the TCP is used on the port. Make sure to specify the TCP as a match condition in the same term.

Select the check box.

TCP Initial

Matches the first Transmission Control Protocol packet of a connection.

Note: This match condition does not verify that the TCP is used on the port. Make sure to specify the TCP as a match condition in the same term.

Select the check box.

TCP Flags

Specifies Transmission Control Protocol flags to be included in the match condition.

Note: This match condition does not verify that the TCP is used on the port. Make sure to specify the TCP as a match condition in the same term.

Enter a text or numeric string defining the flag.

ICMP Type

Specifies Internet Control Message Protocol packet types to be included in, or excluded from, the match condition. Allows you to remove an ICMP packet type from the match condition.

Note: This protocol does not verify that ICMP is used on the port. Make sure to specify an ICMP type match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.
  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.
  • Delete—To remove an ICMP packet type from the match condition.

Select a packet type from the list or enter a packet type name or number, and select an option.

Next Header

Specifies IPv6 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv6 protocol type from the match condition.

  • Add—To include the protocol in the match condition.
  • Except—To exclude the protocol from the match condition and then select Add—To include the protocol in the match condition.
  • Delete—To remove an IPv6 protocol type from the match condition.

Select a protocol name from the list or enter the protocol name number, and select an option.

ICMP Code

Specifies the Internet Control Message Protocol code to be included in, or excluded from, the match condition. Allows you to remove an ICMP code from the match condition.

Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.
  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.
  • Delete—To remove an ICMP packet type from the match condition.

Select a packet code from the list, or enter the packet code as text or a number, and select an option.

Traffic Class

Specifies the traffic class to be included in, or excluded from, the match condition. Allows you to remove a traffic class value from the match condition.

The options available are:

  • Add—To include the traffic class in the match condition.
  • Except—To exclude the traffic class from the match condition and then select Add—To include the traffic class in the match condition.
  • Delete—To remove a traffic class value from the match condition.

Select a traffic class from the list or enter the traffic class as text number or a length by entering a value or range, and select an option.

Packet Length

Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition. Allows you to remove a packet length value from the match condition.

The options available are:

  • Add—To include the packet length in the match condition.
  • Except—To exclude the packet length from the match condition and then select Add—To include the packet length in the match condition.
  • Delete—To remove a packet length value from the match condition.

Specify a packet length by entering a value or range, and select an option.

Forwarding Class

Specifies forwarding classes to be included in, or excluded from, the match condition. Allows you to a remove forwarding class entry from the match condition.

The options available are:

  • Add—To include the forwarding class in the match condition.
  • Except—To exclude the forwarding class from the match condition and then select Add—To include the forwarding class in the match condition.
  • Delete—To remove a forwarding class from the match condition.

Specify a forwarding class by selecting a forwarding class from the list or entering a forward class, and then select an option.

Action

Nothing

Specifies that no action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

Select Nothing.

Accept

Accepts a packet that meets the match conditions of the term.

Select Accept.

Discard

Discards a packet that meets the match conditions of the term. Names a discard collector for packets.

Select Discard.

Reject

Rejects a packet that meets the match conditions of the term and returns a rejection message. Allows you to specify a message type that denotes the reason the packet was rejected.

Note: To log and sample rejected packets, specify log and sample action modifiers in conjunction with this action.

Select Reject and Select a message type from the reason list.

Next Term

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term. This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term. When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.

Select Next Term.

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

Select Routing Instance and enter the routing instance name in the box next to Routing Instance.

Load Balance

Specifies a load-balance group, which you have already defined, to be used by packets that meet the match conditions. A load-balance group contains interfaces that use the same next-hop group to balance the traffic load.

Select Load Balance and enter the group name in the box next to Load Balance.

Action Modifiers

Forwarding Class

Classifies the packet as a specific forwarding class.

Select Forwarding Class from the list.

Count

Counts the packets passing this term. Allows you to name a counter, which is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

Select Count and then enter a 24–character string containing letters, numbers, or hyphens to specify a counter name.

Log

Logs the packet header information in the routing engine.

Select Log.

Syslog

Records packet information in the system log.

Select Syslog.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

Select Loss Priority from the list.

Related Documentation

Copyright© 2017 Juniper Networks, Inc. All rights reserved.