Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Firewall Filter Terminating Actions

Firewall filters support a set of terminating actions for each protocol family. A filter-terminating action halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined.


You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.

For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensure that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with the certain terminating actions. See those topics, listed under Related Documentation, for details.

Table 1 describes the terminating actions you can specify in a firewall filter term.

Table 1: Terminating Actions for Firewall Filters

Terminating Action




Accept the packet.

  • family any

  • family inet

  • family inet6


Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

  • family any

  • family inet

  • family inet6


Exclude the packet from being included in accurate accounting statistics for tunneled subscribers on an L2TP LAC. Typically used in filters that match DHCPv6 or ICMPv6 control traffic Failure to exclude these packets results in the idle-timeout detection mechanism considering these packets as data traffic, causing the timeout to never expire. (The idle timeout is configured with the client-idle-timeout and client-idle-timeout-ingress-only statements in the access profile session options.)

The term excludes packets from being included in counts for both family accurate accounting and service accurate accounting. The packets are still included in the session interface statistics.

The term is available for both inet and inet6 families, but is used only for inet6.

  • family inet

  • family inet6

reject message-type

Reject the packet and return an ICMPv4 or ICMPv6 message:

  • If no message-type is specified, a destination unreachable message is returned by default.

  • If tcp-reset is specified as the message-type, tcp-reset is returned only if the packet is a TCP packet. Otherwise, the administratively-prohibited message, which has a value of 13, is returned.

  • If any other message-type is specified, that message is returned.

The message-type can be one of the following values: address-unreachable, administratively-prohibited, bad-host-tos, bad-network-tos, beyond-scope, fragmentation-needed, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, no-route, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

  • family inet

  • family inet6