Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


decapsulate (Firewall Filter)


Hierarchy Level


Define the termination action for GRE, UDP, and L2TP tunnels.


inet-in-udp, inet6-in-udp, and mpls-in-udp are supported only on PTX10003, PTX10004, PTX10008, PTX10016 and PTX10001-36MR device models.


The following are the caveats for using the decapsulate firewall filter action.

  • For GRE tunnel decapsulate action if "payload type" in GRE header is a value other than IPv4, IPv6, or MPLS, the packet will be dropped.

  • For UDP tunnel decapsulation, it is expected that the user will configure term match conditions for UDP destination port correctly to term action for decapsulate of IPv4, IPv6 or MPLS. In case of mismatch traffic can be dropped.

  • No decrement TTL attribute is not supported for MPLS payload.

  • Output filter cannot match TTL value of outgoing packet for ingress filter decapsulation traffic with no-decrement-ttl configured.


gre—(Optional) Terminate a GRE tunnel for the filter conditions that are matched.

inet-in-udp—(Optional) Terminate a UDP tunnel with IPv4 payload.

inet6-in-udp—(Optional) Terminate a UDP tunnel with IPv6 payload.

mpls-in-udp—(Optional) Terminate a UDP tunnel with MPLS payload.

l2tp—(Optional) Terminate an L2TP tunnel for the filter conditions that are matched.

output-interface interface-name—(Optional) For L2TP tunnels, enable the packet to be duplicated and sent towards the customer or the network (based on the MAC address in the Ethernet payload),

cookie l2tpv3-cookie—(Optional) For L2TP tunnels, specify the L2TP cookie for the duplicated packets. If the tunnel does not contain the receive-cookie configured, packet injection does not happen. In such a case, any received tunnel packet is counted and dropped in the same manner in which packets that arrive with a wrong cookie are counted and dropped.

Required Privilege Level

firewall—To view this statement in the configuration.

firewall-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 7.6.

output-interface and cookie options introduced in Junos OS Release 15.1.

decapsulate gre introduced in Junos OS Release 15.1F3 and 16.1R2 for PTX5000 routers with third generation FPCs and Junos OS Release 15.1F6 and 16.1R2 for PTX3000 routers with third-generation FPCs.

no-decrement-ttl attribute for the decapsulate gre filter action introduced in Junos OS Release 15.1F6 and 16.2R1 for PTX5000 routers with third-generation FPCs.

inet-in-udp, inet6-in-udp, and mpls-in-udp introduced in Junos OS Release 22.3R1.