fast-lookup-filter
Syntax
fast-lookup-filter;
Hierarchy Level
[edit firewall family family-name filter filter-name], [edit logical-systems logical-system-name firewall family family-name filter filter-name]
Description
The fast-lookup-filter
is available
for the inet and inet6 protocol families for both static and dynamic
profiles. Junos installs firewall filters created under this hierarchy
to the accelerated filter block available in the certain MPCs, which
provides enhanced performance.
Juniper recommends that you use the payload-protocol
term rather than the next-header
term
when configuring a firewall filter with match conditions for IPv6
traffic. Although either can be used, payload-protocol
provides the more reliable match condition because it uses the
actual payload protocol to find a match, whereas next-header
simply takes whatever appears in the first header following the
IPv6 header, which may or may not be the actual protocol. In addition,
if next-header
is used with IPv6, the accelerated
filter block lookup process is bypassed and the standard filter used
instead.
See Firewall Filter Match Conditions for IPv6 Traffic for more information about firewall filters and terms.
Fast lookup filters can boost filtering performance by as much as three to four times for filters under 3000 terms. Firewall instances from the same firewall block can also be attached to multiple interfaces.
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.3R3 for MX 240, MX 480, MX 960, MX 2010, and MX 2020 routers with MPC5E, MPC5EQ, or MPC6E, and later for MPC7E, MPC8E, and MPC9E MPCs.
Support for the next-header
firewall match condition was added in Junos
OS Release 13.3R6
Support for MPC2E-NG and MPC3E-NG MPCs was added in Junos OS Release 15.1R1.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
next-header
firewall match condition was added in Junos
OS Release 13.3R6