show-firewall-configuration
Syntax
show firewall configuration filter filter-name information-type configured | compiled <application <application-name>>
Description
When firewall filters are configured, an optimization operation is performed on the configuration. The optimization process may merge or eliminate the terms of filters. This can lead to differences between the configured filters and the filters programmed in the hardware.
- Use the show firewall configuration filter filter-name information-type configured | compiled command to display a CLI filter’s configured information or the same firewall filter’s information after its compilation/optimization.
- Use the show firewall configuration filter filter-name information-type configured | compiled application application-name command to display a non-CLI filter’s (such as a BGP FlowSpec firewall filter) configured information or the same firewall filter’s information after its compilation/optimization.

Use set firewall enable-filter-debug to enable this feature.
Options
- application application-name—The owner application of the firewall filter. The application names are:
  - cosd—Cosd filters
  - firewalld—CLI filters
  - jdhcpd—Jdhcpd filters
  - l2cpd—L2cpd filters
  - lsp—Lsp filters
  - p4-switch—P4-switch filters
  - ppmd—Periodic packet management daemon
  - routing (RPD)—BGP flowspec filters
- information-type
  - configured—Display configured information of the filter
  - compiled—Display compiled information of the filter
Required Privilege Level
view
Output Fields
Field Name | Field Description |
---|---|
Filter | Name of the filter |
Number Of Terms | The number of terms in the filter |
App Name | The owner application of the firewall filter |
Family Name | The firewall filter family |
Interface/Instance Specific | True if the firewall filter is interface or instance specific. False otherwise. |
Fast Lookup | True if the firewall filter is a Fast Lookup filter. False otherwise. |
Scale Mode | True if the scale-mode setting has been applied on the firewall filter. False otherwise. |
No Incremental Update | True if the no-incremental-update setting has been applied on the firewall filter. False otherwise. |
Layer2 Policer | True if the layer2-policer setting is applied on this firewall filter. False otherwise. |
Term | Name of the firewall filter term |
Status | Status of the firewall filter term. For example, Available indicates that the firewall filter term will be retained after optimization/compilation. Will get discarded in optimized filter indicates that the firewall filter term will be removed during the optimization/compilation process. |
Match Conditions | Shows the firewall filter match conditions |
Actions | Shows the firewall filter actions |
Sample Output
show firewall configuration filter <filter-name> information-type configured
In the following example, after a CLI filter f1 is configured, issuing show firewall configuration filter f1 information-type configured displays the following output.
```
user@host> show firewall configuration filter f1 information-type configured
Filter f1
Number Of Terms 7
App Name firewalld
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : t1
  Status : Available
  Match Conditions:
    source-address 10.0.0.0/8
  Actions:
    accept
    count c1
Term : t2
  Status : Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions
  Match Conditions:
    source-address 10.0.0.0/16 10.0.0.0/24
  Actions:
    accept
Term : t3
  Status : Available
  Match Conditions:
    protocol [6-6]
    tcp-flags Operation:bitwise-AND Bits:0b10010 Mask:0x12
  Actions:
    accept
Term : t4
  Status : Available
  Match Conditions:
    source-address 20.0.0.0/8
    protocol [10-20] [20-30]
  Actions:
    accept
Term : t5
  Status : Will get discarded in optimized filter
  Match Conditions:
    protocol [6-6]
    tcp-flags Operation:never Bits:0b0 Mask:0x0
  Actions:
    next-ip
      ifl-index : 0
      address : 12.1.2.1/32
      routing-instance : default
      exact match : false
Term : t6
  Status : Available
  Match Conditions:
    flexible-match-range
      match-start : payload
      byte-offset : 8
      bit-offset : 6
      bit-length : 20
      range : [20-30]
  Actions:
    accept
Term : t7
  Status : Will get merged to term t6 in optimized filter due to similar Match Conditions/Actions
  Match Conditions:
    flexible-match-range
      match-start : payload
      byte-offset : 8
      bit-offset : 6
      bit-length : 20
      range : [40-50]
  Actions:
    accept
```
show firewall configuration filter <filter-name> information-type compiled
The show firewall configuration filter f1 information-type configured command showed the details of the firewall filter named f1 before optimization/compilation. The show firewall configuration filter f1 information-type compiled command shows the details of this firewall filter after optimization/compilation.
```
user@host> show firewall configuration filter f1 information-type compiled
Filter f1
Number Of Terms 5
App Name firewalld
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : t1
  Match Conditions:
    source-address 10.0.0.0/8
  Actions:
    accept
    count c1
Term : t3
  Match Conditions:
    protocol [6-6]
    tcp-flags Operation:bitwise-AND Bits:0b10010 Mask:0x12
  Actions:
    accept
Term : t4
  Match Conditions:
    source-address 20.0.0.0/8
    protocol [10-30]
  Actions:
    accept
Term : t6
  Match Conditions:
    flexible-match-range
      match-start : payload
      byte-offset : 8
      bit-offset : 6
      bit-length : 20
      range : [20-30] [40-50]
  Actions:
    accept
Term : _internal
  Match Conditions:
  Actions:
    discard
```
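
When auditing a filter, the two views can be compared offline. The following Python sketch is an added example, not part of the Juniper documentation: it parses saved configured and compiled outputs, lists merged and discarded terms, flags any term whose Status does not agree with the compiled view, and reports terms that appear only after compilation. The function names and the abridged sample text are assumptions made for the example.

```python
import re

# Sample input abridged from this page's f1 outputs (constructed subset of terms).
CONFIGURED = """
Filter f1  App Name firewalld  Family Name inet
Term : t1  Status : Available
  Match Conditions: source-address 10.0.0.0/8  Actions: accept count c1
Term : t2  Status : Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions
  Match Conditions: source-address 10.0.0.0/16 10.0.0.0/24  Actions: accept
Term : t5  Status : Will get discarded in optimized filter
  Match Conditions: protocol [6-6] tcp-flags Operation:never  Actions: next-ip
"""
COMPILED = """
Filter f1  App Name firewalld  Family Name inet
Term : t1  Match Conditions: source-address 10.0.0.0/8  Actions: accept count c1
Term : _internal  Match Conditions:  Actions: discard
"""

# Term name, then an optional Status (present only in the configured view).
TERM_RE = re.compile(r"Term\s*:\s*(\S+)\s+(?:Status\s*:\s*(.*?)\s+)?Match Conditions:")
MERGE_RE = re.compile(r"Will get merged to term (\S+)")

def parse_terms(text):
    """Map term name -> status (None if absent); whitespace layout is ignored."""
    flat = " ".join(text.split())
    return {m.group(1): m.group(2) for m in TERM_RE.finditer(flat)}

def audit(configured, compiled):
    """Classify configured terms and cross-check them against the compiled view."""
    cfg, hw = parse_terms(configured), parse_terms(compiled)
    report = {"merged": {}, "discarded": [], "mismatch": []}
    for name, status in cfg.items():
        merge = MERGE_RE.search(status or "")
        dropped = "discarded" in (status or "")
        if merge:
            report["merged"][name] = merge.group(1)
        elif dropped:
            report["discarded"].append(name)
        # A term predicted to disappear must be absent from the compiled view,
        # and a term predicted to survive must be present in it.
        gone = bool(merge) or dropped
        if gone == (name in hw):
            report["mismatch"].append(name)
    # Terms that exist only after compilation (here: _internal).
    report["implicit"] = [t for t in hw if t not in cfg]
    return report

if __name__ == "__main__":
    for key, value in audit(CONFIGURED, COMPILED).items():
        print(f"{key}: {value}")
```
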
show firewall configuration filter <filter-name> information-type configured application <application-name>
The following example displays a sample output of a non-CLI firewall filter, an implicit filter, such as a BGP Flowspec firewall filter f1 when issuing the show firewall configuration filter f1 information-type configured application routing command. Because this is a BGP Flowspec firewall filter managed by the routing application, you specify the application name as routing. The application name is indicated by App Name in the output. Below each term in the output, the status field indicates how the term will be optimized. As is indicated in the sample output, the following terms will get optimized:
- Term *,*,proto=4—Will get merged to term *,*,proto=3 in optimized filter due to similar Match Conditions/Actions
```
user@host> run show firewall configuration filter __flowspec_default_inet__ information-type configured application routing | no-more
Filter __flowspec_default_inet__
Number Of Terms 5
App Name RPD
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : 10.1.1.1,20.1.1.1,proto=1,dstport=2,srcport=1
  Status : Available
  Match Conditions:
    source-address 20.1.1.1/32
    destination-address 10.1.1.1/32
    source-port [1-1]
    destination-port [2-2]
    protocol [1-1]
  Actions:
    accept
Term : 10.1.1.2,20.1.1.2,proto=2,dstport=3,srcport=2
  Status : Available
  Match Conditions:
    source-address 20.1.1.2/32
    destination-address 10.1.1.2/32
    source-port [2-2]
    destination-port [3-3]
    protocol [2-2]
  Actions:
    accept
Term : *,*,proto=3
  Status : Available
  Match Conditions:
    protocol [3-3]
  Actions:
    accept
Term : *,*,proto=4
  Status : Will get merged to term *,*,proto=3 in optimied filter due to similar Match Conditions/Actions
  Match Conditions:
    protocol [4-4]
  Actions:
    accept
Term : default-term
  Status : Available
  Match Conditions:
  Actions:
    accept
```
show firewall configuration filter <filter-name> information-type compiled application <application-name>
The show firewall configuration filter f1 information-type configured application routing command showed the details of the firewall filter named f1 before optimization/compilation. The show firewall configuration filter f1 information-type compiled application routing command shows the details of this firewall filter after optimization/compilation. Before optimization/compilation, the following terms were identified for optimization:
- Term *,*,proto=4—Will get merged to term *,*,proto=3 in optimized filter due to similar Match Conditions/Actions

After optimization/compilation, as can be noted in the sample output:
- *,*,proto=4 and *,*,proto=3 were merged and *,*,proto=4 is removed.
```
user@host> run show firewall configuration filter __flowspec_default_inet__ information-type compiled application routing | no-more
Filter __flowspec_default_inet__
Number Of Terms 4
App Name RPD
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : 10.1.1.1,20.1.1.1,proto=1,dstport=2,srcport=1
  Match Conditions:
    source-address 20.1.1.1/32
    destination-address 10.1.1.1/32
    source-port [1-1]
    destination-port [2-2]
    protocol [1-1]
  Actions:
    accept
Term : 10.1.1.2,20.1.1.2,proto=2,dstport=3,srcport=2
  Match Conditions:
    source-address 20.1.1.2/32
    destination-address 10.1.1.2/32
    source-port [2-2]
    destination-port [3-3]
    protocol [2-2]
  Actions:
    accept
Term : *,*,proto=3
  Match Conditions:
    protocol [3-4]
  Actions:
    accept
Term : default-term
  Match Conditions:
  Actions:
    accept
```
Release Information
Command introduced in Junos OS Release 25.2R1