show-firewall-configuration
Syntax
show firewall configuration filter filter-name information-type configured | compiled <application <application-name>>
Description
When firewall filters are configured, an optimization operation is performed on the configuration. The optimization process may merge or eliminate the terms of filters. This can lead to differences between the configured filters and the filters programmed in the hardware.
- Use the show firewall configuration filter filter-name information-type configured | compiled command to display a CLI filter's configured information, or the same firewall filter's information after its compilation/optimization.
- Use the show firewall configuration filter filter-name information-type configured | compiled application application-name command to display the configured information of a non-CLI filter (such as a BGP FlowSpec firewall filter), or the same firewall filter's information after its compilation/optimization.
Use set firewall enable-filter-debug to enable this feature.
Options
- application application-name—The owner application of the firewall filter. The application names are:
  - cosd—Cosd filters
  - firewalld—CLI filters
  - jdhcpd—Jdhcpd filters
  - l2cpd—L2cpd filters
  - lsp—Lsp filters
  - p4-switch—P4-switch filters
  - ppmd—Periodic packet management daemon
  - routing (RPD)—BGP flowspec filters
- information-type
  - configured—Display configured information of the filter
  - compiled—Display compiled information of the filter
Required Privilege Level
view
Output Fields
| Field Name | Field Description |
|---|---|
| Filter | Name of the filter |
| Number Of Terms | The number of terms in the filter |
| App Name | The owner application of the firewall filter |
| Family Name | The firewall filter family |
| Interface/Instance Specific | True if the firewall filter is interface or instance specific. False otherwise. |
| Fast Lookup | True if the firewall filter is a Fast Lookup filter. False otherwise. |
| Scale Mode | True if scale-mode setting has been applied on the firewall filter. False otherwise. |
| No Incremental Update | True if no-incremental-update setting has been applied on the firewall filter. False otherwise. |
| Layer2 Policer | True if layer2-policer setting is applied on this firewall filter. False otherwise. |
| Term | Name of the firewall filter term |
| Status | Status of the firewall filter term. For example, Available indicates that the firewall filter term will be retained after optimization/compilation. Will get discarded in optimized filter indicates that the firewall filter term will be removed during the optimization/compilation process. |
| Match Conditions | Shows the firewall filter match conditions |
| Actions | Shows the firewall filter actions |
Sample Output
- <show firewall configuration filter <filter-name> information-type configured>
- <show firewall configuration filter <filter-name> information-type compiled>
- <show firewall configuration filter <filter-name> information-type configured application <application-name>>
- <show firewall configuration filter <filter-name> information-type compiled application <application-name>>
<show firewall configuration filter <filter-name> information-type configured>
In the following example, after a CLI filter f1 is configured, issuing
show firewall configuration filter f1 information-type
configured displays the following output.
user@host> show firewall configuration filter f1 information-type configured
Filter f1
Number Of Terms 7
App Name firewalld
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : t1
Status : Available
Match Conditions:
source-address
10.0.0.0/8
Actions:
accept
count
c1
Term : t2
Status : Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions
Match Conditions:
source-address
10.0.0.0/16
10.0.0.0/24
Actions:
accept
Term : t3
Status : Available
Match Conditions:
protocol
[6-6]
tcp-flags
Operation:bitwise-AND Bits:0b10010 Mask:0x12
Actions:
accept
Term : t4
Status : Available
Match Conditions:
source-address
20.0.0.0/8
protocol
[10-20]
[20-30]
Actions:
accept
Term : t5
Status : Will get discarded in optimized filter
Match Conditions:
protocol
[6-6]
tcp-flags
Operation:never Bits:0b0 Mask:0x0
Actions:
next-ip
ifl-index : 0
address : 12.1.2.1/32
routing-instance : default
exact match : false
Term : t6
Status : Available
Match Conditions:
flexible-match-range
match-start : payload
byte-offset : 8
bit-offset : 6
bit-length : 20
range :
[20-30]
Actions:
accept
Term : t7
Status : Will get merged to term t6 in optimized filter due to similar Match Conditions/Actions
Match Conditions:
flexible-match-range
match-start : payload
byte-offset : 8
bit-offset : 6
bit-length : 20
range :
[40-50]
Actions:
accept
<show firewall configuration filter <filter-name> information-type compiled>
show firewall configuration filter f1 information-type configured showed the
details of the firewall filter named f1 before optimization/compilation.
show firewall configuration filter f1 information-type compiled shows the details
of this firewall filter after optimization/compilation.
user@host> show firewall configuration filter f1 information-type compiled
Filter f1
Number Of Terms 5
App Name firewalld
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : t1
Match Conditions:
source-address
10.0.0.0/8
Actions:
accept
count
c1
Term : t3
Match Conditions:
protocol
[6-6]
tcp-flags
Operation:bitwise-AND Bits:0b10010 Mask:0x12
Actions:
accept
Term : t4
Match Conditions:
source-address
20.0.0.0/8
protocol
[10-30]
Actions:
accept
Term : t6
Match Conditions:
flexible-match-range
match-start : payload
byte-offset : 8
bit-offset : 6
bit-length : 20
range :
[20-30]
[40-50]
Actions:
accept
Term : _internal
Match Conditions:
Actions:
discard
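Added example (not Juniper code): a Python sketch that parses the configured and compiled outputs shown above and reports which configured terms are discarded or merged, which disappear without being flagged, and which compiled terms (such as _internal) were never configured. The embedded text is abridged from the f1 sample on this page; the function names and report keys are assumptions of this example.

```python
import re

# Abridged from the f1 sample output on this page (only Term/Status lines kept).
CONFIGURED = """\
Filter f1
Term : t1
Status : Available
Term : t2
Status : Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions
Term : t5
Status : Will get discarded in optimized filter
"""
COMPILED = """\
Filter f1
Term : t1
Term : _internal
"""

TERM_RE = re.compile(r"^\s*Term\s*:\s*(\S+)\s*$")
STATUS_RE = re.compile(r"^\s*Status\s*:\s*(.+?)\s*$")
MERGE_RE = re.compile(r"merged to term (\S+)")

def parse_terms(text):
    """Return {term name: Status text, or None when the term has no Status line}."""
    terms, current = {}, None
    for line in text.splitlines():
        if m := TERM_RE.match(line):
            current = m.group(1)
            terms[current] = None
        elif current and (m := STATUS_RE.match(line)):
            terms[current] = m.group(1)
    return terms

def audit(configured, compiled):
    """Classify configured terms by Status and cross-check against the compiled filter."""
    conf, comp = parse_terms(configured), parse_terms(compiled)
    report = {"discarded": [], "merged": {}, "unexplained": []}
    for name, status in conf.items():
        if status and "discarded" in status:
            report["discarded"].append(name)      # removed by optimization
        elif status and (m := MERGE_RE.search(status)):
            report["merged"][name] = m.group(1)   # folded into another term
        elif name not in comp:
            report["unexplained"].append(name)    # not flagged, yet absent after compile
    # Terms present after compilation that nobody configured, e.g. _internal.
    report["implicit"] = [t for t in comp if t not in conf]
    return report

if __name__ == "__main__":
    for key, value in audit(CONFIGURED, COMPILED).items():
        print(f"{key}: {value}")
```

A non-empty discarded or unexplained list is the case to review: a term the operator wrote is not present in the compiled filter.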
<show firewall configuration filter <filter-name> information-type configured application <application-name>>
The following example displays sample output for a non-CLI (implicit) firewall filter,
such as a BGP FlowSpec firewall filter f1, when you issue the
show firewall configuration filter f1 information-type
configured application routing command. Because this is a BGP FlowSpec firewall
filter managed by the routing application, you specify the application
name as routing. The application name is indicated by App
Name in the output. Below each term in the output, the Status field indicates
how the term will be optimized. As the sample output indicates, the following term
will get optimized:
- Term *,*,proto=4—Will get merged to term *,*,proto=3 in optimized filter due to similar Match Conditions/Actions
user@host> run show firewall configuration filter __flowspec_default_inet__ information-type configured application routing | no-more
Filter __flowspec_default_inet__
Number Of Terms 5
App Name RPD
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : 10.1.1.1,20.1.1.1,proto=1,dstport=2,srcport=1
Status : Available
Match Conditions:
source-address
20.1.1.1/32
destination-address
10.1.1.1/32
source-port
[1-1]
destination-port
[2-2]
protocol
[1-1]
Actions:
accept
Term : 10.1.1.2,20.1.1.2,proto=2,dstport=3,srcport=2
Status : Available
Match Conditions:
source-address
20.1.1.2/32
destination-address
10.1.1.2/32
source-port
[2-2]
destination-port
[3-3]
protocol
[2-2]
Actions:
accept
Term : *,*,proto=3
Status : Available
Match Conditions:
protocol
[3-3]
Actions:
accept
Term : *,*,proto=4
Status : Will get merged to term *,*,proto=3 in optimied filter due to similar Match Conditions/Actions
Match Conditions:
protocol
[4-4]
Actions:
accept
Term : default-term
Status : Available
Match Conditions:
Actions:
accept
<show firewall configuration filter <filter-name> information-type compiled application <application-name>>
The show firewall configuration filter f1 information-type configured application
routing command showed the details of the firewall filter named f1
before optimization/compilation. The show firewall configuration filter f1 information-type
compiled application routing command shows the details of this firewall filter after
optimization/compilation. Before optimization/compilation, the following term was
identified for optimization:
- Term *,*,proto=4—Will get merged to term *,*,proto=3 in optimized filter due to similar Match Conditions/Actions
After optimization/compilation, as can be noted in the sample output:
- *,*,proto=4 and *,*,proto=3 were merged and *,*,proto=4 is removed.
user@host> run show firewall configuration filter __flowspec_default_inet__ information-type compiled application routing | no-more
Filter __flowspec_default_inet__
Number Of Terms 4
App Name RPD
Family Name inet
Interface/Instance Specific false
Fast Lookup false
Scale Mode false
No Incremental Update false
Layer2 Policer false
Term : 10.1.1.1,20.1.1.1,proto=1,dstport=2,srcport=1
Match Conditions:
source-address
20.1.1.1/32
destination-address
10.1.1.1/32
source-port
[1-1]
destination-port
[2-2]
protocol
[1-1]
Actions:
accept
Term : 10.1.1.2,20.1.1.2,proto=2,dstport=3,srcport=2
Match Conditions:
source-address
20.1.1.2/32
destination-address
10.1.1.2/32
source-port
[2-2]
destination-port
[3-3]
protocol
[2-2]
Actions:
accept
Term : *,*,proto=3
Match Conditions:
protocol
[3-4]
Actions:
accept
Term : default-term
Match Conditions:
Actions:
accept
Release Information
Command introduced in Junos OS Release 25.2R1