Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Applying Filters and Services to Interfaces

When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces on the router. To associate a defined service set with an interface, include the service-set statement with the input or output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:


When you enable services on an interface, reverse-path forwarding is not supported. You cannot configure services on the management interface (fxp0) or the loopback interface (lo0).

You can configure different service sets on the input and output sides of the interface. However, for service sets with bidirectional service rules, you must include the same service set definition in both the input and output statements. Any service set you include in the service statement must be configured with the interface-service statement at the [edit services service-set service-set-name] hierarchy level; for more information, see Configuring Service Sets to be Applied to Services Interfaces.


If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an Internet Control Message Protocol (ICMP) error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction.

Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.

Configuring Service Filters

You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes that the match condition is true and selects the service set for processing automatically.

To configure service filters, include the firewall statement at the [edit] hierarchy level:


You must specify inet as the address family to configure a service filter.

You configure service filters in a similar way to firewall filters. Service filters have the same match conditions as firewall filters, but the following specific actions:

  • count—Add the packet to a counter total.

  • log—Log the packet.

  • port-mirror—Port-mirror the packet.

  • sample—Sample the packet.

  • service—Forward the packet for service processing.

  • skip—Omit the packet from service processing.

For more information about configuring firewall filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

You can also include more than one service set definition on each side of the interface. If you include multiple service sets, the router software evaluates them in the order specified in the configuration. It executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions.

An additional statement allows you to specify a filter for processing the traffic after the input service set is executed. To configure this type of filter, include the post-service-filter statement at the [edit interfaces interface-name unit logical-unit-number family inet service input] hierarchy level:


The software performs postservice filtering only when it has selected and executed a service set. If the traffic does not meet the match criteria for any of the configured service sets, the postservice filter is ignored. The post-service-filter statement is not supported when the service interface is on an MS-MIC or MS-MPC.

For an example of applying a service set to an interface, see Examples: Configuring Services Interfaces.

For more information on applying filters to interfaces, see the Junos OS Network Interfaces Library for Routing Devices. For general information on filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.


After NAT processing is applied to packets, they are not subject to output service filters. The service filters affect only untranslated traffic.