Display Firewall Filter Installation Status and Troubleshoot Installation Errors

This topic describes how to view firewall filter installation status and how to troubleshoot installation errors.

Overview

When a CLI or non-CLI firewall filter is configured and the configuration is committed successfully, the commit operation runs an optimization pass that may merge or eliminate terms of the filter. As a result, the configured and the committed (compiled) information of a firewall filter can differ. A CLI firewall filter is one configured through the CLI; a non-CLI firewall filter, such as a BGP FlowSpec firewall filter, is an implicit filter that the system creates from other configuration.

To view a firewall filter's configured information (before the optimization pass of the compilation operation) and its compiled information (after that pass), use the following commands.

  • show firewall configuration filter firewall_filter_name information-type configured displays a CLI firewall filter's configured information.

  • show firewall configuration filter firewall_filter_name information-type compiled displays a CLI firewall filter's compiled information.

  • show firewall configuration filter firewall_filter_name information-type configured application application-name displays a non-CLI firewall filter's configured information.

  • show firewall configuration filter firewall_filter_name information-type compiled application application-name displays a non-CLI firewall filter's compiled information.

Note:

Use set firewall enable-filter-debug to enable this feature.

When enabled, memory consumption increases in every application that publishes firewall filters. After you complete your debugging activity, disable the feature with the delete firewall enable-filter-debug command.

The following representative data indicates the memory and CPU cost of enabling this feature with the set firewall enable-filter-debug command, measured with 1000 firewall filters, each having 64 terms, each term matching on 5 tuples and using accept and counter as actions:

  • Memory consumption before committing the firewall filter configuration: 52 MB

  • Memory consumption after committing the firewall filter configuration: 2.097 GB

  • Memory consumption after applying the set firewall enable-filter-debug command: 2.306 GB

  • CPU time to commit the firewall filter configuration: 59 s

  • Additional CPU time after applying the set firewall enable-filter-debug command: 15 s

Firewall filters have owner applications. For non-CLI firewall filters, you must specify the owner application name from the following table to list the filter's configured or compiled information.

Table 1: CLI and non-CLI Owner Applications of Firewall Filters

  Application Name   Description
  cosd               cosd firewall filters (non-CLI)
  firewalld          Firewall module firewall filters (CLI)
  jdhcpd             jdhcpd firewall filters (non-CLI)
  l2cpd              l2cpd filters (non-CLI)
  lsp                LSP firewall filters (non-CLI)
  p4-switch          P4-switch firewall filters (non-CLI)
  ppmd               Periodic packet management daemon filters (non-CLI)
  routing (RPD)      BGP FlowSpec filters (non-CLI)

Platform Compatibility

This feature is supported on PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, and PTX10016 platforms from Junos OS Evolved 25.2R1 onwards.

Viewing Configured and Compiled Information of a Firewall Filter

After a firewall filter is configured, the Status field of each term in the configured view indicates whether that term will be optimized away or merged. In the following example, a CLI firewall filter f1 is configured and the debugging feature is enabled with set firewall enable-filter-debug; issuing show firewall configuration filter f1 information-type configured then displays the output below. Term : t2 shows the message Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions in its Status field, indicating that this term will be merged during compilation.

Issuing show firewall configuration filter f1 information-type compiled shows the same firewall filter after optimization/compilation. Term : t2 has been removed and merged into Term : t1.

The following output is for a non-CLI (implicit) firewall filter, such as a BGP FlowSpec firewall filter f2, displayed with show firewall configuration filter f2 information-type configured application routing. Because this filter is managed by the routing application, you specify routing as the application name. Term : t2 shows the message Will get merged to term t1 in optimized filter due to similar Match Conditions/Actions in its Status field, indicating that this term will be merged during compilation.

Issuing show firewall configuration filter f2 information-type compiled application routing shows the filter after optimization/compilation. Term : t2 has been removed and merged into Term : t1.

The following table describes the fields in these outputs.

Table 2: show firewall configuration filter <filter-name> information-type (configured | compiled) [application <application-name>] Output Fields

  Field Name                    Field Description
  Filter                        Name of the firewall filter.
  Number Of Terms               Number of terms in the firewall filter.
  App Name                      Owner application of the firewall filter.
  Family Name                   Firewall filter family.
  Interface/Instance Specific   True if the firewall filter is interface-specific or instance-specific; False otherwise.
  Fast Lookup                   True if the firewall filter is a Fast Lookup filter; False otherwise.
  Scale Mode                    True if the scale-mode setting is applied to the firewall filter; False otherwise.
  No Incremental Update         True if the no-incremental-update setting is applied to the firewall filter; False otherwise.
  Layer2 Policer                True if the layer2-policer setting is applied to the firewall filter; False otherwise.
  Term                          Name of the firewall filter term.
  Status                        Status of the term. Available means the term is retained after optimization/compilation. Will get discarded in optimized filter means the term is removed during optimization/compilation. Will get merged to term <name> in optimized filter due to similar Match Conditions/Actions means the term is folded into the named term.
  Match Conditions              Match conditions of the term.
  Actions                       Actions of the term.
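The configured view above lets you see which terms the compiler will merge or drop only after a commit, with the debug feature (and its memory cost) enabled. The following pre-commit lint is an added example written for this page; it is not Juniper code and does not reproduce the Junos compiler. It models a filter as an ordered term list with first-match semantics and flags exact duplicates (which the page says are reported as Will get merged) and terms whose match conditions are a superset of an earlier term's, which can never be hit. That the compiler reports such unreachable terms as Will get discarded is an assumption; match conditions are treated as exact field/value pairs, so prefix containment and port ranges are not modeled, and the real optimizer may merge more broadly than exact duplicates. The sample terms are constructed.

```python
"""Pre-commit lint for a Junos firewall filter's term list (added example).

Not Juniper code. Models a filter as an ordered list of terms with
first-match semantics and flags two situations:
  * a term whose match conditions and actions exactly duplicate an earlier
    term's (the page says the optimizer reports this as "Will get merged");
  * a term whose match conditions are a superset of an earlier term's, so
    every packet it could match is already claimed: it is unreachable.
    Treating this as the page's "Will get discarded" case is an assumption.
Match conditions are exact field/value pairs; prefix containment and port
ranges are not modeled. Sample terms below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Term:
    name: str
    match: frozenset    # {(field, value), ...}; empty means match everything
    actions: frozenset  # {"accept", "count c1", ...}


def term(name, match=None, actions=()):
    """Build a Term from a {field: value} dict and an iterable of actions."""
    return Term(name, frozenset((match or {}).items()), frozenset(actions))


def lint_filter(terms):
    """Return {term name: status} in the spirit of the page's Status field."""
    status = {}
    earlier = []
    for t in terms:
        st = "Available"
        for e in earlier:
            if e.match == t.match and e.actions == t.actions:
                st = (f"Will get merged to term {e.name} in optimized filter "
                      "due to similar Match Conditions/Actions")
                break
            if e.match <= t.match:
                # e matches everything t would match and comes first, so t
                # can never be hit (assumed to be what "discarded" covers).
                st = f"Unreachable: shadowed by term {e.name}"
                break
        status[t.name] = st
        earlier.append(t)
    return status


# Constructed sample filter: t2 duplicates t1, t4 is shadowed by t3,
# t5 is a catch-all so anything appended after it would be unreachable.
SAMPLE_FILTER = [
    term("t1", {"protocol": "tcp", "destination-port": "22"}, ["accept", "count c1"]),
    term("t2", {"protocol": "tcp", "destination-port": "22"}, ["accept", "count c1"]),
    term("t3", {"protocol": "tcp"}, ["discard"]),
    term("t4", {"protocol": "tcp", "destination-port": "443"}, ["accept"]),
    term("t5", {}, ["discard"]),
]

if __name__ == "__main__":
    for name, st in lint_filter(SAMPLE_FILTER).items():
        print(f"Term : {name:<4} Status : {st}")
```

Run it against the term list you are about to commit; a shadowed accept term after a broader discard (t4 here) is the kind of mistake that silently changes what the filter permits, and it is cheaper to catch before the commit than in the compiled view afterwards.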

Viewing Firewall Filter Installation Status and Troubleshooting Errors

Post compilation, the firewall filter is installed into the system. Installation errors are reported by way of syslog messages that provide information about the errors and actions to correct the errors.

Note:

Errors are also recorded at the telemetry sensor path /system/alarms.

Error messages are displayed in this format.

The following is the list of error codes.

Table 3: Error Codes

  FILTER_UNSUPPORTED_TYPE
    Unsupported filter type. Reduce the number of match conditions in the filter or remove incompatible match conditions from the filter.

  FILTER_CHAINING_FAILURE
    Filter chaining (next-filter) failure. Remove the filter from the chain.

  FILTER_UNSUPPORTED_MATCH_TYPE
    The filter does not support the match type. Remove the unsupported match.

  FILTER_UNSUPPORTED_ACTION_TYPE
    The filter does not support the action type. Remove the unsupported action.

  FILTER_EXCEED_MAX_TERMS_ALLOWED
    Reached the maximum number of terms in a firewall filter. Reduce the number of terms.

  FILTER_EXCEED_MAX_TCAM_ENTRIES_PER_FILTER
    Reached the maximum number of TCAM entries in a firewall filter. Reduce the number of VLAN ID, TCP flags, fragment offset and flags, IP options, TTL, PLP, FC, interface group, and MPLS EXP matches.

  FILTER_FFTC_MAX_NUM_OF_TERMS
    Reached the maximum number of fast filter terms. Reduce the number of terms.

  FILTER_FFTC_EXCEED_MAX_TCAM_ENTRIES_PFE_FILTER
    Reached the maximum number of fast filter TCAM entries. Reduce the number of terms.

  FILTER_FFTC_UNSUPPORTED_MATCH_TYPE
    The fast filter does not support the match type. Remove the unsupported match.

  FILTER_FFTC_MATCH_KEY_SIZE_EXCEEDED
    Reached the maximum fast filter match key size (too many match conditions). Reduce the number of match conditions in the filter or remove incompatible match conditions from the filter.

  FILTER_BETA_RESOURCE_NOT_AVAILABLE
    BETA resource exhausted. Reduce the number of port, protocol, or range matches.

  FILTER_ALPHA_RESOURCE_NOT_AVAILABLE
    ALPHA resource exhausted. Reduce the number of prefixes being matched.

  FILTER_TCAM_RESOURCE_NOT_AVAILABLE
    TCAM resource exhausted. Reduce the number of VLAN ID, TCP flags, fragment offset and flags, IP options, TTL, PLP, FC, interface group, and MPLS EXP matches.

  FILTER_ACTION_MEMORY_NOT_AVAILABLE
    Action memory exhausted. Reduce the number of actions.

  FILTER_PHYSICAL_FILTER_NOT_AVAILABLE
    Reached the maximum number of physical firewall filters. Reduce the number of attached firewall filters.

  FILTER_EXCEED_MAX_BINDS_ALLOWED
    Reached the maximum number of firewall filter attachments; vfmum allocation failed for the attachment of the new filter. Detach some firewall filters.

  FILTER_COUNTER_RESOURCE_NOT_AVAILABLE
    No more counters available. Reduce the number of counter actions.

  FILTER_POLICER_RESOURCE_NOT_AVAILABLE
    No more policers available. Reduce the number of policer actions.

  FILTER_UNSUPPORTED_TCP_FLAGS
    Processing of the TCP flags boolean expression failed. Change the TCP flags boolean expression.

  FILTER_HEAP_MEMORY_ALLOCATION_FAIL
    Software heap memory exhausted; creation of the filter template software object failed. Reduce the number of configured firewall filters.

  FILTER_INIT_ALLOC_FAIL
    Unable to initialize the firewall filter; the filter hardware instance was not created. Filter attachment with <bindName> in the <bindDir> direction failed. Remove the filter and retry.

In addition to syslog messages, the system provides show commands that you can use, in the following order, to verify whether the firewall filter installation succeeded.

  • show system alarms – If a firewall filter installation error exists, this command reports a high-level alarm. If no such alarm is shown, there are no firewall filter installation errors in the system. In the following example, the description reads Firewall software errors reported by consumer application, which indicates that one or more firewall filters in the firewall module have installation errors.

  • show system errors active detail – Provides a consolidated high-level description of each error per FPC/firewall filter module, together with the total number of occurrences of that error.

    • The Error Name field displays a standard Linux error code description, such as Invalid argument or No-space-left-on-device.

    • The Identifier field identifies the PFE application that reported the error. It has this format:

      • /<node-name>/<app-name>/0/SWError/0/<Obj-type>/0/<linux-error-name>

      • For single-linecard devices, <node-name> is /re/0. For devices with multiple linecards, <node-name> is the linecard name and slot number, for example /fpc/0 or /fpc/1.

      • <app-name> is the daemon that programs the linecard (for example evo-aftmand-bx or evo-aftmand-bt).

      • <Obj-type> is the Junos OS Evolved object type that is pushed from the control plane to the forwarding plane/linecard, for example IFF_filter_bind.

  • show system applications error detail – Lists every individual firewall filter installation error, with the exact error, its description, the filter name, and the corrective action. In the following example, the Error Description field shows the error code, the firewall filter with the installation error, the reason for the error, and the corrective action. See Table 3 for all the error codes the system can raise.

  • show firewall – In addition to statistics for all firewall filters, this command shows the firewall filters and bind points that encountered an error while being installed on the PFE. PFE programming of a filter can succeed on some attachment points (bind points) and fail on others. A filter in that state is only partially enforced: traffic at the failed bind points is not subject to the filter, so treat a bind error as a policy gap until it is resolved, not only as a programming error. show firewall gives a brief indication of the nature of the error in the Status field, as in the following example, where the firewall filter InputFlt1 shows BIND-ERROR. show firewall detailed lists the bind points where installation failed, as in the following example, where InputFlt1 failed to install at the bind points listed in the Errored Bindpoints field.
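The verification sequence above is easy to automate once the Identifier strings and syslog error codes are machine-readable. The following triage helper is an added example written for this page, not Juniper code: it decomposes an Identifier using the format documented above, counts occurrences per node/object/error, pulls FILTER_* codes out of syslog text, and checks each code against Table 3. Assumptions: the node name is rendered as a single "<card>/<slot>" segment behind one leading slash (the page writes it as /re/0 and /fpc/0), the syslog line layout around the error code is invented because the page does not reproduce it, and the capacity heuristic is my own reading of the code names. All sample identifiers and log lines are constructed.

```python
"""Triage helper for Junos OS Evolved firewall filter installation errors.

Added example for this page; not Juniper code. Parses the Identifier
field format documented for 'show system errors active detail' and the
FILTER_* error codes listed in Table 3. Sample data is constructed, and the
syslog line layout is an assumption (the page does not reproduce it).
"""
import re
from collections import Counter

# /<node-name>/<app-name>/0/SWError/0/<Obj-type>/0/<linux-error-name>
# Assumption: <node-name> appears as one "card/slot" segment, e.g. re/0 or fpc/1.
IDENTIFIER_RE = re.compile(
    r"^/(?P<node>[a-z]+/\d+)/(?P<app>[^/]+)/0/SWError/0/"
    r"(?P<obj>[^/]+)/0/(?P<errname>[^/]+)$"
)

# Error codes listed in Table 3 of this page.
KNOWN_CODES = frozenset({
    "FILTER_UNSUPPORTED_TYPE", "FILTER_CHAINING_FAILURE",
    "FILTER_UNSUPPORTED_MATCH_TYPE", "FILTER_UNSUPPORTED_ACTION_TYPE",
    "FILTER_EXCEED_MAX_TERMS_ALLOWED", "FILTER_EXCEED_MAX_TCAM_ENTRIES_PER_FILTER",
    "FILTER_FFTC_MAX_NUM_OF_TERMS", "FILTER_FFTC_EXCEED_MAX_TCAM_ENTRIES_PFE_FILTER",
    "FILTER_FFTC_UNSUPPORTED_MATCH_TYPE", "FILTER_FFTC_MATCH_KEY_SIZE_EXCEEDED",
    "FILTER_BETA_RESOURCE_NOT_AVAILABLE", "FILTER_ALPHA_RESOURCE_NOT_AVAILABLE",
    "FILTER_TCAM_RESOURCE_NOT_AVAILABLE", "FILTER_ACTION_MEMORY_NOT_AVAILABLE",
    "FILTER_PHYSICAL_FILTER_NOT_AVAILABLE", "FILTER_EXCEED_MAX_BINDS_ALLOWED",
    "FILTER_COUNTER_RESOURCE_NOT_AVAILABLE", "FILTER_POLICER_RESOURCE_NOT_AVAILABLE",
    "FILTER_UNSUPPORTED_TCP_FLAGS", "FILTER_HEAP_MEMORY_ALLOCATION_FAIL",
    "FILTER_INIT_ALLOC_FAIL",
})
CODE_RE = re.compile(r"\b(FILTER_[A-Z0-9_]+)\b")


def parse_identifier(identifier):
    """Split an Identifier into node, app, object type and Linux error name.

    Returns None when the string does not follow the documented layout, so
    callers can tell a non-firewall SWError/HWError apart from a parse bug.
    """
    m = IDENTIFIER_RE.match(identifier.strip())
    if not m:
        return None
    d = m.groupdict()
    card, slot = d["node"].split("/")
    d["card"], d["slot"] = card, int(slot)
    d["multi_linecard"] = card != "re"   # /re/0 means a single-linecard device
    return d


def summarize_identifiers(identifiers):
    """Count errors per (node, object type, error name); collect unparsable ones."""
    counts, unparsed = Counter(), []
    for ident in identifiers:
        p = parse_identifier(ident)
        if p is None:
            unparsed.append(ident)
            continue
        counts[(p["node"], p["obj"], p["errname"])] += 1
    return counts, unparsed


def is_capacity_code(code):
    """Heuristic (my own): codes naming exhausted resources vs. unsupported config."""
    return any(tok in code for tok in ("RESOURCE", "EXCEED", "MAX", "MEMORY", "ALLOC"))


def extract_filter_codes(syslog_lines):
    """Return [(code, known_in_table_3, capacity_related)] for every FILTER_* token."""
    found = []
    for line in syslog_lines:
        for code in CODE_RE.findall(line):
            found.append((code, code in KNOWN_CODES, is_capacity_code(code)))
    return found


# Constructed samples (not captured from a device).
SAMPLE_IDENTIFIERS = [
    "/fpc/0/evo-aftmand-bt/0/SWError/0/IFF_filter_bind/0/No-space-left-on-device",
    "/fpc/0/evo-aftmand-bt/0/SWError/0/IFF_filter_bind/0/No-space-left-on-device",
    "/fpc/1/evo-aftmand-bt/0/SWError/0/IFF_filter_bind/0/Invalid-argument",
    "/re/0/evo-aftmand-bx/0/SWError/0/IFF_filter_bind/0/Invalid-argument",
    "/fpc/2/evo-aftmand-bt/0/HWError/0/IFF_filter_bind/0/IO-error",  # not an SWError
]
SAMPLE_SYSLOG = [  # assumed layout, for demonstration only
    "fpc0 constructed: FILTER_TCAM_RESOURCE_NOT_AVAILABLE filter InputFlt1",
    "fpc0 constructed: FILTER_EXCEED_MAX_BINDS_ALLOWED filter InputFlt1",
    "fpc1 constructed: FILTER_UNSUPPORTED_MATCH_TYPE filter f3",
    "fpc1 constructed: FILTER_SOMETHING_UNDOCUMENTED filter f4",
]

if __name__ == "__main__":
    counts, unparsed = summarize_identifiers(SAMPLE_IDENTIFIERS)
    for key, n in counts.items():
        print(f"{n}x {key}")
    print("skipped:", unparsed)
    for code, known, capacity in extract_filter_codes(SAMPLE_SYSLOG):
        print(f"{code:<45} known={known} capacity={capacity}")
```

Feed it the Identifier column of show system errors active detail and your syslog export; a code that is not in Table 3 is worth escalating rather than guessing at, and a run of capacity-related codes on one FPC usually points at filter scale on that linecard rather than at a single bad term.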