Firewall Filter Nonterminating Actions
Firewall filters support different sets of nonterminating actions for each protocol family, which include an implicit accept action. In this context, nonterminating means that other actions can follow these actions, whereas no other actions can follow a terminating action. As such, you cannot configure the next term action with a terminating action in the same filter term. You can, however, configure the next term action with another nonterminating action in the same filter term.

On Junos OS and Junos OS Evolved, next term cannot appear as the last term of the action. A filter term where next term is specified as an action but without any match conditions configured is not supported.
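
An added example, not from the Juniper documentation: a small Python check over set-style configuration lines that flags the two unsupported next term combinations described above, plus terms whose only actions are nonterminating and which therefore end in the implicit accept. The filter, term and counter names are constructed, the terminating-action set (accept, discard, reject) is an assumption because this page does not list it, and only the `set firewall family ... filter ...` form is parsed.

```python
import re
from collections import defaultdict

# Terminating actions assumed for this sketch (not listed on this page).
TERMINATING = {"accept", "discard", "reject"}

# Constructed sample in Junos "set" syntax; filter, term and counter names are made up.
SAMPLE = """\
set firewall family inet filter EDGE-IN term ssh-count from protocol tcp
set firewall family inet filter EDGE-IN term ssh-count from destination-port ssh
set firewall family inet filter EDGE-IN term ssh-count then count ssh-seen
set firewall family inet filter EDGE-IN term ssh-ok from protocol tcp
set firewall family inet filter EDGE-IN term ssh-ok then log
set firewall family inet filter EDGE-IN term ssh-ok then next term
set firewall family inet filter EDGE-IN term bad-mix from protocol udp
set firewall family inet filter EDGE-IN term bad-mix then next term
set firewall family inet filter EDGE-IN term bad-mix then discard
set firewall family inet filter EDGE-IN term no-match then count all
set firewall family inet filter EDGE-IN term no-match then next term
set firewall family inet filter EDGE-IN term drop-rest then discard
"""

LINE = re.compile(r"set firewall family (\S+) filter (\S+) term (\S+) (from|then) (.+)")

def lint(config):
    """Return {(filter, term): [findings]} for the rules in the text above."""
    terms = defaultdict(lambda: {"from": [], "then": []})
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, flt, term, kind, rest = m.groups()
            terms[(flt, term)][kind].append(rest.strip())
    findings = {}
    for key, t in terms.items():
        actions = {a.split()[0] if a != "next term" else a for a in t["then"]}
        has_next = "next term" in actions
        terminating = actions & TERMINATING
        out = []
        if has_next and terminating:
            out.append("next term combined with terminating action")
        if has_next and not t["from"]:
            out.append("next term without match conditions")
        if actions and not has_next and not terminating:
            out.append("implicit accept: evaluation stops here")
        if out:
            findings[key] = out
    return findings
```

In the sample, the count-only term `ssh-count` is the one to review: because of the implicit accept, matching packets never reach `drop-rest`.
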
Table 1 describes the nonterminating actions you can configure for a firewall filter term.
| Nonterminating Action | Description | Protocol Families |
|---|---|---|
| | Assign the packet to one of the 17 prioritized BGP output queues. | |
| | Count the packet in the named counter. | |
| | Configure the value of the Don’t Fragment bit (flag) in the IPv4 header to specify whether the datagram can be fragmented: Note: The | |
| | Set the IPv4 Differentiated Services code point (DSCP) bit. You can specify a numerical value from The default DSCP value is You can also specify one of the following text synonyms: Note: This action is not supported on PTX Series routers. Note: MPC line cards running on MX Series routers support any value (from 0 to 63) in conjunction with the Note: The actions | |
| | Police the packets of a traffic priority using the specified enhanced hierarchical policer. | |
| | By default, a hierarchical policer processes the traffic it receives according to the traffic’s forwarding class. Premium, expedited-forwarding traffic has priority for bandwidth over aggregate, best-effort traffic. The Note: The | |
| | Classify the packet to the named forwarding class: | |
| | Police the packet using the specified hierarchical policer. | |
| | Use the specified IPsec security association. Note: This action is not supported on MX Series routers, Type 5 FPCs on T4000 routers, and PTX Series Packet Transport Routers. | |
| | Use the specified load-balancing group. Note: This action is not supported on MX Series routers or PTX Series Packet Transport Routers. | |
| | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the Note: The Layer 2 (L2) families log action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DPCs). For MX Series routers with DPCs, the log action for L2 families is ignored if configured. | |
| | Direct packets to a specific logical system. | |
| | Set the packet loss priority (PLP) level. You cannot also configure the This action is supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the For information about the | |
| | Use the specified next-hop group. We recommend that you do not use the | |
| | (MX Series) Direct packets to the specified outgoing interface. | |
| | (MX Series) Direct packets to the specified destination IPv4 address. | |
| | (MX Series) Direct packets to the specified destination IPv6 address. | |
| | Updates a bit field in the packet key buffer, which specifies traffic that will bypass flow-based forwarding. Packets with the | |
| | Name of policer to use to rate-limit traffic. | |
| | (MX Series) Name of policy map used to assign specific rewrite rules to a specific customer. | |
| | Port-mirror the packet based on the specified family. This action is supported on M120 routers, M320 routers configured with Enhanced III FPCs, MX Series routers, and PTX Series Packet Transport Routers only. We recommend that you do not use both the | |
| | Port mirror a packet for an instance. This action is supported only on the MX Series routers. We recommend that you do not use both the | |
| | Count or police packets based on the specified action name. Note: This action is not supported on PTX Series Packet Transport Routers. | |
| | Direct packets to the specified routing instance. | |
| | Sample the packet. Note: Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled. | |
| | Use the inline counting mechanism when capturing subscriber per-service statistics. Count the packet for service accounting. The count is applied to a specific named counter ( The Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. | |
| | Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter ( The Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. | |
| | (Only if the Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. | |
| | Mark packets that pass the match conditions of the rule with the slice identifier corresponding to the Services Network-Slicing configuration. See slice (firewall filter action). | |
| | Log the packet to the system log file. The syslog firewall action for existing Input interface, action, VLAN ID1, VLAN ID2, Ethernet type, source and destination MAC addresses, protocol, source and destination IP addresses, source and destination ports, and the number of packets. Note: The L2 families syslog action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DPCs). For MX Series routers with DPCs, the syslog action for L2 families is ignored if configured. | |
| | Police the packet using the specified single-rate or two-rate three-color policer. Note: You cannot also configure the | |
| | Specify the traffic-class code point. You can specify a numerical value from The default traffic-class value is best effort, that is, In place of the numeric value, you can specify one of the following text synonyms: Note: The actions | |