Understanding How Firewall Filters Are Evaluated

A firewall filter consists of one or more terms, and the order of the terms within a firewall filter is important. Before you configure firewall filters, you should understand how Juniper Networks EX Series Ethernet Switches evaluate the terms within a firewall filter and how packets are evaluated against the terms.

When a firewall filter consists of a single term, the filter is evaluated as follows:

  • If the packet matches all the conditions, the action in the then statement is taken.

  • If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.

When a firewall filter consists of more than one term, the firewall filter is evaluated sequentially:

  1. The packet is evaluated against the conditions in the from statement in the first term.

  2. If the packet matches all the conditions in the term, the action in the then statement is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.

  3. If the packet does not match all the conditions in the term, the packet is evaluated against the conditions in the from statement in the second term.

    This process continues until either the packet matches the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter.

  4. If a packet passes through all the terms in the filter without a match, the packet is discarded.

Figure 1 shows how an EX Series switch evaluates the terms within a firewall filter.

Figure 1: Evaluation of Terms Within a Firewall Filter

If a term does not contain a from statement, the packet is considered to match and the action in the then statement of the term is taken.

If a term does not contain a then statement, or if an action has not been configured in the then statement, and the packet matches the conditions in the from statement of the term, the packet is accepted.

Every firewall filter contains an implicit deny statement at the end of the filter, equivalent to an explicit final term that has no from statement (so it matches every packet that reaches it) and whose then statement specifies the discard action.

Consequently, if a packet passes through all the terms in a filter without matching any conditions, the packet is discarded. If you configure a firewall filter that has no terms, all packets that pass through the filter are discarded. If you want traffic that matches no earlier term to be accepted instead, configure an explicit final term that has no from statement and an accept action.
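As an added worked example (not code from the Juniper documentation), the following Python models the evaluation rules described above: terms are walked in order, the first match decides and later terms are never consulted, a term with no from statement matches every packet, a term with no then action accepts, and a packet that matches no term falls through to the implicit deny. It also includes a check that the page itself does not describe: finding terms that can never be reached because an earlier, broader term precedes them, which is the practical consequence of term order. The Term class, the term names, the packet fields and the sample packets are all constructed for this example; the model covers only simple field matches, not the full set of Junos match conditions.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT = "accept"
DISCARD = "discard"


@dataclass
class Term:
    """One term of a firewall filter (constructed model, not a Junos type).

    conditions: field -> set of permitted values, all of which must hold
                (the from statement); None models a term with no from
                statement, which matches every packet.
    action:     "accept" or "discard" (the then statement); None models a
                term with no then action, whose matches are accepted.
    """
    name: str
    conditions: Optional[dict] = None
    action: Optional[str] = None


def term_matches(term: Term, packet: dict) -> bool:
    """A term with no from statement matches; otherwise every condition must hold."""
    if term.conditions is None:
        return True
    return all(packet.get(fld) in allowed for fld, allowed in term.conditions.items())


def evaluate(terms: list, packet: dict) -> tuple:
    """Walk the terms in order; the first match decides and later terms are
    never consulted. A packet matching no term hits the implicit deny.
    Returns (action, name of the deciding term)."""
    for term in terms:
        if term_matches(term, packet):
            return (term.action or ACCEPT, term.name)
    return (DISCARD, "implicit-deny")   # the label for the implicit term is ours


def covers(broad: Term, narrow: Term) -> bool:
    """True if every packet that matches `narrow` would also match `broad`."""
    if broad.conditions is None:
        return True
    if narrow.conditions is None:
        return False
    return all(fld in narrow.conditions and narrow.conditions[fld] <= allowed
               for fld, allowed in broad.conditions.items())


def shadowed_terms(terms: list) -> list:
    """Names of terms that can never be reached because an earlier term
    already matches everything they would match. Conservative: it compares
    only the fields used in this model."""
    return [later.name
            for j, later in enumerate(terms)
            if any(covers(earlier, later) for earlier in terms[:j])]


# Constructed sample packets (only the fields the terms look at).
TELNET = {"protocol": "tcp", "destination-port": 23}
HTTPS = {"protocol": "tcp", "destination-port": 443}
DNS = {"protocol": "udp", "destination-port": 53}

# Specific discard term before the broad accept term: telnet is blocked.
SPECIFIC_FIRST = [
    Term("block-telnet", {"protocol": {"tcp"}, "destination-port": {23}}, DISCARD),
    Term("allow-tcp", {"protocol": {"tcp"}}),          # no then: matches are accepted
]

# The same two terms in the other order: allow-tcp matches telnet first, so
# block-telnet is never evaluated.
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

# A final term with no from statement replaces the implicit deny with accept.
CATCH_ALL_ACCEPT = SPECIFIC_FIRST + [Term("everything-else", None, ACCEPT)]


if __name__ == "__main__":
    for label, flt in [("specific-first", SPECIFIC_FIRST), ("broad-first", BROAD_FIRST),
                       ("catch-all-accept", CATCH_ALL_ACCEPT), ("empty", [])]:
        print(label, "shadowed:", shadowed_terms(flt))
        for pkt in (TELNET, HTTPS, DNS):
            print("  ", pkt, "->", evaluate(flt, pkt))
```

Running the script shows the ordering trap directly: with the broad allow-tcp term first, the telnet packet is accepted and the block-telnet term is reported as shadowed, while the empty filter discards every packet through the implicit deny.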