Understanding Firewall Filter Match Conditions

Learn how to configure match conditions for firewall filters on Juniper switches.

Before you configure firewall filter terms, understand how match conditions are evaluated and how to write each type of match condition so that the filter selects exactly the traffic you intend.

Filter Match Conditions

In the from statement of a firewall filter term, specify the conditions a packet must meet to trigger the actions in the term's then statement. A packet matches the term only if it satisfies every condition in the from statement (the conditions are ANDed together); the order in which you list the conditions does not matter.

Important:

Unlike traditional Junos OS firewall filters, these filters have two restrictions:

  • An individual match condition cannot contain a list of values (a numeric range or several addresses); each condition takes exactly one value.
  • A match condition cannot be negated with the except keyword.

Numeric Match Conditions

Match numeric fields, such as port or protocol numbers, by specifying either:

  • A single number: source-port 25
  • The text synonym for that number: source-port http (equivalent to source-port 80)

Restriction: A numeric match condition accepts only one value. Numeric ranges (such as 1024-65535) and comma-separated lists are not supported; to match several values, configure a separate term for each value.

Interface Match Conditions

Match on the interface a packet arrives on or leaves through by specifying the interface name. The platform determines whether the logical unit number is part of the name:

Note:

QFX Series: Always include the logical unit number, for example ge-0/0/6.0. A wildcard may be used for the unit, for example ge-0/0/6.*, to match every logical unit on the physical port.

Note:

EX Series: The logical unit number is not required for port or VLAN interfaces, but it may be used for Layer 3 (routed) interfaces, for example ge-0/1/0.0.

IP Address Match Conditions

Specify an IP address with an optional prefix length in address/prefix-length notation; the condition matches any address within that prefix.

If you omit the prefix length, it defaults to /32, so the condition matches only that single host address.

MAC Address Match Conditions

Specify a MAC address as six hexadecimal bytes. Several separator formats are accepted on input; whichever you enter, the address is interpreted in the standard colon-separated form 00:11:22:33:44:55, and that is the form the switch displays.

Bit-Field Match Conditions

Bit-field match conditions, such as tcp-flags, test individual bits within a packet field. Combine bit values with the logical operators in Table 1.

Table 1: Logical Operators for Bit-Field Matching

  Operator   Description
  !          Negation (the bit is not set)
  &          Logical AND (both bits are set)
  |          Logical OR (either bit is set)

Important:

Operator usage guidelines:

  • Enclose an expression that contains an operator in double quotation marks, because the operator characters are special to the CLI: "syn|fin"
  • Do not put spaces between values and operators.
  • An OR operation can combine at most two values.
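The following matcher puts the rules from the numeric, IP address, MAC address and bit-field sections above into running code, so you can see how a term's from-conditions are ANDed and which configuration values are refused. It is an added example written for this page, not Juniper code and not a model of the switch's forwarding path. The port synonym table, acceptance of the dotted MAC form, AND binding tighter than OR, hexadecimal bit-field values, and the packet dictionary layout are this example's own assumptions.

```python
"""Evaluator for firewall-filter-style match conditions (added example, not Juniper code).

Rules modelled from the page: all from-conditions must match, order irrelevant;
a numeric field takes one number or one text synonym, never a range or list;
an IP address without a prefix length is a /32; MAC addresses normalize to the
colon form; bit-field expressions use !, & and | with no spaces and at most two
operands per OR. Synonym table, dotted MAC input, AND-over-OR precedence, hex
bit values and the packet dict layout are assumptions of this example.
"""
import ipaddress
import re

PORT_SYNONYMS = {"ssh": 22, "smtp": 25, "dns": 53, "http": 80, "https": 443}  # assumed subset
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
NUMERIC = ("source-port", "destination-port")
ADDRESS = ("source-address", "destination-address")
MAC = ("source-mac-address", "destination-mac-address")


def parse_numeric(value, synonyms=PORT_SYNONYMS):
    """A numeric match is exactly one number or one text synonym."""
    value = str(value)
    if value in synonyms:
        return synonyms[value]
    if re.fullmatch(r"\d+", value):
        return int(value)
    if re.search(r"[-,\s]", value):
        raise ValueError(f"{value!r}: ranges and lists are not supported; use one term per value")
    raise ValueError(f"{value!r}: not a number or known text synonym")


def normalize_mac(value):
    """Accept 00:11:22:33:44:55 or 0011.2233.4455 (assumed form); return the colon form."""
    digits = re.sub(r"[:.]", "", value.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"{value!r} is not a 48-bit MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def compile_bitfield(expr, names=TCP_FLAG_BITS):
    """Turn "syn|fin" or "syn&!ack" into predicate(bits); grammar: or := and ('|' and)?, and := not ('&' not)*."""
    if not expr or any(c.isspace() for c in expr):
        raise ValueError(f"bit-field expression {expr!r} must not contain spaces")
    tokens = re.findall(r"!|&|\||[a-z]+|0x[0-9a-f]+|\d+", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unexpected characters in {expr!r}")
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"{expr!r}: expression ends early")
        pos += 1
        return tokens[pos - 1]

    def parse_not():
        tok = take()
        if tok == "!":
            inner = parse_not()
            return lambda bits: not inner(bits)
        if tok in names:
            mask = names[tok]
        elif re.fullmatch(r"0x[0-9a-f]+|\d+", tok):
            mask = int(tok, 16) if tok.startswith("0x") else int(tok)
        else:
            raise ValueError(f"{tok!r}: unknown bit-field value or misplaced operator")
        return lambda bits: (bits & mask) == mask  # every bit in the mask is set

    def parse_and():
        pred = parse_not()
        while pos < len(tokens) and tokens[pos] == "&":
            take()
            pred = (lambda l, r: lambda bits: l(bits) and r(bits))(pred, parse_not())
        return pred

    def parse_or():
        pred, operands = parse_and(), 1
        while pos < len(tokens) and tokens[pos] == "|":
            take()
            operands += 1
            if operands > 2:
                raise ValueError(f"{expr!r}: at most two values per OR operation")
            pred = (lambda l, r: lambda bits: l(bits) or r(bits))(pred, parse_and())
        return pred

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError(f"{expr!r}: unexpected {tokens[pos]!r}")
    return pred


def compile_term(conditions):
    """Compile a term's from-conditions into predicate(packet); every condition must match."""
    preds = []
    for name, value in conditions.items():
        if name in NUMERIC:
            preds.append(lambda pkt, k=name, w=parse_numeric(value): pkt.get(k) == w)
        elif name in ADDRESS:
            net = ipaddress.ip_network(value, strict=False)  # "192.0.2.10" becomes 192.0.2.10/32
            preds.append(lambda pkt, k=name, n=net: ipaddress.ip_address(pkt[k]) in n)
        elif name in MAC:
            preds.append(lambda pkt, k=name, m=normalize_mac(value): normalize_mac(pkt[k]) == m)
        elif name == "tcp-flags":
            flags = compile_bitfield(value.strip('"'))  # CLI quotes are not part of the expression
            preds.append(lambda pkt, f=flags: f(pkt.get("tcp-flags", 0)))
        else:
            raise ValueError(f"{name!r}: match condition not modelled in this example")
    return lambda pkt: all(p(pkt) for p in preds)


def rejects(func, *args):
    """True when a configuration value is refused, as the CLI would refuse it."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def demo():
    """Constructed term and packets; returns one match result per packet."""
    term = compile_term({
        "source-address": "10.1.1.0/24",
        "destination-address": "192.0.2.10",   # no prefix length: single host only
        "destination-port": "smtp",            # text synonym for 25
        "source-mac-address": "0011.2233.4455",
        "tcp-flags": '"syn&!ack"',             # new connection attempts only
    })
    base = {"source-address": "10.1.1.7", "destination-address": "192.0.2.10", "destination-port": 25,
            "source-mac-address": "00:11:22:33:44:55", "tcp-flags": 0x02}
    packets = [base,
               dict(base, **{"tcp-flags": 0x12}),                    # syn+ack: !ack fails
               dict(base, **{"destination-address": "192.0.2.11"}),  # outside the implied /32
               dict(base, **{"destination-port": 587})]              # one value per term, not a range
    return [term(p) for p in packets]
```

Note that the three constructed packets after the first each fail a different condition, which is the practical consequence of the AND semantics: one mismatching condition is enough to fall through to the next term. To see the restrictions from the Important note enforced, call rejects(parse_numeric, "1024-65535") or rejects(compile_bitfield, "syn|fin|rst").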