Firewall Filter Match Conditions and Actions (QFX10000 Switches)

destination-address ip-address

IP destination address field, which is the address of the final destination node.

Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

destination-port value

TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813),radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

ingress IRB interface for EVPN/VXLAN fabric, where applicable

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

• be—best effort (default)

• ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

• af11 (10), af12 (12), af13 (14);

  af21 (18), af22 (20), af23 (22);

  af31 (26), af32 (28), af33 (30);

  af41 (34), af42 (36), af43 (38)

  These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

• cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, cs5

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress ports, VLANs, and IPv4 (inet) interfaces.

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

• aarp (0x80F3)—EtherType value AARP

• appletalk (0x809B)—EtherType value AppleTalk

• arp (0x0806)—EtherType value ARP

• fcoe (0x8906)—EtherType value FCoE

• fip (0x8914)—EtherType value FIP

• ipv4 (0x0800)—EtherType value IPv4

• ipv6 (0x08DD)—EtherType value IPv6

• mpls-multicast (0x8848)—EtherType value MPLS multicast

• mpls-unicast (0x8847)—EtherType value MPLS unicast

• oam (0x88A8)—EtherType value OAM

• ppp (0x880B)—EtherType value PPP

• pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

• pppoe-session (0x8864)—EtherType value PPPoE Session Stage

• sna (0x80D5)—EtherType value SNA

Ingress ports and VLANs.

Egress ports and VLANs.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

• best-effort

• fcoe

• network-control

• no-loss

Egress IPv4 (inet) and IPv6 (inet6) interfaces.

fragment-flags value

IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed):

• is-fragment

• dont-fragment (0x4000)

• more-fragments (0x2000)

• reserved (0x8000)

Ingress ports, VLANs, and IPv4 (inet) interfaces.

hop-limit value

Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255.

Ingress and egress IPv6 (inet6) interfaces.

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

• IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

• IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

• redirect—redirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

• time-exceeded—ttl-eq-zero- during-reassembly (1), ttl-eq-zero-during-transit (0)

• IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

• IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces

icmp-type value

ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), destination unreachable (3), source-quench (4), redirect (5), echo-request (8), IPv4 (inet)-advertisement (9), IPv4 (inet)-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also icmp-code variable.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

interface interface-name

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports, egress ports, and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-options

Specify any to create a match if anything is specified in the options field in the IP header.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports and VLANs.

Egress ports and VLANs.

ip-protocol number

IP protocol field.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-version address

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs.

Egress ports and VLANs.

is-fragment

Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

learn-1p-priority number

Matches the specified IEEE 802.1p VLAN priority bits in the range 0-7.

Ingress ports and VLANs.

Egress ports and VLANs.

learn-vlan-id number

Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). To use filter memory most efficiently and maximize the number of possible filters, use this condition in addition to user-id when you want to match on the inner (customer) VLAN ID. The acceptable values are 1-4095.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Egress IPv4 (inet) and IPv6 (inet6) interfaces.

next-header value

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6 (58), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

packet-length number

Packet length in bytes. You must enter a number between 0 and 65535.

Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

• routine (0)

• priority (1)

• immediate (2)

• flash (3)

• flash-override (4)

• critical-ecp (5)

• internet-control (6)

• net-control (7)

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

protocol type

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6, igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

source-address ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

source-port value

TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

tcp-established

Match packets of an established TCP connection. This condition matches packets other than those used to set up a TCP connection—that is, three-way handshake packets are not matched.

When you specify tcp-established, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-flags value

One or more TCP flags:

• ack (0x10)

• fin (0x01)

• push (0x08)

• rst (0x04)

• syn (0x02)

• urgent (0x20)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-initial

Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set.

When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

traffic-class value

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

user-vlan-id number

Matches the ID of the inner (customer) VLAN in a Q-in-Q VLAN. To use filter memory most efficiently and maximize the number of possible filters, use in combination with learn-vlan-id to match the outer (service) VLAN ID. The acceptable values are 1-4095.

Ingress ports and VLANs.

Egress ports and VLANs.

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

routing-instance instance-name

Forward matched packets to a virtual routing instance. (The only supported instance type is virtual-router.) Packets can be forwarded to the default instance.

vlan VLAN-name

Forward matched packets to a specific VLAN.

count counter-name

Count the number of packets that match the term.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

• best-effort

• fcoe

• mcast

• network-control

• no-loss

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

You can specify a policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

port-mirror

(ELS platforms) Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

port-mirror-instance port-mirror-instance-name

(ELS platforms) Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

syslog

Log an alert for this packet.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) filters.