Guidelines for Configuring Service Filters

Statement Hierarchy for Configuring Service Filters

To configure a service filter, include the service-filter service-filter-name statement at the [edit firewall family (inet | inet6)] hierarchy level:

Individual statements supported under the service-filter service-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a service filter.

Service Filter Protocol Families

You can configure service filters to filter IPv4 traffic (family inet) and IPv6 traffic (family inet6) only. No other protocol families are supported for service filters.

Service Filter Names

Under the family inet or family inet6 statement, you can include service-filter service-filter-name statements to create and name service filters. The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

Service Filter Terms

Under the service-filter service-filter-name statement, you can include term term-name statements to create and name filter terms.

  • You must configure at least one term in a firewall filter.

  • You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

  • The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.

Service Filter Match Conditions

Service filter terms support only a subset of the IPv4 and IPv6 match conditions that are supported for standard stateless firewall filters.

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see “IPv6 Overview” in the Junos OS Routing Protocols Library for Routing Devices.

Service Filter Terminating Actions

When configuring a service filter term, you must specify one of the following filter-terminating actions:

  • service

  • skip

Note: These actions are unique to service filters.

Service filter terms support only a subset of the IPv4 and IPv6 nonterminating actions that are supported for standard stateless firewall filters:

  • count counter-name

  • log

  • port-mirror

  • sample

Service filters do not support the next action.
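
The guidelines above, pulled together in one configuration. This is an added example, not taken from the Juniper documentation: the filter, term, and counter names and the documentation-range prefixes are constructed, and it assumes `protocol` and `destination-port` are among the match conditions supported for service filters.

```junos
firewall {
    family inet {
        service-filter sf-web-v4 {
            /* Terms are evaluated in the order configured. */
            term web-to-service {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port 443;
                }
                then {
                    /* Nonterminating action, then the terminating action. */
                    count sf-web-v4-serviced;
                    service;
                }
            }
            /* No from clause: matches whatever the earlier term did not. */
            term everything-else {
                then {
                    count sf-web-v4-skipped;
                    skip;
                }
            }
        }
    }
    family inet6 {
        service-filter sf-web-v6 {
            term lab-prefix {
                from {
                    /* IPv6 prefix in RFC 4291 text representation. */
                    source-address {
                        2001:db8:10::/48;
                    }
                }
                then service;
            }
            term everything-else {
                then skip;
            }
        }
    }
}
```

Counting both the `service` and the `skip` path makes it possible to confirm, from the counters alone, which traffic is actually being handed to service processing and which is bypassing it.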