Service Filter Overview
Services
The Adaptive Services Physical Interface Cards (PICs), Multiservices PICs, and Multiservices Dense Port Concentrators (DPCs) provide adaptive services interfaces. Adaptive services interfaces enable you to coordinate a special range of services on a single PIC or DPC by configuring a set of services and applications.
Service filters are not supported on T4000 routers.
Service Rules
A service set is an optional definition you can apply to the traffic at an adaptive services interface. A service set enables you to configure combinations of directional rules and default settings that control the behavior of each service in the service set.
Service Rule Refinement
When you apply a service set to the traffic at an adaptive services interface, you can optionally use service filters to refine the target of the set of services and also to process traffic. Service filters enable you to manipulate traffic by performing packet filtering to a defined set of services on an adaptive services interface before the traffic is delivered to its destination. You can apply a service filter to traffic before packets are accepted for input or output service processing or after packets return from input service processing.
Service Filter Counters
Like standard firewall filters, service filters support counting of matched packets. When you display counters for a service filter, however, the syntax for specifying the filter name includes the name of the service set to which the service filter is applied.
To enable counting of the packets matched by a service filter term, specify the count counter-name nonterminating action in that term.
To display counters for service filters, use the show firewall filter filter-name <counter counter-name> operational mode command, and specify the filter-name as follows:
__service-service-set-name:service-filter-name
For example, suppose you configure a service filter named out_filter with a counter named out_counter and apply that service filter to a logical interface to direct certain packets for processing by the output services associated with the service set nat_set. In this scenario, the syntax for using the show firewall operational mode command to display the counter is as follows:
[edit]
user@host> show firewall filter __service-nat_set:out_filter counter out_counter
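A configuration sketch of the scenario above, added here as an illustration and not taken from the original page. The interface ge-0/0/0 unit 0, the term names and the source prefix are assumptions; the service set nat_set is assumed to be defined elsewhere under [edit services].

```junos
firewall {
    family inet {
        /* Service filter from the example above */
        service-filter out_filter {
            term to_services {                      /* term name is an assumption */
                from {
                    source-address {
                        192.0.2.0/24;               /* constructed sample prefix */
                    }
                }
                then {
                    count out_counter;              /* nonterminating: count matched packets */
                    service;                        /* terminating: send packet to service processing */
                }
            }
            term bypass {                           /* term name is an assumption */
                then skip;                          /* all other traffic bypasses the services */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                                      /* interface name is an assumption */
        unit 0 {
            family inet {
                service {
                    output {
                        /* Only packets accepted by out_filter reach nat_set's output services */
                        service-set nat_set service-filter out_filter;
                    }
                }
            }
        }
    }
}
```

Because the filter is bound through the service set, the counter is read with the composite name __service-nat_set:out_filter rather than out_filter alone.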