ON THIS PAGE
Example: Configuring Statistics Collection for a Firewall Filter
This example shows how to configure and apply a firewall filter that collects data according to parameters specified in an associated accounting profile.
Requirements
Firewall filter accounting profiles are supported for all traffic
types except family any
.
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you create a firewall filter accounting profile and apply it to a firewall filter. The accounting profile specifies how frequently to collect packet and byte count statistics and the name of the file to which the statistics are written. The profile also specifies that statistics are to be collected for three firewall filter counters.
Topology
The firewall filter accounting profile filter_acctg_profile
specifies that statistics are collected every 60 minutes, and
the statistics are written to the file /var/log/ff_accounting_file
. Statistics are collected for counters named counter1
, counter2
, and counter3
.
The IPv4 firewall filter named my_firewall_filter
increments a counter for each of three filter terms. The filter
is applied to logical interface ge-0/0/1.0
.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure an Accounting Profile
- Configure a Firewall Filter That References the Accounting Profile
- Apply the Firewall Filter to an Interface
- Confirm Your Candidate Configuration
- Clear the Counters and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
configuration commands into a text file, remove any line breaks, and
then paste the commands into the CLI at the [edit]
hierarchy
level.
set accounting-options file ff_accounting_file files 10 set accounting-options file ff_accounting_file transfer-interval 10 set accounting-options filter-profile filter_acctg_profile file ff_accounting_file set accounting-options filter-profile filter_acctg_profile interval 60 set accounting-options filter-profile filter_acctg_profile counters counter1 set accounting-options filter-profile filter_acctg_profile counters counter2 set accounting-options filter-profile filter_acctg_profile counters counter3 set firewall family inet filter my_firewall_filter accounting-profile filter_acctg_profile set firewall family inet filter my_firewall_filter term term1 from protocol ospf set firewall family inet filter my_firewall_filter term term1 then count counter1 set firewall family inet filter my_firewall_filter term term1 then discard set firewall family inet filter my_firewall_filter term term2 from source-address 10.108.0.0/16 set firewall family inet filter my_firewall_filter term term2 then count counter2 set firewall family inet filter my_firewall_filter term term2 then discard set firewall family inet filter my_firewall_filter term accept-all then count counter3 set firewall family inet filter my_firewall_filter term accept-all then accept set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input my_firewall_filter
Configure an Accounting Profile
Step-by-Step Procedure
To configure an accounting profile:
-
Create a log file to associate with the accounting profile.
[edit] user@host# edit accounting-options file ff_accounting_file files 10 edit accounting-options file ff_accounting_file transfer-interval 10
-
Create the accounting profile
filter_acctg_profile
.[edit] user@host# edit accounting-options filter-profile filter_acctg_profile
Configure the accounting profile to filter and collect packet and byte count statistics every 60 minutes and write them to the
/var/log/ff_accounting_file
file.[edit accounting-options filter-profile filter_acctg_profile] user@host# set file ff_accounting_file user@host# set interval 60
Configure the accounting profile to collect filter profile statistics (packet and byte counts) for three counters.
[edit accounting-options filter-profile filter_acctg_profile] user@host# set counters counter1 user@host# set counters counter2 user@host# set counters counter3
Configure a Firewall Filter That References the Accounting Profile
Step-by-Step Procedure
To configure a firewall filter that references the accounting profile:
Create the firewall filter
my_firewall_filter
.[edit] user@host# edit firewall family inet filter my_firewall_filter
Apply the filter-accounting profile
filter_acctg_profile
to the firewall filter.[edit firewall family inet filter my_firewall_filter] user@host# set accounting-profile filter_acctg_profile
Configure the first filter term and counter.
[edit firewall family inet filter my_firewall_filter] user@host# set term term1 from protocol ospf user@host# set term term1 then count counter1 user@host# set term term1 then discard
Configure the second filter term and counter.
[edit firewall family inet filter my_firewall_filter] user@host# set term term2 from source-address 10.108.0.0/16 user@host# set term term2 then count counter2 user@host# set term term2 then discard
Configure the third filter term and counter.
[edit firewall family inet filter my_firewall_filter] user@host# set term accept-all then count counter3 user@host# set term accept-all then accept
Apply the Firewall Filter to an Interface
Step-by-Step Procedure
To apply the firewall filter to a logical interface:
Configure the logical interface to which you will apply the firewall filter.
[edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure the interface address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.1.2.3/30
Apply the firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input my_firewall_filter
Confirm Your Candidate Configuration
Step-by-Step Procedure
To confirm your candidate configuration:
-
Confirm the configuration of the accounting profile by entering the
show accounting-options
configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show accounting-options file ff_accounting_file { files 10; transfer-interval 10; } filter-profile filter_acctg_profile { file ff_accounting_file; interval 60; counters { counter1; counter2; counter3; } }
Confirm the configuration of the firewall filter by entering the
show firewall
configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter my_firewall_filter { accounting-profile filter_acctg_profile; term term1 { from { protocol ospf; } then { count counter1; discard; } } term term2 { from { source-address { 10.108.0.0/16; } } then { count counter2; discard; } } term accept-all { then { count counter3; accept; } } } }
Confirm the configuration of the interfaces by entering the
show interfaces
configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input my_firewall_filter; } address 10.1.2.3/30; } } }
Clear the Counters and Commit Your Candidate Configuration
Step-by-Step Procedure
To clear the counters and commit your candidate configuration:
From operational command mode, use the
clear firewall all
command to clear the statistics for all firewall filters.To clear only the counters incremented in this example, include the name of the firewall filter.
[edit] user@host> clear firewall filter my_firewall_filter
Commit your candidate configuration.
[edit] user@host# commit
Verification
To verify that the filter is applied to the
logical interface, run the show interfaces
command with
the detail
or extensive
output level.
To verify that the three counters are collected separately,
run the show firewall filter my_firewall_filter
command.
user@host> show firewall filter my_firewall_filter Filter: my_firewall_filter Counters: Name Bytes Packets counter1 0 0 counter2 0 0 counter3 0 0