Firewall Filter Match Conditions and Actions (PTX Series Routers)

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, the router takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the router accepts the packet by default.

On the PTX10003, you can apply multiple firewall filters to a single interface as a single input list or output list (filter input-list and output-list). In this way, you only manage the configuration for a filtering task in a single firewall filter. This gives you flexibility in large environments when you have a device configured with many interfaces. You can do the same on the PTX10008, but the router only supports applying multiple firewall filters to a single input-list.
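As an added example (not configuration from the original page), the following shows the pieces the paragraphs above describe: two separate filters, each made of terms with their own match conditions and actions, applied to one PTX10003 interface as a single input-list. The interface, filter, counter and prefix-list names are assumptions made for the example.

```junos
/* Added example: two independent filters combined on one interface as an input-list.
   Interface, filter, counter and prefix-list names are assumptions. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        /* First filter in the list: one filtering task (management access). */
        filter mgmt-access {
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-from-mgmt;
                    accept;
                }
            }
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* No from statement: this term matches every remaining packet. */
            term pass-remaining {
                then accept;
            }
        }
        /* Second filter in the list: a separate task (count everything that reaches it). */
        filter count-all {
            term count-remaining {
                then {
                    count all-other;
                    accept;
                }
            }
        }
    }
}
interfaces {
    et-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.1/30;
                filter {
                    input-list [ mgmt-access count-all ];
                }
            }
        }
    }
}
```

Filters in the list are evaluated in the order written; a packet that mgmt-access discards never reaches count-all, while a packet it accepts continues to the next filter in the list, so the counters in the two filters stay independent.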

  • Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

  • Table 2 shows the actions and action modifiers that you can specify in a term.

Table 1: Supported Match Conditions

Match Condition

Description

Supported Interfaces

address address [ except ]

Match the source or destination address field unless the except option is included.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

destination-address address [ except ]

Match the destination address field unless the except option is included.

You cannot specify both address and destination-address match conditions in the same term.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

destination-port number

Match the UDP or TCP destination port field. You must also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

You cannot specify both the port and destination-port match conditions in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

destination-port-except number

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

destination-prefix-list name [ except ]

Match destination prefixes in a list unless the except option is included. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

dscp number

Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7

IPv4 (inet) and IPv6 (inet6) interfaces.

dscp-except number

Do not match on the DSCP number. For more information, see the dscp match condition.

IPv4 (inet) and IPv6 (inet6) interfaces.

first-fragment

Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0.

This match condition is an alias for the bit-field match condition fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

IPv4 (inet) interfaces.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • network-control

  • no-loss

IPv4 (inet), IPv6 (inet6), and MPLS interfaces.

forwarding-class-except class

Do not match the forwarding class of the packet. For details, see the forwarding-class match condition.

IPv4 (inet), IPv6 (inet6), and MPLS interfaces.

fragment-flags number

Match the three-bit IP fragmentation flags field in the IP header.

In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont- (0x4), more-s (0x2), or reserved (0x8).

IPv4 (inet) interfaces.

fragment-offset value

Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet.

The first-fragment match condition is an alias for the fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

IPv4 (inet) interfaces.

fragment-offset-except number

Do not match the 13-bit fragment offset field.

IPv4 (inet) interfaces.

icmp-code message-code

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)

  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

IPv4 (inet) and IPv6 (inet6) interfaces.

icmp-code-except message-code

Do not match the ICMP message code field. For details, see the icmp-code match condition.

IPv4 (inet) and IPv6 (inet6) interfaces.

icmp-type number

Match the ICMP message type field. You must also configure icmp or icmpv6 as the protocol (IPv4) or next-header (IPv6) match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

See also the icmp-code match condition.

IPv4 (inet) and IPv6 (inet6) interfaces.

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

IPv4 (inet) and IPv6 (inet6) interfaces.

interface interface-name

For ingress filters, match the interface on which the packet was received.

For egress filters, match the interface on which the packet was sent.

Note:

PTX5000 series routers do not support attaching the em0.0 interface (the internal link between the Routing Engine and the Packet Forwarding Engine) to lo0 (the loopback interface), for example to filter self-originated traffic such as Telnet and SSH by creating a firewall filter on lo0 that matches traffic on em0.0. The following configuration, which is not supported on PTX5000, provides context:

firewall {
    filter core-protect {
        term Telnet {
            from {
                protocol tcp;
                destination-port telnet;
                interface em0.0;
            }
            then accept;
        }
    }
}

IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

interface-except number

Do not match the logical interface on which the packet was received. For details, see the interface match condition.

IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

is-fragment

Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet.

Note:

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

For PTX10003 routers running Junos OS Evolved, all fragmented packets including the first fragment of fragmented packets will match on any firewall filter term containing an "is-fragment" match.

IPv4 (inet) interfaces.

loss-priority level

Match the packet loss priority (PLP).

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Note:

The loss-priority action modifier is not supported in combination with the policer action.

IPv4 (inet), IPv6 (inet6), and MPLS interfaces.

loss-priority-except level

Do not match the PLP level. For details, see the loss-priority match condition.

IPv4 (inet), IPv6 (inet6), and MPLS interfaces.

next-header header-type

Match the first 8-bit next header field in the packet.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

IPv6 (inet6) interfaces.

next-header-except header-type

Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the next-header match type.

IPv6 (inet6) interfaces

packet-length bytes

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched.

IPv4 (inet), and IPv6 (inet6) interfaces.

packet-length-except bytes

Do not match the length of the received packet, in bytes. For details, see the packet-length match type.

IPv4 (inet), and IPv6 (inet6) interfaces.

port number

Match the UDP or TCP source or destination port field. You must also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

IPv4 (inet), and IPv6 (inet6) interfaces.

port-except number

Do not match either the source or destination UDP or TCP port field. For details, see the port match condition.

IPv4 (inet), and IPv6 (inet6) interfaces.

precedence ip-precedence-value

Match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

IPv4 (inet) interfaces.

precedence-except ip-precedence-value

Do not match the IP precedence field.

IPv4 (inet) interfaces.

protocol number

Match the IPv4 protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

IPv4 (inet) interfaces.

protocol-except number

Do not match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

IPv4 (inet) interfaces.

source-address ip-address

Match the IP source address field, which is the address of the node that sent the packet.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

source-address address [ except ]

Match the IP address of the source node sending the packet unless the except option is included. If the option is included, do not match the IP address of the source node sending the packet.

You cannot specify both the address and source-address match conditions in the same term.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

source-port value

Match the TCP or UDP source port. You must also configure the protocol udp or protocol tcp match statement in the same term.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

source-port-except number

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

source-prefix-list prefix-list

Match source prefixes in a list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

For IPv4 traffic only, this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. To check for this condition for IPv4 traffic only, use the first-fragment match condition.

IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

traffic-class value

Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

IPv6 (inet6) interfaces.

traffic-class-except number

Do not match the 8-bit field that specifies the CoS priority of the packet. For details, see the traffic-class match condition.

IPv6 (inet6) interfaces.

ttl number

Match the IPv4 or IPv6 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 0 through 255.

IPv4 (inet) and IPv6 (inet6) interfaces.

ttl-except number

Do not match on the IPv4 or IPv6 TTL number. For details, see the ttl match condition.

IPv4 (inet) and IPv6 (inet6) interfaces.

vxlan

Specify a numeric value or range of numeric values for the VNI. Apply the filter on the ingress interface.

  • vni vni-value—Match the VNI.

  • vni-except vni-value—Do not match the VNI.

IPv4 (inet) interfaces.
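As an added example (not configuration from the original page), the following IPv4 filter uses the fragment and TCP match conditions from Table 1 the way the table describes them: first-fragment and is-fragment in two separate terms, tcp-flags with the bit-field logical operators and an explicit protocol tcp, and a prefix-list match inverted with except. The filter, counter and prefix-list names and the peer prefix are assumptions made for the example.

```junos
/* Added example: IPv4 fragment handling and TCP flag matching with the
   conditions in Table 1. Filter, counter and prefix-list names are assumptions. */
policy-options {
    prefix-list trusted-peers {
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter ingress-policy {
            /* Term 1: only the first fragment (fragment-offset 0) carries the TCP
               header. tcp-flags does not check this by itself for IPv4, so
               first-fragment is added explicitly. */
            term bgp-syn-from-peers {
                from {
                    source-prefix-list {
                        trusted-peers;
                    }
                    protocol tcp;
                    first-fragment;
                    tcp-flags "(syn & !ack)";
                    destination-port bgp;
                }
                then {
                    count bgp-syn-from-peers;
                    accept;
                }
            }
            /* Term 2: trailing fragments carry no Layer 4 header, so they can only
               be matched by is-fragment, never by port or flag conditions. */
            term trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count trailing-fragments;
                    accept;
                }
            }
            /* Term 3: except inverts the prefix-list match, so this term sees BGP
               connection attempts from any source outside trusted-peers. */
            term bgp-from-others {
                from {
                    source-prefix-list {
                        trusted-peers except;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp-unexpected;
                    discard;
                }
            }
            /* Term 4: no from statement, so everything else matches. */
            term default-accept {
                then accept;
            }
        }
    }
}
```

Term order matters here: on a PTX10003 running Junos OS Evolved the is-fragment condition also matches first fragments (see the note under is-fragment in Table 1), so placing bgp-syn-from-peers before trailing-fragments is what keeps the first fragments of BGP sessions from being counted as trailing fragments.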

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Table 2: Actions and Action Modifiers

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

count counter-name

Count the number of packets that match the term.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note:

The forwarding-class action is supported on IPv4, IPv6, and MPLS interfaces.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

Note:

The log action modifier is only supported on IPv4 and IPv6 ingress interfaces.

loss-priority level

Set the packet loss priority (PLP).

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting). The PTX10003 supports two-color, single-rate three-color (srTCM), and two-rate three-color marker (trTCM) policers.

Note:

The policer action modifier is not supported in combination with the loss-priority action.

redirect instance-name

(Supported on PTX10004, PTX10008, and PTX10016 devices running Junos Evolved OS Release 22.1R1 only.)

Send packets to the P4 controller, as specified in the instance defined at the [services inline-monitoring instance instance-name controller p4] level of the Junos hierarchy.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 or ICMPv6 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, or source-route-failed.

Note:

The tcp-reset message type is not supported.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

syslog

Log an alert for this packet.

routing-instance instance-name

Forward matched packets to a virtual routing instance. Packets can be forwarded to the default instance.

Supported on virtual-router and forwarding instance-types.
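As an added example (not configuration from the original page), the following IPv4 filter combines the actions and action modifiers from Table 2 in separate terms so that the two restrictions noted in the table are respected: policer is never paired with loss-priority in the same term, and reject is paired with syslog so that rejected packets are recorded. The policer, filter and counter names and the rate values are assumptions made for the example.

```junos
/* Added example: actions and action modifiers from Table 2 used together.
   Policer, filter and counter names and the rate values are assumptions. */
firewall {
    /* Two-color policer: traffic above the limit is discarded. */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter edge-ingress {
            /* Rate-limit ICMP echo. This term sets no loss-priority because the
               policer action is not supported in combination with it. */
            term limit-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    policer icmp-limit;
                    count icmp-policed;
                    accept;
                }
            }
            /* reject sends an ICMP destination-unreachable message but does not log;
               syslog is added so the rejected packets are recorded. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-rejected;
                    syslog;
                    reject administratively-prohibited;
                }
            }
            /* Classify routing-protocol traffic; forwarding-class and loss-priority
               are set together in a term that has no policer. */
            term classify-bgp {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                    accept;
                }
            }
            /* discard drops silently (no ICMP message), unlike reject above. */
            term deny-rest {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
```

The counters are what make the filter observable: each action term has its own count name, so show firewall reports how many packets were policed, rejected, classified and silently dropped.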

IPv6 Firewall Filter Match Conditions and Actions (PTX10001-20C)

This topic describes the IPv6 firewall filter match conditions, actions, and action modifiers for PTX10001-20C routers.

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, the router takes the action specified in the term. You can also specify action modifiers to count, mirror, and classify packets. If no match conditions are specified for the term, the router accepts the packet by default.

Note:

On PTX10001-20C routers, you can only apply a firewall filter on IPv6 interfaces in the ingress direction.

  • Table 3 describes the supported match conditions.

  • Table 4 shows the actions that you can specify in a term. If you don’t include a then statement, the system accepts packets that match the filter.

  • Table 5 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.

Table 3: IPv6 Supported Match Conditions

Match Condition

Description

address address [ except ]

Match the IPv6 source or destination address field unless the except option is included. If the option is included, do not match the IPv6 source or destination address field.

apply-groups

Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

destination-address address [ except ]

Match the IPv6 destination address field unless the except option is included. If the option is included, do not match the IPv6 destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

destination-port number

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

destination-prefix-list prefix-list-name [ except ]

Match the IPv6 destination prefix to the specified list unless the except option is included. If the option is included, do not match the IPv6 destination prefix to the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

icmp-code message-code

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • destination-unreachable: administratively-prohibited (1), address-unreachable (3), no-route-to-destination (0), port-unreachable (4)

icmp-code-except message-code

Do not match the ICMP message code field. For details, see the icmp-code match condition.

icmp-type message-type

Match the ICMP message type field.

You must also configure the next-header icmp or next-header icmp6 match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148), destination-unreachable (1), echo-reply (129), echo-request (128), home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144), inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141), membership-query (130), membership-report (131), membership-termination (132), mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200 (200), private-experimentation-201 (201), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

For private-experimentation-201 (201), you can also specify a range of values within square brackets.

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

next

Continue to the next term in a filter.

next-header header-type

Match the first 8-bit Next Header field in the packet.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

Note:

next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option. next-header icmpv6 is hidden in the Junos OS CLI.

next-header-except header-type

Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the next-header match type.

port number

Match the UDP or TCP source or destination port field.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

port-except number

Do not match the UDP or TCP source or destination port field. For details, see the port match condition.

port-mirror instance-name

Port-mirror the packet.

port-mirror-instance instance-name

Port mirror a packet for an instance.

prefix-list prefix-list-name [ except ]

Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

sample

Sample the packet.

source-address address [ except ]

Match the IPv6 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv6 address of the source node sending the packet.

You cannot specify both the address and source-address match conditions in the same term.

source-port number

Match the UDP or TCP source port field.

You cannot specify the port and source-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

Note:

For Junos OS Evolved, you must configure the next-header udp or next-header tcp match statement in the same term.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-port-except number

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

source-prefix-list name [ except ]

Match the IPv6 address prefix of the packet source field unless the except option is included. If the option is included, do not match the IPv6 address prefix of the packet source field.

Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Note:

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.

Table 4: Actions for IPv6 Firewall Filters

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

redirect instance-name

(Supported on PTX10004, PTX10008, and PTX10016 devices running Junos Evolved OS Release 22.1R1 only.)

Send packets to the P4 controller, as specified in the instance defined at the [services inline-monitoring instance instance-name controller p4] level of the Junos hierarchy.

Table 5: Action Modifiers for IPv6 Firewall Filters

Action Modifier

Description

count counter-name

Count the number of packets that match the term.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note:

To configure a forwarding class, you must also configure loss priority.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).
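As an added example (not configuration from the original page), the following IPv6 filter for a PTX10001-20C uses the match conditions from Table 3 and the actions and modifiers from Tables 4 and 5: next-header icmp6 with the ICMPv6 text synonyms for Neighbor Discovery, next-header tcp alongside a destination-port match as Junos OS Evolved requires, and forwarding-class together with loss-priority as the Table 5 note requires. It is applied in the ingress direction only, the only direction supported on this platform. The interface, filter, counter and prefix-list names and the addresses are assumptions made for the example.

```junos
/* Added example: an IPv6 ingress filter for a PTX10001-20C.
   Interface, filter, counter and prefix-list names and addresses are assumptions. */
policy-options {
    prefix-list v6-mgmt-hosts {
        2001:db8:1::/64;
    }
}
firewall {
    family inet6 {
        filter v6-ingress {
            /* Neighbor Discovery and Router Advertisement are ICMPv6.
               next-header icmp6 is the preferred keyword; icmpv6 is the hidden alias. */
            term allow-nd {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-solicit router-advertisement ];
                }
                then {
                    count icmp6-nd;
                    accept;
                }
            }
            /* A port match on Junos OS Evolved requires next-header tcp or udp
               in the same term. */
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        v6-mgmt-hosts;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    count v6-ssh-mgmt;
                    accept;
                }
            }
            term deny-other-ssh {
                from {
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    count v6-ssh-denied;
                    discard;
                }
            }
            /* forwarding-class must be configured together with loss-priority. */
            term classify-rest {
                then {
                    forwarding-class best-effort;
                    loss-priority low;
                    count v6-other;
                    accept;
                }
            }
        }
    }
}
interfaces {
    et-0/0/1 {
        unit 0 {
            family inet6 {
                address 2001:db8:2::1/64;
                filter {
                    input v6-ingress;
                }
            }
        }
    }
}
```

The final term has no from statement, so every packet not handled by an earlier term is classified and accepted; leaving it out would give the same accept result, but without the forwarding-class setting or the v6-other counter.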