Example: Bypassing Firewall Filters
This example describes how to configure multiple
filters using the service-filter-hit match/action combination
and contains the following sections:
Before You Begin
When using the service-filter-hit match/action
combination, keep the following in mind:
The order in which the filters are applied is important. You can ensure the order in which the filters are processed by specifying a filter precedence value for the interface. See Defining Dynamic Filter Processing Order for more information about dynamic filter processing and how to use the
precedencestatement.
Filter Bypass Overview
Packets must pass through each filter in a chain. However, if
you create a chain of filters to process different types of packets
(for example, voice, video, and data packets), you can streamline
the filter process, decreasing the amount of packet handling for each
filter in the chain, effectively bypassing unnecessary filters, by
using the service-filter-hit match/action combination at
the [edit firewall family family-name filter filter-name term term-name] hierarchy level.
Figure 1 shows the
logical processing flow through a chain of three filters (voice, video,
and data) where only processing for a specific data type is desired.
This configuration example shows an ingress filter flow. Though subsequent
ingress filters in a chain can detect whether the service-filter-hit action is set, egress filters do not. To bypass egress filters,
you must also configure the service-filter-hit match/action
combination on those filters.
Configuring Filter Bypass
- CLI Quick Configuration
- Configuring the Voice Filter
- Configuring the Video Filter
- Configuring the Data Filter
- Results
CLI Quick Configuration
To quickly configure this example:
[edit] set firewall filter voice term T1 from address 203.0.113.11/32 set firewall filter voice term T1 from source-port 5004-5005 set firewall filter voice term T1 then forwarding-class assured-forwarding service-filter-hit accept set firewall filter voice term default then accept set firewall filter video term T1 from service-filter-hit set firewall filter video term T1 then accept set firewall filter video term T2 from source-address 203.0.113.100/32 set firewall filter video term T2 then policer video-policer service-filter-hit accept set firewall filter video term default then accept set firewall filter data term T1 from service-filter-hit set firewall filter data term T1 then accept set firewall filter data term T2 then policer data-policer service-filter-hit accept
Configuring the Voice Filter
Step-by-Step Procedure
To configure the voice filter for the logical flow in Figure 1:
Configure the filter to apply the assured forwarding class and set the
service-filter-hitaction for traffic from a specific address and port range (over which voice traffic is expected).[edit] set firewall filter voice term T1 from address 203.0.113.11/32 set firewall filter voice term T1 from source-port 5004-5005 set firewall filter voice term T1 then forwarding-class assured-forwarding service-filter-hit accept
Configure the filter default action to pass (accept) packet traffic from any other address or port range.
[edit] set firewall filter voice term default then accept
Configuring the Video Filter
Step-by-Step Procedure
To configure the video filter for the logical flow in Figure 1:
Configure the filter to pass (accept) incoming packets that are tagged by the
service-filter-hitaction.[edit] set firewall filter video term T1 from service-filter-hit set firewall filter video term T1 then accept
Configure the filter to apply a video policer and set the
service-filter-hitaction for traffic from a specific address (over which video traffic is expected).[edit] set firewall filter video term T2 from source-address 203.0.113.100/32 set firewall filter video term T2 then policer video-policer service-filter-hit accept
Configure the filter default action to pass (accept) packet traffic from any other address or port range.
[edit] set firewall filter video term default then accept
Configuring the Data Filter
Step-by-Step Procedure
To configure the data filter for the logical flow in Figure 1:
Configure the filter to pass (accept) incoming packets that are tagged by the
service-filter-hitaction.[edit] set firewall filter data term T1 from service-filter-hit set firewall filter data term T1 then accept
Configure the filter to apply a data policer and set the
service-filter-hitaction for traffic from a specific address (over which video traffic is expected).[edit] set firewall filter data term T2 then policer data-policer service-filter-hit accept
Results
Display the results of the configuration:
[edit firewall]
user@host# show
filter voice {
term T1 {
from {
address {
203.0.113.11/32;
}
source-port 5004-5005;
}
then {
forwarding-class assured-forwarding;
service-filter-hit;
accept;
}
}
term default {
then accept;
}
}
filter video {
term T1 {
from {
service-filter-hit;
}
then accept;
}
term T2 {
from {
source-address {
203.0.113.100/32;
}
}
then {
policer video_policer;
service-filter-hit;
accept;
}
}
term default {
then accept;
}
}
filter data {
term T1 {
from {
service-filter-hit;
}
then accept;
}
term T2 {
then {
policer data_policer;
service-filter-hit;
accept;
}
}
}