Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Firewall Filter Bypass

You can streamline the filter process, decrease the amount of packet handling for each filter in a chain, and effectively bypass unnecessary filters by using the service-filter-hit match/action combination at the [edit firewall family family-name filter filter-name term term-name] hierarchy level.

To bypass firewall filters using the service-filter-hit match/action combination, you configure the service-filter-hit action in at least one filter in the chain and configure service-filter-hit match condition in any subsequent filters that you want to bypass. All packets must pass through each filter in a chain. However, after the service-filter-hit flag is set in a packet, the packet “bypasses” any subsequent filters that contain the service-filter-hit match condition and more efficiently passes (accepts) marked packets and accelerating the filter process.


When using the service-filter-hit match/action combination, the order in which the filters are applied is important. You can ensure the order in which the filters are processed by specifying a filter precedence value for the interface. See Defining Dynamic Filter Processing Order for more information about dynamic filter processing.

To bypass filter processing:

  1. Specify the service-filter-hit action for any filters in a filter chain.

    When the match conditions for the filter are met, the service-filter-hit action is set to indicate to subsequent filters that further processing is unnecessary.

  2. Specify the service-filter-hit match condition in any filters with a lower precedence (that is, a higher precedence statement value) that you want to detect service-filter-hit actions applied from previous filters in the chain.
  3. Configure the filter to pass (accept) any packet that has a service-filter-hit action applied from any previous filters.