Configuring Firewall Filter Bypass
You can streamline the filter process, decrease the amount of packet handling for each filter in a chain, and effectively bypass unnecessary filters by using the service-filter-hit match/action combination at the [edit firewall family family-name filter filter-name term term-name] hierarchy level.
To bypass firewall filters using the service-filter-hit match/action combination, you configure the service-filter-hit action in at least one filter in the chain and configure the service-filter-hit match condition in any subsequent filters that you want to bypass.
All packets must pass through each filter in a chain. However, after the service-filter-hit flag is set in a packet, the packet “bypasses” any subsequent filters that contain the service-filter-hit match condition. Those filters pass (accept) marked packets more efficiently, which accelerates the filter process.
When using the service-filter-hit match/action combination, the order in which the filters are applied is important. You can ensure the order in which the filters are processed by specifying a filter precedence value for the interface. See Defining Dynamic Filter Processing Order for more information about dynamic filter processing.
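The following configuration is an added illustration of the match/action pairing described above, not part of the original documentation. The filter names, term names, the 192.0.2.0/24 prefix, and the Telnet term are constructed for the example, and it assumes that mark-trusted is processed before inspect-rest in the chain.

```junos
firewall {
    family inet {
        /* Processed first: sets the flag on traffic that later filters may skip. */
        filter mark-trusted {
            term mark {
                from {
                    source-address {
                        /* constructed documentation prefix */
                        192.0.2.0/24;
                    }
                }
                then {
                    /* action: set the service-filter-hit flag in the packet */
                    service-filter-hit;
                    accept;
                }
            }
            term unmarked {
                /* no flag set; these packets are fully evaluated by later filters */
                then accept;
            }
        }
        /* Processed later: the bypass term is listed first so that marked
           packets are accepted before any other term is evaluated. */
        filter inspect-rest {
            term bypass-marked {
                from {
                    /* match condition: flag was set by an earlier filter */
                    service-filter-hit;
                }
                then accept;
            }
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then discard;
            }
            term default {
                then accept;
            }
        }
    }
}
```

Because bypass-marked accepts every flagged packet before block-telnet is evaluated, the match conditions in the term that sets the flag determine which traffic skips the later checks, so keep that term as narrow as the traffic you intend to exempt.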
To bypass filter processing: