show firewall

Syntax

Description

Display statistics about configured firewall filters.

On Junos OS systems, the option list for the show firewall filter command (for example, the completions offered when you type ? after it) includes the configured Flowspec filters.

On Junos OS Evolved systems, however, the Flowspec filter names are not listed there. To view Flowspec filters on Junos OS Evolved, use the show firewall application routing command.

Options

none

(Optional) Display statistics and counters for all configured firewall filters. For EX Series switches, this command also displays statistics about all configured policers.

application (cfm | eswd | rmps)

(Optional) Show firewall elements owned by the selected software component:

  • Connectivity Fault Management (cfm)

  • Ethernet switching daemon (eswd). Shown only on devices that support it.

  • Resource Management and Packet Steering (rmps)

counter counter-name

(Optional) Name of a filter counter.

detail

(EX Series switches and MX Series routers only) (Optional) Display firewall filter statistics and enhanced policer statistics and counters.

filter filter-name

(Optional) Name of a configured filter.

filter regex regular-expression

(Optional) Regular expression that matches the names of a subset of filters.

logical-system (all | logical-system-name)

(Optional) Perform this operation on all logical systems or on a particular logical system.

log

(Optional) Display log entries for firewall filters.

log <(detail | interface interface-name)>

(EX Series switches only) (Optional) Display detailed log entries of firewall activity or log information about a specific interface.

policer counters <(detail | counter-id counter-index <detail>)>

(EX8200 switches only) (Optional) Display enhanced policer counter statistics in brief or in detail.

prefix-action-stats

(Optional) Display prefix action statistics for firewall filters.

terse

(Optional) Display firewall filter names only.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show firewall command. Output fields are listed in the approximate order in which they appear.

Table 1: show firewall Output Fields

Field Name

Field Description

Filter

Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level.

Except on EX Series switches:

  • When an interface-specific filter is displayed, the name of the filter is followed by the full interface name and by either -i for an input filter or -o for an output filter.

  • When dynamic filters are displayed, the name of the filter is followed by the full interface name and by either -in for an input filter or -out for an output filter.

  • When a logical system-specific filter is displayed, the name of the filter is prefixed with two underscore (__) characters and the name of the logical system (for example, __ls1/filter1).

  • When a service filter is displayed that uses a service set, the separator between the service-set name and the service-filter name is a colon (:).

    Note:

    For bridge family filters, the ip-protocol match condition is supported only for IPv4, not for IPv6. This applies to line cards based on the Junos Trio chipset, such as the MX Series 3D MPC line cards.

Counters

Display filter counter information:

  • Name—Name of a filter counter that has been configured with the counter firewall filter action.

  • Bytes—Number of bytes that match the filter term under which the counter action is specified.

  • Packets—Number of packets that matched the filter term under which the counter action is specified.

Note:

On M and T Series routers, firewall filters cannot count ip-options packets per option type and per interface. A limited workaround is to use the show pfe statistics ip options command, which reports ip-options statistics per Packet Forwarding Engine (PFE). See show pfe statistics ip for sample output.

Policers

Display policer information:

  • Name—Name of policer.

  • Bytes—(For two-color policers on MX Series routers and EX Series switches, and for hierarchical policers on interfaces hosted on MICs and MPCs in MX Series routers) Number of bytes that match the filter term under which the policer action is specified. This counts only out-of-specification (out-of-spec) bytes, not all the bytes in all packets policed by the policer.

    For other combinations of policer type, device, and line card type, this field is blank.

  • Packets—Number of packets that matched the filter term under which the policer action is specified. This is only the number of out-of-specification (out-of-spec) packet counts, not all packets policed by the policer.

Policer Counter Index

(EX8200 switch only) Global management counter ID. The counter ID value (counter-index) can be 0, 1, or 2.

Green

(EX8200 switch only) Number of packets that conformed to the committed information rate (CIR).

Yellow

(EX8200 switch only) Number of packets that exceeded the CIR but stayed within the excess burst size (EBS).

Discard

(EX8200 switch only) Number of discarded packets.

Bytes

(EX8200 switch only) Byte count of the green, yellow, red, or discarded packets.

Packets

(EX8200 switch only) Number of green, yellow, red, or discarded packets.

Filter name

(EX8200 switch only) Name of the filter with a term associated to a policer.

Term name

(EX8200 switch only) Name of the term associated with a policer.

Policer name

(EX8200 switch only) Name of the policer that is associated with a global management counter.

P1-t1

  • OOS packet statistics for packets that the policer marked out-of-specification (out-of-spec). Every packet that received an out-of-spec action, whether discard, color marking, or a forwarding-class change, is included in this counter.

  • Offered packet statistics for all traffic subjected to the policer.

  • Transmitted packet statistics for traffic that the policer did not discard. When the out-of-spec action is discard, this equals the in-spec count; when it is a non-discard action (loss-priority or forwarding-class), the out-of-spec packets are still forwarded and are included in this counter.

Action

Filter action:

  • A—Accept

  • D—Discard

Interface

Interface on which the firewall filter is applied.

Protocol

Name of the packet protocol.

Packet Length

Length of the packet.

Src Addr

Source address of the packet.

Dest Addr

Destination address of the packet.
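The Filter, Counters and Policers fields described above are what an audit of a control-plane protection filter actually reads, and the printed filter name encodes interface, direction and logical system as documented. The following Python is an added example written for this page, not Juniper code and not PyEZ: it parses the text output into structures, decodes the -ifl-i/-o, -ifl-in/-out and __ls/ name forms, tolerates the blank policer Bytes column the table mentions, and diffs packet counts between two polls. The SAMPLE text and every filter, counter and policer name in it are constructed; the regular expression for interface names is an assumption that covers the common ifl forms.

```python
"""Parse `show firewall` text output and decode the printed filter names.

Added example for this page; it is not Juniper code and does not use PyEZ.
SAMPLE follows the documented layout (Filter / Counters / Policers blocks
with Name, Bytes, Packets columns); every name in it is invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample. The last policer row has a blank Bytes column, which the
# documentation says happens for some policer/platform/line-card combinations.
SAMPLE = """\
Filter: protect-re
Counters:
Name                                                Bytes              Packets
accept-bgp                                        1234567                 5678
Policers:
Name                                                Bytes              Packets
limit-icmp-t1                                         512                    4

Filter: edge-in-ge-0/0/1.0-i
Counters:
Name                                                Bytes              Packets
drop-bogons                                          8192                   64
Policers:
Name                                                Bytes              Packets
limit-dns-t1                                                               17
"""

@dataclass(frozen=True)
class FilterName:
    name: str                             # filter name as configured
    logical_system: Optional[str] = None  # from the __<ls>/ prefix
    interface: Optional[str] = None       # from the -<ifl>-<dir> suffix
    direction: Optional[str] = None       # "input" or "output"

# __<ls>/ prefix, base name, then -<ifl>-(i|o) (interface-specific) or
# -<ifl>-(in|out) (dynamic). The ifl pattern is an assumption that covers
# forms such as ge-0/0/1.0, xe-0/0/0:1.0, ae0.0 and irb.100.
NAME_RE = re.compile(
    r"^(?:__(?P<ls>[^/]+)/)?"
    r"(?P<name>.+?)"
    r"(?:-(?P<ifl>[a-z]+(?:-\d+/\d+/\d+(?::\d+)?)?\d*\.\d+)-(?P<dir>in|out|i|o))?$"
)
DIRECTION = {"i": "input", "in": "input", "o": "output", "out": "output"}

def parse_filter_name(shown: str) -> FilterName:
    """Split a name as printed in the Filter field into its components."""
    m = NAME_RE.match(shown)
    return FilterName(m["name"], m["ls"], m["ifl"], DIRECTION.get(m["dir"]))

@dataclass
class FilterStats:
    parsed: FilterName
    # counter or policer name -> (bytes, or None when the column is blank; packets)
    counters: Dict[str, Tuple[Optional[int], int]] = field(default_factory=dict)
    policers: Dict[str, Tuple[Optional[int], int]] = field(default_factory=dict)

ROW_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(\d+)\s*$")  # name [bytes] packets

def parse_show_firewall(text: str) -> Dict[str, FilterStats]:
    """Return {printed filter name: FilterStats} for one `show firewall` output."""
    result: Dict[str, FilterStats] = {}
    current: Optional[FilterStats] = None
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Filter:"):
            shown = line.split(":", 1)[1].strip()
            current = result[shown] = FilterStats(parse_filter_name(shown))
            section = ""
        elif line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
        elif line.startswith("Name ") or current is None or not section:
            continue  # column header line, or text outside any filter block
        else:
            m = ROW_RE.match(line)
            if m:
                nbytes = int(m[2]) if m[2] is not None else None
                getattr(current, section)[m[1]] = (nbytes, int(m[3]))
    return result

def packet_deltas(before: Dict[str, FilterStats],
                  after: Dict[str, FilterStats]) -> Dict[Tuple[str, str], int]:
    """Packet-count growth per (filter, counter) between two polls; the usual
    thing to alert on for a discard term in a control-plane protection filter."""
    deltas: Dict[Tuple[str, str], int] = {}
    for shown, stats in after.items():
        old = before.get(shown)
        for name, (_, pkts) in stats.counters.items():
            prev = old.counters.get(name, (None, 0))[1] if old else 0
            if pkts != prev:
                deltas[(shown, name)] = pkts - prev
    return deltas
```

Poll the device twice (for example with `show firewall filter regex "^protect-"` on the CLI, or `show firewall | no-more` captured over SSH), feed both captures to parse_show_firewall, and alert on packet_deltas for the discard terms; the name decoding lets you group interface-specific and logical-system copies of the same filter under one configured name.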

Sample Output

show firewall

show firewall filter (MX Series Router and EX Series Switch)

show firewall filter (non-MX Series Router and non-EX Series Switch)

show firewall filter (Dynamic Input Filter)

show firewall (counter counter-name)

show firewall log

show firewall policer counters (EX8200 Switch)

show firewall policer counters (detail) (EX8200 Switch)

show firewall policer counters (counter-id counter-index) (EX8200 Switch)

show firewall policer counters (counter-id counter-index detail) (EX8200 Switch)

show firewall detail

show firewall application cfm (Junos OS Evolved)
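The show firewall log fields listed in Table 1 (Time, Filter, Action, Interface, Protocol, Packet Length, Src Addr, Dest Addr) are printed as fixed-width columns, and the set of columns present varies by platform. The Python below is an added example written for this page, not Juniper code: it derives the column boundaries from the header line instead of hard-coding them, so the same parser works whether or not Packet Length is printed, maps the A/D action codes, and then aggregates discards per source address and protocol, which is the first question asked when a filter's discard counter jumps. The sample log is constructed, using documentation address ranges; the "pfe" filter name and interface are invented.

```python
"""Parse `show firewall log` output and summarise discarded traffic.

Added example for this page, not Juniper code. The column set printed by
`show firewall log` differs by platform, so the parser takes column
boundaries from the header line rather than hard-coding them. SAMPLE is
constructed; the addresses are documentation ranges.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample (fixed-width columns as in the CLI output).
SAMPLE = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:10:12  pfe       D      ge-0/0/1.0    ICMP            192.0.2.1                        198.51.100.2
13:10:13  pfe       D      ge-0/0/1.0    ICMP            192.0.2.1                        198.51.100.2
13:10:15  pfe       A      ge-0/0/1.0    TCP             203.0.113.7                      198.51.100.2
13:10:17  pfe       D      ge-0/0/1.0    UDP             192.0.2.1                        198.51.100.3
"""

# Column names as documented for show firewall log; not every platform prints all of them.
COLUMNS = ("Time", "Filter", "Action", "Interface", "Protocol",
           "Packet Length", "Src Addr", "Dest Addr")
ACTIONS = {"A": "accept", "D": "discard"}  # as documented in the Action field

def column_spans(header: str) -> List[Tuple[str, int, Optional[int]]]:
    """(name, start, end) slices for each documented column present in the header."""
    starts = sorted((header.index(c), c) for c in COLUMNS if c in header)
    spans = []
    for i, (start, name) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else None
        spans.append((name, start, end))
    return spans

def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """One dict per log row, keyed by column name; lines before the header are ignored."""
    entries: List[Dict[str, str]] = []
    spans = None
    for line in text.splitlines():
        if spans is None:
            if "Time" in line and "Action" in line and "Src Addr" in line:
                spans = column_spans(line)
            continue
        if not line.strip():
            continue
        row = {name: line[start:end].strip() for name, start, end in spans}
        row["Action"] = ACTIONS.get(row.get("Action", ""), row.get("Action", ""))
        entries.append(row)
    return entries

def discards_by_source(entries: List[Dict[str, str]]) -> Counter:
    """Count discarded packets per (source address, protocol) for triage."""
    hits: Counter = Counter()
    for e in entries:
        if e.get("Action") == "discard":
            hits[(e["Src Addr"], e["Protocol"])] += 1
    return hits
```

Column boundaries are taken from the header, so a value that overruns its column (an unusually long address, say) will bleed into the next field; if you see that on a platform, widen the capture with `| no-more` and check the raw line before trusting the aggregate. Run discards_by_source(parse_firewall_log(capture)).most_common(10) to get the top sources hitting a discard term with the log action.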

Release Information

Command introduced before Junos OS Release 7.4.

Option logical-system introduced in Junos OS Release 9.3.

Option terse introduced in Junos OS Release 9.4.

Option policer counters introduced in Junos OS Release 12.2 for EX Series switches.

Option detail introduced in Junos OS Release 12.3 for EX Series switches.

Option detail introduced in Junos OS Release 14.1 for MX Series routers.

Option regex regular-expression introduced in Junos OS Release 14.2.

Option lsp introduced in Junos OS Evolved Release 18.3R1.