Add IPv4 Firewall Filters

You are here: Network > Firewall Filters > IPv4.

To add an IPv4 firewall filter:

  1. Complete the configuration according to the guidelines provided in Table 1 and Table 2.
  2. Click Add in the Add New IPv4 Filter section.

    A new IPv4 firewall filter is created.

  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Add IPv4 Firewall Filter Page

Field

Action

IPv4 Filter Summary

Action column

Select an option.

The options available are:

  • To move an item upward—Locate the item and click the up arrow from the same row.

  • To move an item downward—Locate the item and click the down arrow from the same row.

  • To delete an item—Locate the item and click the X from the same row.

Filter Name

Displays the name of the filter and when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or modify filter terms.

The options available are:

  • To display the terms added to a filter—Click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.

  • To edit a filter—Click the filter name. To edit a term, click the name of the term.

Search

IPv4 Filter Name

Enter the existing filter name.

The options available are:

  • To find a specific filter—Enter the name of the filter in the Filter Name box.

  • To list all filters with a common prefix or suffix—Use the wildcard character (*) when you enter the name of the filter. For example, te* lists all filters with a name starting with the characters te.

IPv4 Term Name

Enter the existing terms by term name.

The options available are:

  • To find a specific term—Enter the name of the term in the Term Name box.

  • To list all terms with a common prefix or suffix—Use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Number of Items to Display

Select the number of filters or terms to display on one page.

Add New IPv4 Filter

Filter Name

Enter the existing filter name.

The options available are:

  • To find a specific filter—Enter the name of the filter in the Filter Name box.

  • To list all filters with a common prefix or suffix—Use the wildcard character (*) when you enter the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Term Name

Enter the existing terms by term name.

The options available are:

  • To find a specific term—Enter the name of the term in the Term Name box.

  • To list all terms with a common prefix or suffix—Use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Location

Positions the new filter in one of the following locations:

  • After Final IPv4 Filter—At the end of all filters.

  • After IPv4 Filter—After a specified filter.

  • Before IPv4 Filter—Before a specified filter.

Add

Adds a new filter name. Opens the term summary page for this filter allowing you to add new terms to this filter.

Add New IPv4 Term

Location

Positions the new term in one of the following locations:

  • After Final IPv4 Filter—At the end of all terms.

  • After IPv4 Filter—After a specified term.

  • Before IPv4 Filter—Before a specified term.

Add

Opens the Filter Term page allowing you to define the match conditions and the action for this term.

Table 2: Fields on the Match Criteria for IPv4 Firewall Filter

Field

Action

Match Source

Source Address

Enter IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP source address from the match condition.

Enter an IP source address and prefix length and select an option.

Source Prefix List

Enter source prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

Select an option:

  • Add—To include a predefined source prefix list in the match condition, type the prefix list name.

  • Except—To exclude the prefix list from the match condition and then select Add—To include the prefix list in the match condition.

  • Delete—To remove a prefix list from the match condition.

Source Port

Enter the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition.

Note:

This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port from the match condition.

Select the port from the port name list; enter the port name, number, or range and then select an option.

Match Destination

Destination Address

Enter destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length and select an option.

Destination Prefix List

Enter destination prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition.

Select an option:

  • Add—To include a predefined destination prefix list, enter the prefix list name.

  • Except—To exclude the prefix list from the match condition and then select Add—To include the prefix list in the match condition.

  • Delete—To remove a prefix list from the match condition.

Destination Port

Enter destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition.

Note:

This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Source or Destination

Address

Enter IP addresses to be included in, or excluded from, the match condition for a source or destination. Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note:

This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

The options available are:

  • Add—To include the address in the match condition.

  • Except—To exclude the address from the match condition and then select Add—To include the address in the match condition.

  • Delete—To remove an IP address from the match condition.

Enter an IP destination address and prefix length and select an option.

Prefix List

Enter prefix lists, which you have already defined, to be included in the match condition for a source or destination. Allows you to remove a prefix list from the match condition.

Note:

This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

Select an option:

  • Add—To include a predefined destination prefix list, type the prefix list name.

  • Delete—To remove a prefix list from the match condition.

Port

Enter a port type to be included in, or excluded from, a match condition for a source or destination. Allows you to remove a destination port type from the match condition.

Note:

This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

The options available are:

  • Add—To include the port in the match condition.

  • Except—To exclude the port from the match condition and then select Add—To include the port in the match condition.

  • Delete—To remove a port type from the match condition.

Select the port from the port name list; enter the port name, number, or range; and then select an option.

Match Interface

Interface

Enter interfaces to be included in a match condition. Allows you to remove an interface from the match condition.

The options available are:

  • Add—To include an interface in a match condition.

  • Delete—To remove an interface from the match condition.

Select a name from the interface name list or enter the interface name, and then select an option.

Interface Set

Enter interface sets, which you have already defined, to be included in a match condition. Allows you to remove an interface set from the match condition.

The options available are:

  • Add—To include the interface set in the match condition.

  • Delete—To remove an interface set from the match condition.

Enter the interface set name and select an option.

Interface Group

Enter interface groups, which you have already defined, to be included in, or excluded from, a match condition. Allows you to remove an interface group from the match condition.

The options available are:

  • Add—To include the interface group in the match condition.

  • Except—To exclude the interface group from the match condition and then select Add—To include the interface group in the match condition.

  • Delete—To remove an interface group from the match condition.

Enter the name of the group and select an option.

Match Packet and Network

First Fragment

Select the check box.

Matches the first fragment of a fragmented packet.

Is Fragment

Select the check box.

Matches trailing fragments (all but the first fragment) of a fragmented packet.

Fragment Flags

Enter fragmentation flags to be included in the match condition.

Enter a text or numeric string defining the flag.

TCP Established

Select the check box.

Matches all Transmission Control Protocol packets other than the first packet of a connection.

Note:

This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as a protocol match condition in the same term.

TCP Initial

Select the check box.

Matches the first Transmission Control Protocol packet of a connection.

Note:

This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as a protocol match condition in the same term.

TCP Flags

Enter Transmission Control Protocol flags to be included in the match condition.

Note:

This match condition does not verify that TCP is the protocol in use. Make sure to specify TCP as a protocol match condition in the same term.

Protocol

Enter IPv4 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv4 protocol type from the match condition.

The options available are:

  • Add—To include the protocol in the match condition.

  • Except—To exclude the protocol from the match condition and then select Add—To include the protocol in the match condition.

  • Delete—To remove an IPv4 protocol type from the match condition.

Select a protocol name from the list or enter a protocol name or number and then select an option.

ICMP Type

Select a packet type from the list or enter a packet type name or number and then select an option.

Note:

This match condition does not verify that ICMP is the protocol in use. Make sure to specify ICMP as a protocol match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.

  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.

  • Delete—To remove an ICMP packet type from the match condition.

ICMP Code

Select a packet code from the list or enter the packet code as text or a number and select an option.

Note:

The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

The options available are:

  • Add—To include the packet type in the match condition.

  • Except—To exclude the packet type from the match condition and then select Add—To include the packet type in the match condition.

  • Delete—To remove an ICMP packet type from the match condition.

Fragment Offset

Enter a fragment offset number or range and then select an option.

The options available are:

  • Add—To include the offset in the match condition.

  • Except—To exclude the offset from the match condition and then select Add—To include the offset in the match condition.

  • Delete—To remove a fragment offset value from the match condition.

Precedence

Enter IP precedence to be included in, or excluded from, the match condition. Allows you to remove an IP precedence entry from the match condition.

The options available are:

  • Add—To include the precedence in the match condition.

  • Except—To exclude the precedence from the match condition and then select Add—To include the precedence in the match condition.

  • Delete—To remove an IP precedence from the match condition.

DSCP

Select DSCP from the list; or enter the DSCP value as a keyword, a decimal integer from 0 through 7, or a binary string; and then select an option.

The options available are:

  • Add—To include the DSCP in the match condition.

  • Except—To exclude the DSCP from the match condition and then select Add—To include the DSCP in the match condition.

  • Delete—To remove a DSCP from the match condition.

TTL

Enter an IPv4 TTL value (a number from 1 through 255) and then select an option.

Note:

This option is not available on SRX5600 devices.

The options available are:

  • Add—To include the TTL in the match condition.

  • Except—To exclude the TTL from the match condition and then select Add—To include the TTL in the match condition.

  • Delete—To remove an IPv4 TTL value from the match condition.

Packet Length

Specify a packet length by entering a value or range, and then select an option.

The options available are:

  • Add—To include the packet length in the match condition.

  • Except—To exclude the packet length from the match condition and then select Add—To include the packet length in the match condition.

  • Delete—To remove a packet length value from the match condition.

Forwarding Class

Specify a forwarding class by selecting a forwarding class from the list or entering a forwarding class, and then select an option.

The options available are:

  • Add—To include the forwarding class in the match condition.

  • Except—To exclude the forwarding class from the match condition and then select Add—To include the forwarding class in the match condition.

  • Delete—To remove a forwarding class from the match condition.

IP Options

Specify an IP option by selecting it from the list or entering a text or numeric string identifying the option, and then select an option.

The options available are:

  • Add—To include the IP option in the match condition.

  • Except—To exclude the IP option from the match condition and then select Add—To include the IP option in the match condition.

  • Delete—To remove an IP option from the match condition.

IPsec ESP SPI

Enter an ESP SPI value by entering a binary, hexadecimal, or decimal SPI value or range, and then select an option.

The options available are:

  • Add—To include the value in the match condition.

  • Except—To exclude the value from the match condition and then select Add—To include the value in the match condition.

  • Delete—To remove an ESP SPI value from the match condition.

Action

Nothing

Select Nothing.

Specifies that no action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

Accept

Select Accept.

Accepts a packet that meets the match conditions of the term.

Discard

Select Discard.

Discards a packet that meets the match conditions of the term. Names a discard collector for packets.

Reject

Select Reject and then select a message type from the reason list.

Rejects a packet that meets the match conditions of the term and returns a rejection message. Allows you to specify a message type that denotes the reason the packet was rejected.

Note:

To log and sample rejected packets, specify log and sample action modifiers in conjunction with this action.

Next Term

Select Next Term.

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term. This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term. When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term and takes the associated action.

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

Select Routing Instance and enter the routing instance name in the box next to Routing Instance.

Action Modifiers

Forwarding Class

Classifies the packet as a specific forwarding class.

Select Forwarding Class from the list.

Count

Counts the packets passing this term. Allows you to name a counter that is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

Select Count and enter a 24-character string containing letters, numbers, or hyphens to specify a counter name.

Virtual Channel

Enter a string identifying the virtual channel.

Note:

This option is not available on SRX345 devices.

Prefix Action

Enter the prefix action.

Note:

This option is not available on SRX4100 and SRX345 devices.

Log

Select Log.

Logs the packet header information in the routing engine.

Syslog

Select Syslog.

Records packet information in the system log.

Port Mirror

Select Port Mirror.

Port mirrors the packet.

Note:

This option is not available on SRX5600 and SRX345 devices.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

Select the range of priority from the list.
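The following is an added example, not part of this page or of Juniper's software: a small Python simulator of the evaluation model described in Table 2 for the Action column (terms tried in order, Nothing and Accept both accepting, Discard, Reject, Next Term passing the packet on, the Count modifier, and the implicit discard of packets that match no term), together with the Source Port / Destination Port note that a port match does not check the protocol. The filter name, term names, addresses and ports are constructed; the Add/Except handling for addresses uses longest-prefix semantics, which is an assumption of this example and not stated on the page.

```python
"""Added example (not Juniper code): simulate how an IPv4 firewall filter
built from the fields in Table 2 evaluates packets. All names, addresses
and ports below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Actions named on the page. "nothing" means no explicit action, which accepts.
ACCEPT, DISCARD, REJECT, NEXT_TERM, NOTHING = "accept", "discard", "reject", "next term", "nothing"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str             # "tcp", "udp", "icmp", ...
    dport: int | None = None  # None for protocols that carry no port


def _address_match(entries, value):
    """Address field (Add/Except pairs): the most specific prefix containing
    the address decides, and an 'except' prefix excludes (assumed longest-
    prefix semantics). With only 'except' entries, everything else matches."""
    if not entries:
        return True
    addr = ipaddress.ip_address(value)
    best = None
    for prefix, excluded in entries:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, excluded)
    if best is None:
        return all(excluded for _, excluded in entries)
    return not best[1]


def _value_match(entries, value):
    """Protocol and port fields: the value must appear in an included entry
    (when any exist) and in no 'except' entry. A packet with no port never
    satisfies a port entry."""
    if not entries:
        return True
    if value is None or any(excluded and v == value for v, excluded in entries):
        return False
    includes = [v for v, excluded in entries if not excluded]
    return not includes or value in includes


@dataclass
class Term:
    name: str
    # Each match field holds (value, is_except) pairs, mirroring the page's
    # Add and Except buttons; an empty list means the field is not set.
    source_address: list[tuple[str, bool]] = field(default_factory=list)
    protocol: list[tuple[str, bool]] = field(default_factory=list)
    destination_port: list[tuple[int, bool]] = field(default_factory=list)
    action: str = NOTHING
    count: str | None = None  # Count action modifier: name of the counter

    def matches(self, pkt: Packet) -> bool:
        # A port entry says nothing about the protocol (the page's note), so a
        # term without a protocol entry also matches UDP traffic on that port.
        return (_address_match(self.source_address, pkt.src)
                and _value_match(self.protocol, pkt.protocol)
                and _value_match(self.destination_port, pkt.dport))


@dataclass
class Filter:
    name: str
    terms: list[Term]
    counters: dict[str, int] = field(default_factory=dict)

    def evaluate(self, pkt: Packet) -> tuple[str, str | None]:
        """First matching term decides, unless its action is Next Term, which
        passes the packet to the following term. Nothing accepts. A packet that
        matches no term falls through to the implicit final discard."""
        for term in self.terms:
            if not term.matches(pkt):
                continue
            if term.count:
                self.counters[term.count] = self.counters.get(term.count, 0) + 1
            if term.action == NEXT_TERM:
                continue
            return (ACCEPT if term.action == NOTHING else term.action), term.name
        return DISCARD, None


def build_filter(strict: bool) -> Filter:
    """Constructed filter: count every port-22 packet, accept SSH from the
    management range except one subnet, reject telnet, accept ICMP. With
    strict=False the SSH term omits the protocol entry the page's note calls for."""
    ssh_protocol = [("tcp", False)] if strict else []
    return Filter("protect-mgmt", [
        Term("count-ssh", destination_port=[(22, False)], action=NEXT_TERM, count="ssh-seen"),
        Term("allow-ssh", source_address=[("10.10.0.0/16", False), ("10.10.99.0/24", True)],
             protocol=ssh_protocol, destination_port=[(22, False)], action=ACCEPT),
        Term("reject-telnet", protocol=[("tcp", False)], destination_port=[(23, False)], action=REJECT),
        Term("icmp", protocol=[("icmp", False)]),  # action Nothing: accepted
    ])


if __name__ == "__main__":
    for strict in (False, True):
        f = build_filter(strict)
        for p in (Packet("10.10.1.5", "10.0.0.1", "tcp", 22), Packet("10.10.99.7", "10.0.0.1", "tcp", 22),
                  Packet("10.10.1.5", "10.0.0.1", "udp", 22), Packet("192.0.2.9", "10.0.0.1", "tcp", 443)):
            print(f"strict={strict} {p.protocol}/{p.dport} from {p.src}: {f.evaluate(p)}")
        print("counters:", f.counters)
```

Running it shows the loose filter accepting a UDP datagram to port 22 from the management range through the term meant for SSH, while the strict filter, with TCP set as a protocol match in the same term, lets that datagram fall through to the implicit discard; the Count modifier increments for every port-22 packet that reaches the first term regardless of the final action, because Next Term hands the packet on after counting.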