Add IPv4 Firewall Filters
You are here: Network > Firewall Filters > IPV4.
To add an IPv4 firewall filter, use the fields on the IPv4 Firewall Filters page:

| Field | Action |
|---|---|
| IPv4 Filter Summary | |
| Action column | Select an option. The options available are: |
| Filter Name | Displays the name of the filter and, when expanded, lists the terms attached to the filter, with the match conditions and actions set for each term. Allows you to add terms to a filter or modify its existing terms. The options available are: |
| Search | |
| IPv4 Filter Name | Enter the name of an existing filter. The options available are: |
| IPv4 Term Name | Enter the name of an existing term. The options available are: |
| Number of Items to Display | Select the number of filters or terms to display on one page. |
| Add New IPv4 Filter | |
| Filter Name | Enter a name for the new filter. The options available are: |
| Term Name | Enter a name for the new term. The options available are: |
| Location | Positions the new filter in one of the following locations: |
| Add | Adds the new filter and opens the term summary page for it, allowing you to add terms to the filter. |
| Add New IPv4 Term | |
| Location | Positions the new term in one of the following locations: |
| Add | Opens the Filter Term page, allowing you to define the match conditions and the action for this term. |
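The same filter built from the Junos CLI, as an added example that is not part of the original page. It shows what the J-Web fields above map to: the filter and its first term, a second term appended to it, the Location choice (the CLI `insert` command), and attaching the filter to an interface. The filter, term, prefix-list and interface names are assumptions chosen for illustration; lines beginning with `#` are explanatory comments, not commands.

```junos
# Added example: CLI equivalent of the J-Web "Add New IPv4 Filter" / "Add New IPv4 Term"
# procedure. Names (MGMT-HOSTS, PROTECT-RE, lo0) are assumptions, not from the page.

# Prefix list that the "Source Prefix List" field refers to (must already exist)
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set policy-options prefix-list MGMT-HOSTS 198.51.100.10/32

# "Add New IPv4 Filter": filter name PROTECT-RE, term name allow-ssh.
# The port match is paired with a protocol match in the same term, as the
# Source/Destination Port notes require.
set firewall family inet filter PROTECT-RE term allow-ssh from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term allow-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-ssh then accept

# "Add New IPv4 Term": a second term, appended after allow-ssh by default
set firewall family inet filter PROTECT-RE term deny-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term deny-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term deny-ssh then count ssh-denied
set firewall family inet filter PROTECT-RE term deny-ssh then log
set firewall family inet filter PROTECT-RE term deny-ssh then discard

# "Location": positioning a new term relative to an existing one is the CLI insert command
set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
set firewall family inet filter PROTECT-RE term allow-icmp from icmp-type echo-request
set firewall family inet filter PROTECT-RE term allow-icmp then accept
insert firewall family inet filter PROTECT-RE term allow-icmp before term deny-ssh

# Apply the filter as an input filter on lo0 so it protects the Routing Engine
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit check
```

Term order is the order of evaluation, so after the `insert` the filter evaluates allow-ssh, allow-icmp, deny-ssh. Anything that matches no term hits the implicit discard at the end of the filter; on lo0 that silently drops every other protocol the device needs (routing protocols, SNMP, NTP), so a real Routing Engine filter ends with explicit terms for that traffic rather than relying on the implicit discard.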
| Field | Action |
|---|---|
| Match Source | |
| Source Address | Enter IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition. If there are more than 25 addresses, this field displays a link that lets you page through the addresses, change their order, and search for them. Enter an IP source address and prefix length and select an option. The options available are: |
| Source Prefix List | Enter source prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition. Select an option: |
| Source Port | Enter the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition. Select the port from the port name list, or enter the port name, number, or range, and then select an option. Note: This match condition does not check which protocol is in use on the port. Specify the protocol (TCP or UDP) match condition in the same term. The options available are: |
| Match Destination | |
| Destination Address | Enter destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition. If there are more than 25 addresses, this field displays a link that lets you page through the addresses, change their order, and search for them. Enter an IP destination address and prefix length and select an option. The options available are: |
| Destination Prefix List | Enter destination prefix lists, which you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition. Select an option: |
| Destination Port | Enter destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition. Select the port from the port name list, or enter the port name, number, or range, and then select an option. Note: This match condition does not check which protocol is in use on the port. Specify the protocol (TCP or UDP) match condition in the same term. The options available are: |
| Match Source or Destination | |
| Address | Enter IP addresses to be included in, or excluded from, the match condition; the address is matched against either the source or the destination of the packet. Allows you to remove an IP address from the match condition. If there are more than 25 addresses, this field displays a link that lets you page through the addresses, change their order, and search for them. Enter an IP address and prefix length and select an option. Note: This address match condition cannot be specified in the same term as the source address or destination address match conditions. The options available are: |
| Prefix List | Enter prefix lists, which you have already defined, to be included in the match condition for either the source or the destination. Allows you to remove a prefix list from the match condition. Note: This prefix list match condition cannot be specified in the same term as the source prefix list or destination prefix list match conditions. Select an option: |
| Port | Enter a port type to be included in, or excluded from, the match condition for either the source or the destination port. Allows you to remove a port type from the match condition. Select the port from the port name list, or enter the port name, number, or range, and then select an option. Note: This match condition does not check which protocol is in use on the port. Specify the protocol (TCP or UDP) match condition in the same term. Also, this port match condition cannot be specified in the same term as the source port or destination port match conditions. The options available are: |
| Match Interface | |
| Interface | Enter interfaces to be included in the match condition. Allows you to remove an interface from the match condition. Select a name from the interface name list, or enter the interface name, and then select an option. The options available are: |
| Interface Set | Enter interface sets, which you have already defined, to be included in the match condition. Allows you to remove an interface set from the match condition. Enter the interface set name and select an option. The options available are: |
| Interface Group | Enter interface groups, which you have already defined, to be included in, or excluded from, the match condition. Allows you to remove an interface group from the match condition. Enter the name of the group and select an option. The options available are: |
| Match Packet and Network | |
| First Fragment | Select the check box. Matches the first fragment of a fragmented packet. |
| Is Fragment | Select the check box. Matches trailing fragments (all fragments except the first) of a fragmented packet. |
| Fragment Flags | Enter the fragmentation flags to be included in the match condition, as a text or numeric string. |
| TCP Established | Select the check box. Matches all TCP packets other than the first packet of a connection, that is, packets with the ACK or RST flag set. Note: This match condition does not verify that the packet is TCP. Specify the TCP protocol match condition in the same term. |
| TCP Initial | Select the check box. Matches the first TCP packet of a connection, that is, packets with SYN set and ACK clear. Note: This match condition does not verify that the packet is TCP. Specify the TCP protocol match condition in the same term. |
| TCP Flags | Enter the TCP flags to be included in the match condition. Note: This match condition does not verify that the packet is TCP. Specify the TCP protocol match condition in the same term. |
| Protocol | Enter IPv4 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv4 protocol type from the match condition. Select a protocol name from the list, or enter a protocol name or number, and then select an option. The options available are: |
| ICMP Type | Select a packet type from the list, or enter a packet type name or number, and then select an option. Note: This match condition does not verify that the packet is ICMP. Specify the ICMP protocol match condition in the same term. The options available are: |
| ICMP Code | Select a packet code from the list, or enter the packet code as text or a number, and then select an option. Note: The meaning of an ICMP code depends on the ICMP type. Specify an ICMP type match condition in the same term. The options available are: |
| Fragment Offset | Enter a fragment offset number or range and then select an option. The options available are: |
| Precedence | Enter IP precedence values to be included in, or excluded from, the match condition. Allows you to remove an IP precedence entry from the match condition. The options available are: |
| DSCP | Select a DSCP value from the list, or enter the DSCP value as a keyword, a decimal integer from 0 through 63, or a binary string, and then select an option. The options available are: |
| TTL | Enter an IPv4 TTL value from 1 through 255 and select an option. Note: This option is not available on SRX5600 devices. The options available are: |
| Packet Length | Enter a packet length value or range and then select an option. The options available are: |
| Forwarding Class | Select a forwarding class from the list, or enter a forwarding class, and then select an option. The options available are: |
| IP Options | Select an IP option from the list, or enter a text or numeric string identifying the option, and then select an option. The options available are: |
| IPsec ESP SPI | Enter an ESP SPI value or range in binary, hexadecimal, or decimal, and then select an option. The options available are: |
| Action | |
| Nothing | Select Nothing. No action is configured for the term. A packet that matches the term is accepted by default; a packet that matches no term in the filter is discarded by the implicit discard at the end of the filter. |
| Accept | Select Accept. Accepts a packet that meets the match conditions of the term. |
| Discard | Select Discard. Silently discards a packet that meets the match conditions of the term; no message is returned to the sender. Names a discard collector for the packets. |
| Reject | Select Reject and then select a message type from the reason list. Rejects a packet that meets the match conditions of the term and returns a rejection message to the sender; the message type denotes the reason the packet was rejected. Note: To log and sample rejected packets, specify the log and sample action modifiers together with this action. |
| Next Term | Select Next Term. Continues evaluation with the next term in the filter even when the packet matches the conditions of this term. Without this action, the filter stops evaluating a packet as soon as it matches a term and takes that term's action. |
| Routing Instance | Accepts a packet that meets the match conditions and forwards it to the specified routing instance. Select Routing Instance and enter the routing instance name in the box next to it. |
| Action Modifiers | |
| Forwarding Class | Classifies the packet into a specific forwarding class. Select the forwarding class from the list. |
| Count | Counts the packets that match this term, using a counter that is specific to this filter: every packet that matches the term on any interface using this filter increments the counter. Select Count and enter a counter name of up to 24 characters consisting of letters, numbers, or hyphens. |
| Virtual Channel | Enter a string identifying the virtual channel. Note: This option is not available on SRX345 devices. |
| Prefix Action | Enter the name of the prefix action. Note: This option is not available on SRX4100 and SRX345 devices. |
| Log | Select Log. Logs the packet header information in a buffer on the Routing Engine. |
| Syslog | Select Syslog. Records packet information in the system log. |
| Port Mirror | Select Port Mirror. Mirrors the packet to the configured port-mirroring destination. Note: This option is not available on SRX5600 and SRX345 devices. |
| Loss Priority | Sets the packet loss priority of the packet, which determines how likely the packet is to be dropped by the output queue's drop profile when the queue is congested. Select a loss priority from the list. |
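The notes in the table above are easy to skip in the GUI, so here is an added example (not part of the original page) in the Junos CLI showing the weak term beside the corrected one for the port and ICMP match conditions, and how the Nothing, Next Term, Reject, Count and Log choices behave in one filter. The filter and term names and the 203.0.113.0/24 prefix are assumptions chosen for illustration; lines beginning with `#` are comments, not commands.

```junos
# Added example, not from the original page. Filter/term names and the
# 203.0.113.0/24 prefix are illustrative assumptions.

# Weak: a port match with no protocol match in the same term. The port is
# tested without checking the protocol, so a UDP datagram to port 22 (or any
# other protocol carrying 22 at that offset) matches and is accepted too.
set firewall family inet filter EXAMPLE-WEAK term ssh from destination-port 22
set firewall family inet filter EXAMPLE-WEAK term ssh then accept

# Corrected: pin the protocol in the same term, as the Port notes require
set firewall family inet filter EXAMPLE term ssh from protocol tcp
set firewall family inet filter EXAMPLE term ssh from destination-port 22
set firewall family inet filter EXAMPLE term ssh then accept

# Same rule for the TCP flag matches and for ICMP type/code matches
set firewall family inet filter EXAMPLE term established from protocol tcp
set firewall family inet filter EXAMPLE term established from tcp-established
set firewall family inet filter EXAMPLE term established then accept
set firewall family inet filter EXAMPLE term ping from protocol icmp
set firewall family inet filter EXAMPLE term ping from icmp-type echo-request
set firewall family inet filter EXAMPLE term ping from icmp-code 0
set firewall family inet filter EXAMPLE term ping then accept

# "Nothing": a term with no action accepts what it matches
set firewall family inet filter EXAMPLE term dns from protocol udp
set firewall family inet filter EXAMPLE term dns from destination-port 53

# "Next Term" plus "Count": tally every packet from a prefix, then keep
# evaluating so the later terms still decide whether it is accepted
set firewall family inet filter EXAMPLE term tally-partner from source-address 203.0.113.0/24
set firewall family inet filter EXAMPLE term tally-partner then count from-partner
set firewall family inet filter EXAMPLE term tally-partner then next term

# "Reject" with a message type, with the "Log" and "Syslog" modifiers
set firewall family inet filter EXAMPLE term reject-tcp from protocol tcp
set firewall family inet filter EXAMPLE term reject-tcp then log
set firewall family inet filter EXAMPLE term reject-tcp then syslog
set firewall family inet filter EXAMPLE term reject-tcp then reject tcp-reset

# Everything else would hit the implicit discard silently; make it explicit
# so the drops are counted and logged
set firewall family inet filter EXAMPLE term catch-all then count dropped
set firewall family inet filter EXAMPLE term catch-all then log
set firewall family inet filter EXAMPLE term catch-all then discard

# Apply as an input filter, then verify from configuration mode
set interfaces ge-0/0/0 unit 0 family inet filter input EXAMPLE
run show firewall filter EXAMPLE
run show firewall log
```

`show firewall filter EXAMPLE` lists the from-partner and dropped counters, which is the quickest way to confirm that the next-term term is counting without terminating, and `show firewall log` shows the headers recorded by the Log modifier on the Routing Engine.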