Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Routing Policies, Firewall Filters, and Traffic Policers User Guide Configuring Firewall Filters Configuring Firewall Filters (QFX Series Switches, EX4600 Switches, PTX Series Routers)

Routing Policies, Firewall Filters, and Traffic Policers User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Routing Policies, Firewall Filters, and Traffic Policers User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)

date_range 18-Mar-25
arrow_backward
arrow_forward

Limitations, Caveats, and, Supporting Information

Table 1: Limitations, Caveats, and Supporting Information

(QFX5100, QFX5110, QFX5200) When using filter-based forwarding on IPv6 interfaces, only these match conditions are supported in the (ingress direction): source-address, destination-address, source-prefix-list, destination-prefix-list, source-port, destination-port, hop-limit, icmp-type, and next-header.

(QFX5110) When you enable the egress-to-ingress option under the [edit firewall] hierarchy, only accept, discard, and count actions are supported.

(QFX5100, QFX5110, QFX5120, QFX5130-32CD, QFX5220, QFX5700) In an EVPN-VXLAN environment, only these match conditions are supported: source-address, destination-address, source-port, destination-port, ttl, ip-protocol, and user-vlan-id.

(QFX5100, QFX5110, QFX5200, and QFX5120) You cannot apply a firewall filter in the egress direction on a EVPN-VXLAN IRB interface.

(QFX5700) You cannot apply a firewall filter in the egress direction on a loopback interface.

(QFX5100, QFX5110) If you are using firewall filters to implement MAC filtering in an EVPN-VXLAN environment, see MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment for the supported match conditions.

(QFX5100, QFX5110) For each firewall filter that you apply to a VXLAN, you can specify family ethernet-switching to filter Layer 2 (Ethernet) packets, or family inet to filter on IRB interfaces. You cannot apply a firewall filter in the egress direction on IRB interfaces.

(EX4100, EX4400, EX4600, EX4650, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210) Use only available interfaces when using the interface match condition with the egress firewall filter on standalone devices. Using unavailable interfaces will result in unexpected behavior.

On switches that do not support Layer 2 features, use only those match conditions that are valid for IPv4 and IPv6 interfaces.

(QFX5120, EX4650) Starting with Junos Release 21.4R1, the following match conditions are supported in an EVPN-VXLAN environment on QFX5120, and EX4650: gbp-src-tag, and gbp-dst-tag.

Starting in Junos OS Release 21.4R1, the source-port-range-optimize and the destination-port-range-optimize conditions are supported under [edit firewall family ethernet-switching filter <filter-name> term <term-name> from] hierarchy level. This considerably reduces the TCAM space usage. In QFX5100 switches with source-port-range-optimize and destination-port-range-optimize match conditions configured, upto 24 non-contiguous source-port range and destination-port range match conditions are supported. If more than 24 non-contiguous match conditions are configured, it might throw an error.

Starting with Junos Release 22.4R1, the following match conditions are supported for GBP tagging in an EVPN-VXLAN environment on supported EX4100, EX4400, EX4650, and QFX5120 Series switches: ip-version ipv4, ip-version ipv6, mac-address, vlan-id, interface + vlan-id combination, and interface.

Starting with Junos Release 23.2R1, new IPV4 and IPv6 L4 matches are supported for policy enforcement on the EX4100 series, EX4400 series, EX4650 series, QFX5120-32C and QFX5120-48Y switches.

Starting in Junos OS Release 23.4R1 and later, the vlan-id vlan list | vlan-range and interface interface-list match conditions are supported for GBP tagging in an EVPN-VXLAN environment on supported EX4100, EX4400, EX4650, and QFX5120 Series switches. The EX4100 switches do not support VLAN and PORT+VLAN based GBP.

Starting in Junos OS Release 24.4R1, arp-type, arp-sender-address, and arp-target-address firewall filter match conditions are added for EX4100, EX4400, EX4650-48Y, QFX5120-48Y, QFX5120-32C, QFX5120-48T, and QFX5120-48YM platforms configurable at the [edit firewall family ethernet-switching filter <name> term <name>] hierarchy. The match conditions can be applied at a port or VLAN ingress firewall filter. The match conditions are not supported on egress firewall filters. arp-sender-address and arp-target-address match conditions are not supported on EX2300, EX3400 and EX4300-MP platforms.

Starting in Junos OS Evolved Release 24.4R1, vlan vlan ID action is added for the QFX5130-32CD, QFX5130-48C, and QFX5700 platforms. To activate this action profile on these platforms, you have to apply the set system packet-forwarding-options firewall profiles actions ethernet-switching profile1 configuration. You can configure the vlan vlanID action in port and VLAN firewall filter rules.

Firewall Filter Match Conditions and Actions (EX4100, EX4100-F, EX4100-H, EX4400, EX4600, EX4650, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210)

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, a switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default.

  • Table 2 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

  • Table 3 shows the actions that you can specify in a term.

  • Table 4 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.

For match conditions on specific switches, these limitations apply:

Table 2: Supported Match Conditions for Firewall Filters

Match Condition

Description

Direction and Interface

arp-type

ARP request packet or ARP reply packet.

Egress and ingress interfaces.

arp-type

ARP request packet or ARP reply packet.

Ingress ports and VLANs

arp-sender-address

ARP header sender IPv4 address to match

Ingress ports and VLANs

arp-target-address

ARP header target IPv4 address to match

Ingress ports and VLANs

destination-address ip-address

IP destination address field, which is the address of the final destination node.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

Ingress ports, VLANs and IPv4 (inet) interfaces.

Egress ports and VLANs.

destination-port value

TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813),radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

destination-port range-optimize range

Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.)

Ingress ports, VLANs, IPv4 (inet) interfaces.

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, cs5

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • aarp (0x80F3)—EtherType value AARP

  • appletalk (0x809B)—EtherType value AppleTalk

  • arp (0x0806)—EtherType value ARP

  • fcoe (0x8906)—EtherType value FCoE

  • fip (0x8914)—EtherType value FIP

  • ipv4 (0x0800)—EtherType value IPv4

  • ipv6 (0x08DD)—EtherType value IPv6

  • mpls-multicast (0x8848)—EtherType value MPLS multicast

  • mpls-unicast (0x8847)—EtherType value MPLS unicast

  • oam (0x88A8)—EtherType value OAM

  • ppp (0x880B)—EtherType value PPP

  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage

  • sna (0x80D5)—EtherType value SNA

Ingress ports and VLANs.

Egress ports and VLANs.

egress-to-ingress

Include this option to increase the number of egress VLAN firewall filter terms from 1024 to 2048.

Egress VLAN IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

exp

Match on MPLS EXP bits.

Ingress MPLS interfaces.

Egress MPLS interfaces.

fragment-flags value

IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed):

  • is-fragment

  • dont-fragment (0x4000)

  • more-fragments (0x2000)

  • reserved (0x8000)

Ingress ports and VLANs.

gbp-dst-tag

Match the destination tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Not applicable

gbp-src-tag

Match the source tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Not applicable

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • redirectredirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

  • time-exceededttl-eq-zero- during-reassembly (1), ttl-eq-zero-during-transit (0)

  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

  • IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

hop-limit value

Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255.

Ingress and egress IPv6 (inet6) interfaces.

Note:

Not supported in the egress direction on the QFX3500, QFX3600, QFX5100, QFX5120, QFX5110, QFX5200, and QFX5210 switches.

ip-version ipv4 <ip address> | <prefix-list>

ip-version ipv6 <ip address> | <prefix-list>

Match the IPv4 or IPv6 source or destination address, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress and egress (system wide).

ip-version ipv4 destination-port DST_PORT

Match the TCP/UDP destination port, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 source-port SRC_PORT

Match the TCP/UDP source port, for use with for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 ip-protocol PROTOCOL

Match the IP protocol type, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 is-fragment

Match if the packet is a fragment, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 fragment-flag FLAGS

Match the fragment flags (in symbolic or hex formats), for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 ttlValue

IP Time-to-live (TTL) field in decimal. The value can be 1-255. For use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 tcp-flagsFLAGS

Match one or more TCP flags (in symbolic or hex formats), for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 tcp-initial

Match the first TCP packet of a connection. For use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv4 tcp-established

Match the packets of an established TCP connection, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 source-port SRC_PORT

Match the TCP/UDP source port, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 destination-port DST_PORT

Match the TCP/UDP destination port, for use with for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 next-header PROTOCOL

Match the next header protocol type, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 tcp-flagsFLAGS

Match the TCP flags, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 tcp-initial

Match the initial packets of an established TCP connection, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

ip-version ipv6 tcp-established

Match the packets of an established TCP connection, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

Ingress only.

icmp-type value

ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), destination unreachable (3), source-quench (4), redirect (5), echo-request (8), IPv4 (inet)-advertisement (9), IPv4 (inet)-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also icmp-code variable.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

interface interface-name | <interface_list>

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.

Note:

An interface from which a packet is sent cannot be used as a match condition.

Match a list of interfaces under the same term in a filter. For use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports and VLANs.

ip6-destination-address address

IPv6 address that is the final destination node address for the packet.

Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.)

ip-options

Specify any to create a match if anything is specified in the options field in the IP header.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-protocol number

IP protocol field.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs.

ip6-source-address address

IPv6 address of the source node sending the packet.

Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.)

ip-version address

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs.

is-fragment

Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

l2-encap-type llc-non-snap

Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type.

Ingress ports and VLANs.

Egress ports and VLANs.

label

Match on MPLS label bits.

Ingress MPLS interfaces.

Egress MPLS interfaces.

learn-vlan-id number

Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). The acceptable values are 1-4095.

Note:

Not supported on QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5220, EX4600, EX4650, EX4400, EX4100 and EX4300-MP switches. Use the user-vlan-id match condition to match the outer VLAN ID.

Ingress ports and VLANs.

Egress ports and VLANs.

mac-address mac-address

Match the source media access control (MAC) address, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Ingress and egress (system wide)

.

next-header

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6 (58), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

packet-length

Packet length in bytes. You must enter a value between 0 and 65535.

Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

payload-protocol

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6 (58), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Note:

Not supported on the QFX3500, QFX3600, QFX5100, QFX5110, QFX5200, QFX5210 switches.

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

Port qualifier

The port qualifier will install two entries in the packet forwarding engine. One with the source-port and second one with the destination-port.

Note:

Port qualifier is not supported on EX4400, EX4300, EX4100, EX4300 (Multigigabit PoE), EX2300, EX2300 (Multigigabit PoE), and EX3400 platforms.

Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

  • routine (0)

  • priority (1)

  • immediate (2)

  • flash (3)

  • flash-override (4)

  • critical-ecp (5)

  • internet-control (6)

  • net-control (7)

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

protocol type

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6, igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress ports, VLANs and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

rat-type tech-type-value

Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network. Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.

  • Numeric value 1 matches IEEE 802.3.

  • Numeric value 2 matches IEEE 802.11a/b/g.

  • Numeric value 3 matches IEEE 802.16e

  • Numeric value 4 matches IEEE 802.16m.

  • Text string eutran matches 4G.

  • Text string geran matches 2G.

  • Text string utran matches 3G.

Egress and ingress IPv4 (inet) interfaces.

sample

Sample the packet traffic. Apply this option only if you have enabled traffic sampling.

Egress and ingress IPv4 (inet) interfaces.

source-address ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

source-port value

TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

source-port range-optimize range

Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.)

Ingress ports, VLANs, IPv4 (inet) interfaces.

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-established

Matches packets of an established TCP three-way handshake connection (SYN, SYN-ACK, ACK). The only packet not matched is the first packet of the handshake since only the SYN bit is set. For this packet, you must specify tcp-initial as the match condition.

When you specify tcp-established, the switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-flags value

One or more TCP flags:

  • ack (0x10)

  • fin (0x01)

  • push (0x08)

  • rst (0x04)

  • syn (0x02)

  • urgent (0x20)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-initial

Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set.

When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

traffic-class

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress ports, VLANs, and IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

user-vlan-1p-priority value

Matches the specified 802.1p VLAN priority in the range 0-7.

Ingress and egress ports and VLANs.

user-vlan-id number

Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095.

Note:

For QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, EX4650, EX4400, EX4100 and EX4300-MP switches, use user-vlan-id to match the ID of the outer VLAN.

For QFX5220 Series switches, and MX and ACX Series routers, use learn-vlan-id to match the ID of the outer VLAN, and user-vlan-id to match the ID of the inner VLAN. Previously, you could use user-vlan-id to match the outer VLAN ID.

Ingress and egress ports and VLANs.

vlan-id <vlan id> | <vlan-range> | <vlan list>

Match the VLAN identifier, vlan-range (the first and last VLAN ID number for the group of VLANs), or vlan list (list of numbers) for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Note:

Not supported on the EX4100 switches.

Ingress and egress (system wide)

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 3shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Table 3: Actions for Firewall Filters

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

Note:

The reject action is supported on ingress interfaces only.

routing-instance instance-name

Forward matched packets to a virtual routing instance.

vlan VLAN-name

Forward matched packets to a specific VLAN.

Note:

The vlan action is supported on ingress interfaces only.

Note:

This action is not supported on OCX series switches.

You can also specify the action modifiers listed in Table 4 to count, mirror, rate-limit, and classify packets.

Table 4: Action Modifiers for Firewall Filters

Action Modifier

Description

analyzer analyzer-name

(Non-ELS platforms) Mirror traffic (copy packets) to an analyzer configured at the [edit ethernet-switching-options analyzer] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

count counter-name

Count the number of packets that match the term.

decapsulate [gre | routing-instance]

De-encapsulate GRE packets or forward de-encapsulated GRE packets to the specified routing instance

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, cs5

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note:

To configure a forwarding class, you must also configure loss priority.

gbp-src-tag

(QFX5120 and EX4650 only)

Set the group based policy source tag (0..65535) for use with micro-segmentation on VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

gbp-tag

(EX4100, EX4400, EX4650 and QFX5120)

Set the group based policy source tag (1..65535) for use with micro-segmentation on VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN.

Note: Applies to Junos OS releases 22.4R1 and later.

interface

Switch the traffic to the specified interface without performing a lookup on it. This action is valid only when the filter is applied on ingress.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

Note:

The log action modifier is supported on ingress interfaces only.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note:

The loss-priority action modifier is supported on ingress interfaces only.

Note:

The loss-priority action modifier is not supported in combination with the policer action.

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

You can specify a policer for ingress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters.

Note:

The policer action modifier is not supported in combination with the loss-priority action.

port-mirror

(ELS platforms) Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

port-mirror-instance port-mirror-instance-name

(ELS platforms) Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

Note:

This action modifier is not supported on OCX series switches.

syslog

Log an alert for this packet.

Note:

The syslog action modifier is supported on ingress interfaces only.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters.

Note:

The policer action modifier is not supported in combination with the loss-priority action.

See Also

Firewall Filter Match Conditions and Actions (QFX5220, QFX5700 and the QFX5130-32CD)

This topic describes the supported firewall filter match conditions, actions, and action modifiers for the QFX5220-CD, QFX5220-128C, and QFX5130-32CD switches.

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, a switch takes the action specified in the term. If you apply no match condition, the switch accepts the packet by default.

  • Table 5 shows the match conditions for IPv4 (inet) and the IPv6 (inet6) interfaces. It also contains the match conditions for ports and VLANs (ethernet-switching).

  • Table 6 shows the actions and the action modifiers that you can specify in a term.

Note:

For match conditions, some of the numeric range and the bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

Table 5: Supported Match Conditions (QFX5220, QFX5700, and QFX5130-32CD Switches)

Match Condition

Description

Direction and Interface

arp-type

ARP request packet or an ARP reply packet.

Ingress and egress ports and VLANs

destination-address ip-address

IP destination address field, which is the address of the final destination node.

Ingress and egress IPv4 and IPv6 interfaces

Ingress ports and VLANs

destination-mac-address mac-address

Destination MAC address of the packet.

Ingress and egress ports and VLANs

destination-port value

TCP or UDP destination port field. You must specify this match with the protocol match statement for IPv4 traffic, or the next-header match statement for IPv6 traffic.

For the following well-known ports and port numbers you can specify text synonyms.

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813),radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces.

Ingress ports and VLANs

destination-port range-optimize range

Match a range of the TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.)

Ingress IPv4 interfaces

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress and egress IPv4 and IPv6 interfaces

Ingress ports and VLANs.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms and field listed.

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, cs5

Ingress and egress IPv4 interfaces

Ingress ports and VLANs

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms. The field values are also listed.

  • aarp (0x80F3)—EtherType value AARP

  • appletalk (0x809B)—EtherType value AppleTalk

  • arp (0x0806)—EtherType value ARP

  • fcoe (0x8906)—EtherType value FCoE

  • fip (0x8914)—EtherType value FIP

  • ipv4 (0x0800)—EtherType value IPv4

  • ipv6 (0x08DD)—EtherType value IPv6

  • mpls-multicast (0x8848)—EtherType value MPLS multicast

  • mpls-unicast (0x8847)—EtherType value MPLS unicast

  • oam (0x88A8)—EtherType value OAM

  • ppp (0x880B)—EtherType value PPP

  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage

  • sna (0x80D5)—EtherType value SNA

Ingress and egress ports and VLANs

first-fragment

Match if the packet is the first fragment of a fragmented packet. Avoiding matching the packet if it is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0.

This match condition is an alias for the bit-field match condition fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

Ingress IPv4 interfaces

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • redirectredirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

  • time-exceededttl-eq-zero- during-reassembly (1), ttl-eq-zero-during-transit (0)

  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

  • IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

icmp-type value

ICMP message type field. You must specify this match along with the protocol match statement. This match determines which protocol is being used on the port for IPv4 traffic, or the next-header match statement for IPv6 traffic.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), destination unreachable (3), source-quench (4), redirect (5), echo-request (8), IPv4 (inet)-advertisement (9), IPv4 (inet)-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also icmp-code variable.

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

interface interface-name

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.

Note:

An interface from which a packet is sent cannot be used as a match condition.

Ingress ports and VLANs

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports and VLANs

ip-options

Specify any to create a match if anything is specified in the options field in the IP header.

Ingress IPv4 interfaces

ip-protocol number

IP protocol field.

Ingress ports and VLANs

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports and VLANs

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs

ip-version address

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs

is-fragment

Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.

Ingress and egress IPv4 interfaces (QFX5220)

Ingress IPv4 interfaces (QFX5130)

learn-vlan-id number

VLAN identifier for MAC learning.

Ingress and egress ports and VLANs (QFX5220)

Ingress ports and VLANS (QFX5130)

learn-vlan-1p-priority value

Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Ingress ports and VLANs

next-header

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6 (58), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress and egress IPv6 interfaces

packet-length

Packet length in bytes. You must enter a value between 0 and 65535.

Ingress IPv4 and IPv6 interfaces

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

  • routine (0)

  • priority (1)

  • immediate (2)

  • flash (3)

  • flash-override (4)

  • critical-ecp (5)

  • internet-control (6)

  • net-control (7)

Ingress and egress IPv4 interfaces

protocol type

IP protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6, igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)tcp (4)

Ingress and egress IPv4 interfaces.

Ingress IPv4 interfaces and VLANs

source-address ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress and egress IPv4 interfaces and VLANs

source-port value

TCP or UDP source port. You must specify this match in conjunction with the protocol match statement for IPv4 traffic, or the next-header match statement for IPv6 traffic.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

source-port range-optimize range

Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.)

Ingress IPv4 interfaces

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

tcp-established

Match TCP packets of an established TCP session (packets other than the first packet of a connection). This is an alias for tcp-flags "(ack | rst)".

This match condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.

Ingress and egress IPv4 interfaces (QFX5220)

Ingress and egress IPv4 interfaces (QFX5130)

Ingress IPv6 interfaces (QFX5130)

tcp-flags value

TCP flags (only one value is supported):

  • ack (0x10)

  • fin (0x01)

  • push (0x08)

  • rst (0x04)

  • syn (0x02)

  • urgent (0x20)

Ingress and egress IPv4 interfaces

Ingress IPv6 interfaces

Ingress ports and VLANs

tcp-initial

Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set.

When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition. See protocol type.

Ingress and egress IPv4 interfaces (QFX5220)

Ingress and egress IPv4 interfaces, Ingress IPv6 interfaces (QFX5130)

traffic-class

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress and egress IPv6 interfaces

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress and egress IPv4 interfaces

user-vlan-id number

Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095.

Ingress ports and VLANs (QFX5130)

user-vlan-1p-priority value

Matches the specified 802.1p VLAN priority in the range 0-7.

Ingress ports and VLANs (QFX5130)

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 6 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Note:

For egress IPv4 interfaces, IPv6 interfaces, and egress ports, you can only apply the accept, discard, and count actions. For egress VLANs, you can only apply the accept action.

Table 6: Actions and Action Modifiers

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

count counter-name

Count the number of packets that match the term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note:

To configure a forwarding class, you must also configure loss priority.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note:

The loss-priority action modifier is supported on ingress IPv4 interfaces only.

Note:

The loss-priority action modifier is not supported in combination with the policer action.

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

Note:

The policer action modifier is not supported in combination with the loss-priority action.

port-mirror

Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

port-mirror-instance port-mirror-instance-name

Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

Note:

The reject action is supported on ingress IPv4 interfaces only.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

Note:

The policer action modifier is not supported in combination with the loss-priority action.

Note:

The color-aware and color-blind policers are not supported. By default, traffic is treated as color-blind.

vlan VLAN-name

Forward matched packets to a specific VLAN.

To activate this action profile on these platforms, you have to apply the set system packet-forwarding-options firewall profiles actions ethernet-switching profile1 configuration. You can configure the vlan vlanID action in port and VLAN firewall filter rules.

Note:

The vlan action is only supported on ingress ports and VLANs.

See Also

arrow_backward PREVIOUS Planning the Number of Firewall Filters to Create
NEXT arrow_forward Firewall Filter Match Conditions and Actions (QFX10000 Switches)
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top