Example: Configuring a Firewall Filter for Packet Capture
This example shows how to configure a firewall filter for packet capture and apply it to a logical interface.
Requirements
Before you begin:
- Establish basic connectivity. See the Getting Started Guide for your device.
- Configure network interfaces. See Junos OS Interfaces Library for Security Devices.
Overview
In this example, you create a firewall filter called dest-all with a term called dest-term to capture packets sent to a specific destination address, 192.168.1.1/32. You define the term's action so that matching packets are sampled and accepted. Finally, you apply the dest-all filter to all of the outgoing packets on interface fe-0/0/1.
Note: If you apply a firewall filter on the loopback interface, it affects all traffic to and from the Routing Engine. If the firewall filter has a sample action, packets to and from the Routing Engine are sampled. If packet capture is enabled, then packets to and from the Routing Engine are captured in the files created for the input and output interfaces.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a firewall filter for packet capture and apply it to a logical interface:
- Specify the firewall filter and its destination address.
  [edit]
  user@host# edit firewall
  user@host# set filter dest-all term dest-term from destination-address 192.168.1.1/32
- Define the match condition and its action.
  [edit firewall]
  user@host# set filter dest-all term dest-term then sample accept
- Apply the filter to all the outgoing packets.
  [edit interfaces]
  user@host# set fe-0/0/1 unit 0 family inet filter output dest-all
Results
From configuration mode, confirm your configuration by entering the show firewall filter dest-all command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Firewall Filter for Packet Capture Configuration
Purpose
Confirm that the configuration is working properly.
Verify that the firewall filter for packet capture is configured.
Action
From configuration mode, enter the show firewall filter dest-all command. Verify that the output shows the intended configuration of the firewall filter for capturing packets sent to the destination address.
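An offline check that complements the verification step and the loopback Note above, added here as an example and not part of the original Juniper documentation: it scans a configuration in full-path set form (assumed to be the output of show configuration | display set) and lists every interface where a filter with a sample action is applied, marking lo0 bindings. The sample configuration is constructed; the lo0 binding and the mgmt-only filter are hypothetical additions used only to exercise the check.

```python
import re

# Constructed sample: this page's example in full-path "set" form, plus a
# hypothetical lo0 binding and a non-sampling filter (neither is from the page).
SAMPLE_CONFIG = """\
set firewall filter dest-all term dest-term from destination-address 192.168.1.1/32
set firewall filter dest-all term dest-term then sample
set firewall filter dest-all term dest-term then accept
set firewall filter mgmt-only term ssh from protocol tcp
set firewall filter mgmt-only term ssh then accept
set interfaces fe-0/0/1 unit 0 family inet filter output dest-all
set interfaces lo0 unit 0 family inet filter input dest-all
set interfaces fe-0/0/2 unit 0 family inet filter input mgmt-only
"""

TERM_RE = re.compile(r"^set firewall (?:family inet )?filter (\S+) term (\S+) then (.+)$")
BIND_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet filter (input|output) (\S+)$")

def sampling_filters(config):
    """Return {filter: {terms}} for terms whose action includes 'sample'."""
    found = {}
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if m and "sample" in m.group(3).split():
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def audit(config):
    """List each interface binding of a sampling filter; mark lo0 bindings."""
    samplers = sampling_filters(config)
    report = []
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if not m or m.group(4) not in samplers:
            continue
        ifname, unit, direction, fname = m.groups()
        report.append({
            "interface": f"{ifname}.{unit}", "direction": direction,
            "filter": fname, "terms": sorted(samplers[fname]),
            # Per the Note: a sampling filter on the loopback interface
            # samples traffic to and from the Routing Engine.
            "routing_engine": ifname == "lo0",
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        scope = "Routing Engine traffic" if row["routing_engine"] else "interface traffic"
        print(f'{row["interface"]:12} {row["direction"]:6} {row["filter"]} -> {scope}')
```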