Guidelines for Configuring Service Filters
Statement Hierarchy for Configuring Service Filters
To configure a service filter, include the service-filter service-filter-name statement at the [edit firewall family (inet | inet6)] hierarchy level:
Individual statements supported under the service-filter service-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a service filter.
Service Filter Protocol Families
You can configure service filters to filter IPv4 traffic (family inet) and IPv6 traffic (family inet6) only. No other protocol families are supported for service filters.
Service Filter Names
Under the family inet or family inet6 statement, you can include service-filter service-filter-name statements to create and name service filters. The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
Service Filter Terms
Under the service-filter service-filter-name statement, you can include term term-name statements to create and name filter terms.
- You must configure at least one term in a firewall filter.
- You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
- The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.
Service Filter Match Conditions
Service filter terms support only a subset of the IPv4 and IPv6 match conditions that are supported for standard stateless firewall filters.
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see “IPv6 Overview” and “IPv6 Standards” in the Junos OS Routing Protocols Configuration Guide.
Service Filter Terminating Actions
When configuring a service filter term, you must specify one of the following filter-terminating actions:
- service
- skip
Note: These actions are unique to service filters.
Service filter terms support only a subset of the IPv4 and IPv6 nonterminating actions that are supported for standard stateless firewall filters:
- count counter-name
- log
- port-mirror
- sample
Service filters do not support the next action.
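A service filter that follows the rules above, as an added example rather than configuration taken from the Junos OS documentation. The filter, term, and counter names and the 192.0.2.0/24 prefix are assumptions chosen for illustration. Every term ends in service or skip, and the nonterminating actions count and log sit in the same then block as the terminating action.

```junos
/* Added example: names and the prefix are illustrative assumptions. */
firewall {
    family inet {
        service-filter svc-in-web {
            /* Terms are evaluated in configured order, so this narrow */
            /* exclusion is placed ahead of the broader service term. */
            term bypass-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then skip;
            }
            /* count and log are nonterminating; service ends the term. */
            term web-to-service {
                from {
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    count svc-in-web-pkts;
                    log;
                    service;
                }
            }
            /* No from clause, so this term matches all remaining packets. */
            term everything-else {
                then skip;
            }
        }
    }
}
```

A term added later is appended after everything-else and would never match; in configuration mode, `insert firewall family inet service-filter svc-in-web term new-term before term everything-else` moves it ahead of the catch-all (new-term is a placeholder name).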