Configuring Firewall Filter Bypass
You can streamline the filter process, decrease the amount of packet handling for each filter in a chain, and effectively bypass unnecessary filters by using the service-filter-hit match/action combination at the [edit firewall family family-name filter filter-name term term-name] hierarchy level.
To bypass firewall filters using the service-filter-hit match/action combination, you configure the service-filter-hit action in at least one filter in the chain and configure the service-filter-hit match condition in any subsequent filters that you want to bypass. All packets must pass through each filter in a chain. However, after the service-filter-hit flag is set in a packet, the packet “bypasses” any subsequent filters that contain the service-filter-hit match condition: those filters pass (accept) marked packets more efficiently, which accelerates the filter process.
Note: When using the service-filter-hit match/action combination, the order in which the filters are applied is important. You can ensure the order in which the filters are processed by specifying a filter precedence value for the interface. See Defining Dynamic Filter Processing Order for more information about dynamic filter processing.
To bypass filter processing:
- Specify the service-filter-hit action for any filters in a filter chain.
    [edit firewall family inet filter video term 1]
    user@host# set then service-filter-hit
When the match conditions for the filter are met, the service-filter-hit action is set to indicate to subsequent filters that further processing is unnecessary.
- Specify the service-filter-hit match condition in any filters with a lower precedence (that is, a higher precedence statement value) that you want to detect service-filter-hit actions applied from previous filters in the chain.
    [edit firewall family inet filter data term 1]
    user@host# set from service-filter-hit
- Configure the filter to pass (accept) any packet that has a service-filter-hit action applied from any previous filters.
    [edit firewall family inet filter data term 1]
    user@host# set then accept
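
The ordering requirement in the note above can be checked before a change is committed. The following is an added example, not Juniper code: it reads the three statements from this procedure written as full `set` commands and reports any bypass term that no earlier filter can trigger, or that does not accept marked packets. The function names, the sample precedence values, and supplying precedence as a dictionary are assumptions made for illustration.

```python
import re

# Constructed sample: the three statements from this page written as full
# "set" commands, plus assumed precedence values (lower value runs first).
SAMPLE_CONFIG = """\
set firewall family inet filter video term 1 then service-filter-hit
set firewall family inet filter data term 1 from service-filter-hit
set firewall family inet filter data term 1 then accept
"""
SAMPLE_PRECEDENCE = {"video": 10, "data": 20}

FLAG = "service-filter-hit"
LINE_RE = re.compile(
    r"^set firewall family (\S+) filter (\S+) term (\S+) (from|then) (\S+)")


def parse_filters(config, family="inet"):
    """Return {filter: {term: {"from": set, "then": set}}} for one family."""
    filters = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == family:
            _, name, term, kind, keyword = m.groups()
            terms = filters.setdefault(name, {})
            terms.setdefault(term, {"from": set(), "then": set()})[kind].add(keyword)
    return filters


def check_bypass_order(config, precedence, family="inet"):
    """Walk the chain in processing order; report bypass terms that cannot work."""
    filters = parse_filters(config, family)
    # Only filters that have a precedence (are attached to the interface) count.
    chain = sorted(filters.keys() & precedence.keys(), key=precedence.get)
    findings = []
    flag_set_earlier = False  # can any previous filter have marked the packet?
    for name in chain:
        for term, t in filters[name].items():
            if FLAG not in t["from"]:
                continue
            if not flag_set_earlier:
                findings.append(f"{name} term {term}: no earlier filter sets {FLAG}")
            if "accept" not in t["then"]:
                findings.append(f"{name} term {term}: marked packets are not accepted")
        if any(FLAG in t["then"] for t in filters[name].values()):
            flag_set_earlier = True
    return findings
```

An empty result means every filter that matches service-filter-hit runs after a filter that sets it and accepts the marked packets.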