enhanced-mode

Syntax

enhanced-mode;

Hierarchy Level

[edit firewall filter filter-name],
[edit firewall family family-name filter filter-name],
[edit logical-systems logical-system-name firewall filter filter-name],
[edit logical-systems logical-system-name firewall family family-name filter filter-name]

Release Information

Statement introduced in Junos OS Release 11.4.

Statement introduced in Junos OS Release 12.3R2 for EX Series switches.

Description

Limit static service filters or API-client filters to term-based filter format only for inet or inet6 families when enhanced network services mode is configured at the [edit chassis network-services] hierarchy level. When used with one of the chassis enhanced network services modes, firewall filters are generated in term-based format for use with MPC modules.

If enhanced network services are not configured for the chassis, the enhanced-mode statement is ignored and any enhanced mode firewall filters are generated in both term-based format and compiled format, which is the default.

Only term-based (enhanced) firewall filters are generated, regardless of the setting of the enhanced-mode statement at the [edit chassis network-services] hierarchy level, if any of the following are true:

  • Flexible filter match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
  • A tunnel header push or pop action, such as GRE encapsulate or decapsulate, is configured at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.
  • Payload-protocol match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
  • An extension-header match is configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
  • A match condition is configured that only works with MPC cards, such as firewall bridge filters for IPv6 traffic.

Note: You cannot attach enhanced mode filters to local loopback, management, or MS-DPC interfaces. These interfaces are processed by the Routing Engine kernel and DPC modules and can accept only compiled firewall filter format.
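The restriction in the note above can be checked before commit. The following is an added example, not Juniper code: a Python check over set-format configuration lines that reports enhanced-mode filters attached to interfaces that accept only compiled filters. The function name, the sample configuration, and the interface-name prefixes used for loopback, management, and MS-DPC interfaces are assumptions.

```python
import re

# Interface-name prefixes assumed to cover the page's "local loopback,
# management, or MS-DPC interfaces" (assumption, not stated on the page).
COMPILED_ONLY_PREFIXES = ("lo0", "fxp0", "em0", "me0", "sp-")

ENHANCED = re.compile(
    r"^set (?:logical-systems (?P<ls>\S+) )?firewall "
    r"(?:family (?P<fam>\S+) )?filter (?P<name>\S+) enhanced-mode$")
ATTACH = re.compile(
    r"^set (?:logical-systems (?P<ls>\S+) )?interfaces (?P<ifd>\S+) "
    r"unit (?P<unit>\S+) family (?P<fam>\S+) "
    r"filter (?:input|output|input-list|output-list) (?P<name>\S+)$")

def audit(config_text):
    """Return sorted (interface, filter) pairs where an enhanced-mode
    filter is attached to a compiled-format-only interface."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    enhanced = set()
    for line in lines:
        m = ENHANCED.match(line)
        if m:
            # A filter under [edit firewall filter] with no family is inet.
            enhanced.add((m["ls"], m["fam"] or "inet", m["name"]))
    findings = []
    for line in lines:
        m = ATTACH.match(line)
        if (m and m["ifd"].startswith(COMPILED_ONLY_PREFIXES)
                and (m["ls"], m["fam"], m["name"]) in enhanced):
            findings.append((f'{m["ifd"]}.{m["unit"]}', m["name"]))
    return sorted(findings)

# Constructed sample configuration (not from the page).
SAMPLE = """
set chassis network-services enhanced-ip
set firewall family inet filter PROTECT-RE enhanced-mode
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter EDGE-IN enhanced-mode
set firewall family inet filter EDGE-IN term all then accept
set firewall family inet6 filter PROTECT-RE term all then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 0 family inet6 filter input PROTECT-RE
set interfaces xe-0/0/0 unit 0 family inet filter input EDGE-IN
set interfaces fxp0 unit 0 family inet filter input EDGE-IN
"""

if __name__ == "__main__":
    for ifl, flt in audit(SAMPLE):
        print(f"{ifl}: enhanced-mode filter {flt} cannot be attached here")
```

Filters are matched per family and per logical system, so the inet6 filter named PROTECT-RE in the sample is not reported because only the inet filter of that name carries enhanced-mode.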

Required Privilege Level

firewall—To view this statement in the configuration.

firewall-control—To add this statement to the configuration.

Published: 2014-09-16