Supported Platforms
Related Documentation
- ACX, EX, M, MX, PTX, T Series
- Guidelines for Configuring Firewall Filters
- EX, M, MX, PTX, T Series
- Firewall Filter Terminating Actions
Firewall Filter Nonterminating Actions
Firewall filters support different sets of nonterminating actions for each protocol family.
Note: You cannot configure the next term action together with a terminating action in the same filter term; you can combine next term with other nonterminating actions. Nonterminating actions carry an implicit accept: a term whose actions are all nonterminating (for example, count and log) accepts the packet after those actions run, and no later term in the filter sees it, unless next term is also configured. In this context, nonterminating means that other actions can follow these actions, whereas no other action can follow a terminating action.
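The implicit accept is where filters go wrong in practice: a term that only counts and logs suspicious traffic, written on the assumption that a later discard term will drop it, instead accepts that traffic. The following Junos configuration is an added example (not taken from this page) showing the three patterns that matter: next term when the term should observe but not decide, a nonterminating-only term where the implicit accept is intended, and nonterminating actions paired with a terminating one. The filter, counter and policer names and the 192.0.2.0/24 management prefix are placeholders.

```junos
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;    /* placeholder management subnet */
    }
}
firewall {
    policer ssh-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Term 1: record every SSH attempt but decide nothing yet.
               Without "next term" the count and log actions would accept the
               packet (implicit accept) and the discard below would never run.
               "next term" cannot share a term with accept/discard/reject. */
            term audit-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-attempts;
                    log;
                    next term;
                }
            }
            /* Term 2: trusted sources are rate-limited and then accepted.
               Here the implicit accept is intended: policer and count are
               nonterminating, so an in-rate packet falls through to accept. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer ssh-limit;
                    count ssh-allowed;
                }
            }
            /* Term 3: everyone else. Nonterminating actions may precede the
               terminating action in the same term. */
            term ssh-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-dropped;
                    syslog;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, confirm the terms are reached in the intended order: `show firewall filter protect-re` should show ssh-attempts incrementing for every SSH packet and ssh-dropped incrementing only for untrusted sources, and `show firewall log` shows the headers recorded by the log action. If ssh-dropped stays at zero while untrusted SSH sessions still succeed, the first term is accepting the traffic.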
Table 1 describes the nonterminating actions you can configure for a firewall filter term.
Table 1: Nonterminating Actions for Firewall Filters
Nonterminating Action | Description | Protocol Families |
---|---|---|
count counter-name | Count the packet in the named counter. | |
dscp value | Set the IPv4 Differentiated Services code point (DSCP). You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. The default DSCP value is best effort, that is, be or 0. In place of the numeric value, you can specify one of the text synonyms for the standard code points. Note: This action is not supported on PTX Series Packet Transport Routers. Note: The actions dscp 0 and dscp be are supported only on T320, T640, T1600, TX Matrix, TX Matrix Plus, and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers (and EX Series switches). However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. Note: On T4000 routers, the dscp 0 action is not supported during interoperation between a T1600 Enhanced Scaling Type 4 FPC and a T4000 Type 5 FPC. | family inet |
forwarding-class class-name | Classify the packet to the named forwarding class. | |
ipsec-sa ipsec-sa | Use the specified IPsec security association. Note: This action is not supported on MX Series routers and EX Series switches, Type 5 FPCs on T4000 routers, and PTX Series Packet Transport Routers. | family inet |
load-balance group-name | Use the specified load-balancing group. Note: This action is not supported on MX Series routers, EX Series switches, or PTX Series Packet Transport Routers. | family inet |
log | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI). | |
logical-system logical-system-name | Direct packets to the specified logical system. | |
loss-priority (high \| medium-high \| medium-low \| low) | Set the packet loss priority (PLP) level. This action and the three-color-policer action are mutually exclusive: you cannot configure both in the same firewall filter term. Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and on EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration that uses any of the four levels. If the tri-color statement is not enabled, you can configure only the high and low levels. This applies to all protocol families. For information about the tri-color statement and about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see BA Classifier Overview. | |
next-hop-group group-name | Use the specified next-hop group. | |
next-interface interface-name | (MX Series routers and EX Series switches) Direct packets to the specified outgoing interface. | |
next-ip ip-address | (MX Series routers and EX Series switches) Direct packets to the specified destination IPv4 address. | family inet |
next-ip6 ipv6-address | (MX Series routers and EX Series switches) Direct packets to the specified destination IPv6 address. | family inet6 |
packet-mode | Updates a bit field in the packet key buffer that marks traffic to bypass flow-based forwarding. Packets with the packet-mode action modifier follow the packet-based forwarding path and bypass flow-based forwarding completely. For more information about selective stateless packet-based services, see the Junos OS Security Configuration Guide. | family any |
policer policer-name | Name of the policer to use to rate-limit traffic. | |
port-mirror instance-name | Port-mirror the packet based on the specified family. Supported on M120 routers, M320 routers configured with Enhanced III FPCs, MX Series routers, and PTX Series Packet Transport Routers only. | |
port-mirror-instance instance-name | Port-mirror the packet to the specified port-mirroring instance. This action is supported only on MX Series routers. | |
prefix-action action-name | Count or police packets based on the specified action name. Note: This action is not supported on PTX Series Packet Transport Routers. | family inet |
routing-instance routing-instance-name | Direct packets to the specified routing instance. | |
sample | Sample the packet. Note: The Junos OS does not sample packets originating from the router or switch. If you configure a filter and apply it to the output side of an interface, only the transit packets going through that interface are sampled. Packets sent from the Routing Engine to the Packet Forwarding Engine are not sampled. | |
service-accounting | Count the packet for service accounting. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain. Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. | |
service-filter-hit | (Only if the service-filter-hit flag was set by a previous filter in the current type of chained filters) Direct the packet to the next type of filters and indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the service-filter-hit match condition in receiving filters, helps to streamline filter processing. Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. | |
syslog | Log the packet to the system log file. | |
three-color-policer (single-rate \| two-rate) policer-name | Police the packet using the specified single-rate or two-rate three-color policer. This action and the loss-priority action are mutually exclusive: you cannot configure both in the same firewall filter term. | |
traffic-class value | Specify the IPv6 traffic-class code point. You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. The default traffic-class value is best effort, that is, be or 0. In place of the numeric value, you can specify one of the text synonyms for the standard code points. Note: The actions traffic-class 0 and traffic-class be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers (and EX Series switches). However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. | family inet6 |

The Protocol Families column is filled in only where this copy of the page records a specific family; an empty cell means the page does not restrict the action to a single family here.
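The two constraints in the table that most often break a commit are the loss-priority / three-color-policer exclusion and the tri-color prerequisite for the medium-high and medium-low levels. The following Junos configuration is an added example (not taken from this page) showing how to use both actions on the same filter by splitting them across terms, with tri-color enabled so that a four-level PLP commits. The policer parameters, filter and counter names are placeholders.

```junos
class-of-service {
    /* Prerequisite for committing loss-priority medium-high or medium-low
       in a filter term on the platforms listed in the table; without it,
       only the high and low levels commit. */
    tri-color;
}
firewall {
    three-color-policer bulk-trtcm {
        action {
            loss-priority high then discard;
        }
        two-rate {
            color-blind;
            committed-information-rate 50m;
            committed-burst-size 500k;
            peak-information-rate 100m;
            peak-burst-size 1m;
        }
    }
    family inet {
        filter mark-bulk {
            /* Term 1: the three-color policer colours the packet (sets its
               PLP) itself, so a loss-priority action in this same term is
               rejected at commit time. */
            term police-bulk {
                from {
                    protocol tcp;
                    destination-port [ ftp ftp-data ];
                }
                then {
                    three-color-policer {
                        two-rate bulk-trtcm;
                    }
                    count bulk-policed;
                }
            }
            /* Term 2: explicit PLP for the remaining traffic. Keeping this in
               a separate term is the only way to use both actions in one
               filter. All actions here are nonterminating, so the term
               ends in an implicit accept. */
            term mark-rest {
                then {
                    loss-priority medium-high;
                    forwarding-class best-effort;
                    count rest-marked;
                }
            }
        }
    }
}
```

If the commit fails after adding loss-priority medium-high, check first that the tri-color statement is present under [edit class-of-service] and second that no term combines loss-priority with three-color-policer; both conditions produce a commit error rather than a silently ignored action.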
Published: 2014-10-14