Displaying Firewall Filter Statistics

Purpose

Verify that packets are being policed and counted.

Action

From operational mode in the CLI, enter the show firewall filter filter-name command.

The value of the counter, icmp-counter, and the number of packets discarded by the policers in the stateless firewall filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods are displayed in the following sample output.

Sample Output

Filter: protect-RE                                                  
Counters:
Name                                                Bytes              Packets
icmp-counter                                      1040000                 5600
Policers:
Name                                              Packets 
tcp-connection-policer                          643254873
icmp-policer                                         7391

Meaning

Verify the following information:

• Next to Filter, the name of the firewall filter is correct.
• Under Counters:
  • Under Name, the names of any counters configured in the firewall filter are correct.
  • Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown.
  • Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.
• Under Policers:
  • Under Name, the names of any policers configured in the firewall filter are correct.
  • Under Packets, the number of packets that match the conditions specified for the policer are shown.

Related Topics

For a complete description of the show firewall filter command and output, see the JUNOS Routing Protocols and Policies Command Reference.