Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

enhanced-mode

Syntax

Hierarchy Level

Description

Limit static service filters or API-client filters to term-based filter format only for inet or inet6 families when enhanced network services mode is configured at the [edit chassis network-services] hierarchy level. You cannot attach enhanced mode filters to local loopback, management, or MS-DPC interfaces. These interfaces are processed by the Routing Engine and DPC modules and can accept only compiled firewall filter format. In cases where both filter formats are needed for dynamic service filters, you can use the enhanced-mode-override statement on the specific filter definition to override the default filter term-based only format of chassis network-service enhanced IP mode.The enhanced-mode and the enhanced-mode-override statements are mutually exclusive; you can define the filter with either enhanced-mode or enhanced-mode-override, but not both.

Note:

For MX Series routers with MPCs, you need to initialize Trio-only match filters (that is, a filter that includes at least one match condition or action that is only supported by the Trio chipset) by walking the corresponding SNMP MIB. For example, for any filter that is configured or changed with respect to their Trio only filters, you need to run a command such as the following: show snmp mib walk (ascii | decimal) object-id. This forces Junos to learn the filter counters and ensure that the filter statistics are displayed. This guidance applies to all enhanced-mode firewall filters. It also applies to Firewall Filter Match Conditions for IPv4 Traffic with flexible match filter terms for offset-range or offset-mask, gre-key, and Firewall Filter Match Conditions for IPv6 Traffic with any of the following match conditions: payload-protocol, extension headers, is_fragment. It also applies to filters with either of the following Firewall Filter Terminating Actions: encapsulate or decapsulate, or either of the following Firewall Filter Nonterminating Actions: policy-map, and clear-policy-map.

When used with one of the chassis enhanced network services modes, firewall filters are generated in term-based format for use with MPC modules. Do not use enhanced mode for firewall filters that are intended for control plane traffic. Control plane filtering is handled by the Routing Engine kernel, which cannot use the term-based format of the enhanced mode filters.

If enhanced network services are not configured for the chassis, the enhanced-mode statement is ignored and any enhanced mode firewall filters are generated in both term-based and the default, compiled format. Only term-based (enhanced) firewall filters will be generated, regardless of the setting of the enhanced-mode statement at the [edit chassis network-services] hierarchy level, if any of the following are true:

  • Flexible filter match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.

  • A tunnel header push or pop action, such as GRE encapsulate or decapsulate is configured at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.

  • Payload-protocol match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.

  • An extension-header match is configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.

  • A match condition is configured that only works with MPC cards, such as firewall bridge filters for IPv6 traffic.

For packets sourced from the Routing Engine, the Routing Engine processes Layer 3 packets by applying output filters to the packets and forwards Layer 2 packets to the Packet Forwarding Engine for transmission. By configuring the enhanced mode filter, you explicitly specify that only the term-based filter format is used, which also implies that the Routing Engine cannot use this filter.

Required Privilege Level

firewall—To view this statement in the configuration.

firewall-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 11.4.

Statement introduced in Junos OS Release 23.2 for SRX4600, SRX5400, SRX5600, and SRX5800.

Related Documentation