transient-filter

Syntax

Hierarchy Level

Description

Configure a transient firewall filter for a parent firewall filter.

When the parent firewall filter is modified, the make-before-break (MBB) process of the system reprograms the modified parent firewall filter in the hardware. Depending on the size of the parent firewall filter, this process may take time. In the interim, the transient firewall filter is used in lieu of the parent firewall filter. The transient filter is expected to have a smaller memory footprint. After the MBB operation completes, the parent firewall filter resumes operation.

A transient firewall filter can be paired with only one parent firewall filter. The transient firewall filter is implicitly bound to the same interface as its parent firewall filter. A transient firewall filter cannot be configured as an interface-specific firewall filter. Transient firewall filters can also be configured for fast-lookup parent firewall filters.

A transient firewall filter should be configured under the same firewall filter family as its parent firewall filter. While a parent firewall filter is being modified, any firewall filter statistics that are generated are attributed to the transient firewall filter. After the modification completes, the firewall filter statistics are retained and made available to the modified parent firewall filter when it resumes operation.

Deleting the parent firewall filter does not delete its transient firewall filter. Instead, the transient firewall filter is dissociated from the parent firewall filter and treated as any regular firewall filter, and its counters are reset. A transient firewall filter cannot be deleted while it is associated with a parent firewall filter. A parent firewall filter with a transient firewall filter can be bound on ports, VLANs, and Layer 3 interfaces in the ingress or egress direction.

If a firewall filter is part of a filter-chain, input-list or output-list, it cannot be made a transient firewall filter. However, the parent firewall filter can be part of a firewall filter chain, input-list or output-list. Transient firewall filters are supported on loopback interfaces in the ingress direction. Transient filters are not supported on management interfaces. A transient firewall filter can only be a non-interface-specific filter, whereas its parent firewall filter can be either an interface-specific or a non-interface-specific firewall filter. If firewall filters of an input-list or output-list have associated transient firewall filters, then a consolidated transient firewall filter is created.
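
The pairing rules in this description can be checked before a commit. The following is an added example, not Juniper code and not Junos configuration syntax: the dictionary model, the function names and the filter names are all hypothetical, and the sample data is constructed.

```python
# Added example: pre-commit lint for the transient-filter pairing rules above.
# The dict model is hypothetical; it is NOT Junos configuration syntax.

def lint_transient_filters(filters, lists=(), mgmt_bound=()):
    """Return sorted rule violations for a {name: attrs} filter model."""
    errors = []
    in_list = {n for members in lists for n in members}  # chain/input-list/output-list members
    parents_of = {}  # transient name -> parent filters that reference it
    for parent, attrs in filters.items():
        t = attrs.get("transient")
        if t is not None:
            parents_of.setdefault(t, []).append(parent)
    for t, parents in parents_of.items():
        if t not in filters:
            errors.append(f"{t}: referenced as transient but not defined")
            continue
        if len(parents) > 1:  # one transient pairs with exactly one parent
            errors.append(f"{t}: paired with more than one parent {sorted(parents)}")
        if filters[t].get("interface_specific"):
            errors.append(f"{t}: transient filter must not be interface-specific")
        if t in in_list:
            errors.append(f"{t}: member of a filter-chain/input-list/output-list")
        for p in parents:
            if filters[p]["family"] != filters[t]["family"]:
                errors.append(f"{t}: family differs from parent {p}")
            if p in mgmt_bound:  # the transient inherits the parent's binding
                errors.append(f"{t}: parent {p} is bound to a management interface")
    return sorted(errors)


def can_delete(filters, name):
    """A transient filter cannot be deleted while a parent still references it."""
    return all(a.get("transient") != name for a in filters.values())


# Constructed sample data (hypothetical filter names).
SAMPLE = {
    "EDGE-IN":     {"family": "inet",  "interface_specific": True,  "transient": "EDGE-IN-TMP"},
    "EDGE-IN-TMP": {"family": "inet",  "interface_specific": False, "transient": None},
    "CORE-IN":     {"family": "inet6", "interface_specific": False, "transient": "SHARED-TMP"},
    "MGMT-IN":     {"family": "inet",  "interface_specific": False, "transient": "SHARED-TMP"},
    "SHARED-TMP":  {"family": "inet",  "interface_specific": True,  "transient": None},
}
```

Run against `SAMPLE`, the lint accepts the `EDGE-IN` pairing, where an interface-specific parent has a non-interface-specific transient filter, and reports every rule that `SHARED-TMP` breaks.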

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Evolved 24.1R1