So if I have a source-address and destination-address both defined, do both have to be true for the THEN clause to be executed?
ANS - If you have a source and destination defined, they will use the AND logic and both have to be true for the "then" action to be executed.
Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list?
- What exactly do you mean by a prefix list here?
Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon?
- This can be checked in the security flow traceoptions. It will be easier to put a counter in the filter though.
I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well.
- The device evaluates a packet against the filters in a list sequentially, beginning with the first filter in the list, until either a terminating action occurs or the packet is implicitly discarded.
More details on filter lists at: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-multiple-listed-overview.html
Please mark my response as Solution if it Helps, Kudos are Appreciated as well
Thanks for posting your queries here.
Please find below the answers, in which I have tried to answer your queries.
Hope the above answers your queries. 🙂
Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps; Kudos are appreciated too.
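The points in the answer above (all "from" conditions in a term are ANDed, a plain prefix-list matches either the source or the destination, a counter is the simplest way to see that a term was hit, and filters in an input-list are evaluated in order) as one Junos configuration. This is an added example, not configuration from the original thread or from Juniper documentation; the filter names MGMT-ACCESS and DEFAULT-DENY, the prefix-list MGMT-HOSTS, the interface ge-0/0/0, and the RFC 5737 / RFC 1918 addresses are all assumed.

```junos
/* Added example, not from the thread. Names MGMT-HOSTS, MGMT-ACCESS,
   DEFAULT-DENY, ge-0/0/0 and all addresses are assumed. */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter MGMT-ACCESS {
            /* Every "from" condition must be true (AND) before "then" runs:
               source-address AND destination-address AND protocol AND port. */
            term ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        10.0.0.1/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* count is non-terminating: it records the hit and continues */
                    count ssh-from-mgmt;
                    /* accept is terminating: evaluation of the list stops here */
                    accept;
                }
            }
            /* Plain prefix-list (not source-prefix-list / destination-prefix-list)
               matches when EITHER the source OR the destination is in MGMT-HOSTS. */
            term icmp-mgmt {
                from {
                    prefix-list MGMT-HOSTS;
                    protocol icmp;
                }
                then {
                    count icmp-mgmt;
                    accept;
                }
            }
        }
        /* MGMT-ACCESS has no catch-all term, so anything it does not match
           falls through to the next filter in the input-list. */
        filter DEFAULT-DENY {
            term deny-and-count {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* evaluated left to right until a terminating action */
                    input-list [ MGMT-ACCESS DEFAULT-DENY ];
                }
            }
        }
    }
}
```

After committing, `show firewall` lists every filter with its counters (packets and bytes per counter name), so a non-zero `ssh-from-mgmt` or `denied` counter tells you which term the traffic actually hit without enabling traceoptions. One caveat when using input-list: Junos builds a single combined filter for the list and reports the counters under that combined name (which includes the member filter names and the interface) rather than under MGMT-ACCESS or DEFAULT-DENY individually, so look for it in the full `show firewall` output rather than `show firewall filter MGMT-ACCESS`.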
Thanks for the reply guys. Exactly what I was looking for! That explains some of the behavior I've been seeing with my lab setup.
So the simple explanation is that if one wants full granular control, always use source- and destination- functions and put in as many terms as possible to ensure the packet is what you were looking for.
For some of the more lenient rules, a simple port and protocol may suffice - for example allowing 80/443 traffic to leave the network. By extension of your explanations, putting just tcp-80 and tcp-443 in the filter without any addresses should accomplish this.
Thanks again for not only the quick response but a complete response. You both get credit for the correct solution - not sure how to mark that though.
Mark one so we don't keep checking to see if the question has been answered. Generally guests will read most if not all the comments. Just to muddy this up a little bit more :)
If you specify "port" only it will match in either direction and may not accomplish exactly what you want. Better to specify destination-port or source-port if you need that granularity.
"Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list?"
Similar thing here it will match source or destination address using the prefix-list.
Additionally, if there is a non-terminating action without a discard or reject, the packet will be accepted.
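The two caveats in this reply (a bare `port` match fires on either the source or the destination port, and a term whose "then" has only non-terminating actions ends up accepting the packet) as an added Junos example. This is not configuration from the thread or from Juniper; the filter name WEB-OUT, the interface ge-0/0/1 and the 10.0.0.0/8 client range are assumed. The loose term is kept in the configuration as `inactive:` purely for contrast, so it does not shadow the strict term.

```junos
/* Added example, not from the thread. WEB-OUT, ge-0/0/1 and 10.0.0.0/8 are assumed. */
firewall {
    family inet {
        filter WEB-OUT {
            /* "port" matches the SOURCE or the DESTINATION port, so a segment
               leaving with source port 80 (an internal web server answering
               any client) matches this term as well as outbound client traffic.
               Marked inactive here so it does not shadow strict-web below. */
            inactive: term loose-web {
                from {
                    protocol tcp;
                    port [ http https ];
                }
                then accept;
            }
            /* "destination-port" only matches client-to-server direction, and
               source-address limits it to our own clients. */
            term strict-web {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    count web-out;
                    accept;
                }
            }
            /* Only a non-terminating action here: matching packets are counted
               and then ACCEPTED, because no discard or reject is present. */
            term count-dns {
                from {
                    protocol udp;
                    destination-port domain;
                }
                then count dns-seen;
            }
            /* Explicit terminating discard so dropped traffic also has a counter. */
            term default-deny {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    output WEB-OUT;
                }
            }
        }
    }
}
```

To see the difference in behaviour, activate `loose-web` (`activate firewall family inet filter WEB-OUT term loose-web`), commit, and compare `show firewall filter WEB-OUT`: the `web-out` counter stops incrementing for TCP 80/443 because the looser term now matches first, and server-side replies with source port 80 or 443 are accepted by it as well. The `dns-seen` counter increments while the packets still flow, which is the count-only behaviour described above.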