Routing


Firewall rule processing when called in a group

  • 1.  Firewall rule processing when called in a group

    Posted 11-06-2019 08:30

    Hi,

     

    filter pm_alp_classes_internet {
        apply-groups [ cm_trusted_links cm_alp_class3_protocol ];
    }

    show configuration groups cm_trusted_links
    firewall {
        family bridge {
            filter <*> {
                term al_trust_class_default_dscp {
                    from {
                        interface ge-0/0/3.0;
                    }
                    then {
                        count al_trust_class_default_dscp;
                        loss-priority low;
                        forwarding-class class4;
                        accept;
                    }
                }
            }
        }
    }

    show configuration groups cm_alp_class3_protocol
    firewall {
        family bridge {
            filter <*> {
                term al_alp_return_class3_protocol_seq_100 {
                    from {
                        ip-destination-address {
                            0.0.0.0/0;
                        }
                        ip-address {
                            0.0.0.0/0;
                        }
                        ip-protocol tcp;
                        source-port [ 647 1352 1494 2598 7911 ];
                    }
                    then {
                        count al_alp_return_class3_protocol_seq_100;
                        loss-priority low;
                        forwarding-class class3;
                        accept;
                    }
                }
            }
        }
    }

    I have two firewall filters being called in a group and the group is applied to interface ge-0/0/3. 

     

    Scenario:

    Source IP: 192.168.1.1

    Destination IP: 192.168.1.10

    Source port: TCP 647

    A packet arrives on interface ge-0/0/3 and I get a hit on counter al_trust_class_default_dscp. There is no hit on the second firewall filter even though its condition is a better match. Does it mean that processing stops when there is a match?



  • 2.  RE: Firewall rule processing when called in a group
    Best Answer

     
    Posted 11-06-2019 08:53

    Hi,

    Yes, in a Junos firewall filter, once a term is matched the packet is no longer processed against the remaining terms. The action in the first matching term is executed. If you want to continue processing you can use the 'then next term' action.

    The link below provides more details:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-routing-policies-chain-evaluation-method.html

     

    Thanks,

    Mayank

     

    If this resolves your issue please mark as solution so others can benefit from the post
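To make the first-match behaviour concrete, here is an added Python model of the two terms from the question (not Junos code and not from the original thread). It assumes the apply-groups order puts the cm_trusted_links term first, and that when 'next term' is used the term's count and forwarding-class modifiers are still applied, with a later term's forwarding-class overriding an earlier one.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed packet matching the scenario in the question.
PACKET = {"in_if": "ge-0/0/3.0", "src": "192.168.1.1", "dst": "192.168.1.10",
          "proto": "tcp", "sport": 647}

CLASS3_PORTS = {647, 1352, 1494, 2598, 7911}


@dataclass
class Term:
    name: str
    match: Callable[[dict], bool]   # 'from' clause as a predicate
    fc: str                         # forwarding-class modifier
    terminating: str = "accept"     # "accept", "discard" or "next term"


def build_terms(first_uses_next_term: bool = False) -> List[Term]:
    """Terms in the order the apply-groups statement lists the groups."""
    return [
        Term("al_trust_class_default_dscp",
             lambda p: p["in_if"] == "ge-0/0/3.0", "class4",
             "next term" if first_uses_next_term else "accept"),
        Term("al_alp_return_class3_protocol_seq_100",
             lambda p: p["proto"] == "tcp" and p["sport"] in CLASS3_PORTS,
             "class3"),
    ]


def evaluate(terms: List[Term], packet: dict) -> Tuple[str, str, Dict[str, int]]:
    """Walk the terms top-down; the first terminating action ends evaluation."""
    counters = {t.name: 0 for t in terms}
    fc = ""
    for t in terms:
        if not t.match(packet):
            continue
        counters[t.name] += 1          # 'count' modifier fires on every matched term
        fc = t.fc                      # assumption: later forwarding-class wins
        if t.terminating != "next term":
            return t.terminating, fc, counters   # first match: stop here
    return "discard", fc, counters     # Junos implicit discard at end of filter


if __name__ == "__main__":
    print(evaluate(build_terms(), PACKET))       # only the first counter increments
    print(evaluate(build_terms(True), PACKET))   # both counters increment
```

Running it shows the hit only on al_trust_class_default_dscp in the original configuration, and hits on both counters once the first term ends with 'next term'.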



  • 3.  RE: Firewall rule processing when called in a group

     
    Posted 11-06-2019 08:56


  • 4.  RE: Firewall rule processing when called in a group

     
    Posted 11-06-2019 09:05

    Hi Rohit,

     

    Since you have an accept term after the first rule, the packet is getting accepted right there and it won't go for further processing; that's why you don't see any further hit.

     

    Thanks

    Vishal