Dear community, I need your help....
I don't understand what "pfe" means in the "Filter" column of the "show firewall log" output.
admin@QFX5K-VCF> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:24:44 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae1.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:24:44 pfe D ae1.0 UDP 172.16.255.203 172.16.255.103
I don't understand the Juniper documentation (https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html), which says:
Filter
Displays the name of a configured firewall filter or service filter only if the packet hit the filter’s log action in a kernel filter (in the control plane). For any traffic that reaches the Routing Engine, the packets hit the log action in the kernel.
For all other logged packets (packet hit the filter’s log action in the Packet Forwarding Engine), this field displays pfe instead of a configured filter name.
From my understanding, a firewall filter applied to the loopback only applies to traffic from/to the Routing Engine.
In the output below I don't understand why this traffic is dropped (UDP from 172.16.255.203 to 172.16.255.103). 172.16.255.103 is the switch (VCF QFX5100) the output comes from.
admin@QFX5K-VCF> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:34:54 pfe D ae1.0 UDP 172.16.255.203 172.16.255.103
10:34:54 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
10:34:54 pfe D ae2.0 UDP 172.16.255.203 172.16.255.103
admin@QFX5K-VCF> show firewall log detail
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0
Name of protocol: UDP, Packet Length: 32768, Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0
Name of protocol: UDP, Packet Length: 25088, Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789
If we look at the firewall filter configuration, I have a term that accepts VXLAN traffic: destination port 4789 with protocol UDP. The filter is applied to the input of the loopback interface.
However, the counter associated with the VXLAN "accept" term doesn't increment, which I suppose means the VXLAN traffic is not handled by the RE, but by the PFE...
family inet {
    filter ACCESS-CONTROL {
        term ACCEPT-SSH {
            from {
                source-prefix-list {
                    SSH-LIST;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-SSH;
                accept;
            }
        }
        term ACCEPT-OSPF {
            from {
                source-prefix-list {
                    ROUTER-IPV4;
                }
                destination-prefix-list {
                    OSPF-ADDRESS;
                    ROUTER-IPV4;
                }
                protocol ospf;
            }
            then accept;
        }
        term ACCEPT-BFD-MH {
            from {
                source-prefix-list {
                    BGP-NEIGHBOR;
                }
                destination-prefix-list {
                    LOOPBACK;
                }
                protocol udp;
                destination-port [ 4784 3784 ];
            }
            then accept;
        }
        term ACCEPT-BGP {
            from {
                source-prefix-list {
                    BGP-NEIGHBOR;
                }
                protocol tcp;
            }
            then accept;
        }
        term ACCEPT-VXLAN {
            from {
                protocol udp;
                destination-port 4789;
            }
            then {
                count ACCEPT-VXLAN;
                accept;
            }
        }
        term DISCARD-VRRP {
            from {
                destination-prefix-list {
                    VRRP;
                }
                protocol [ vrrp ah ];
            }
            then {
                discard;
            }
        }
        term ACCEPT-SNMP {
            from {
                source-prefix-list {
                    SNMP-CLIENT-LISTS;
                    SNMP-COMMUNITY-CLIENTS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-SNMP;
                accept;
            }
        }
        term ACCEPT-NTP {
            from {
                source-prefix-list {
                    NTP-SERVER;
                    NTP-BOOT-SERVER;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                destination-port ntp;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-NTP;
                accept;
            }
        }
        term ACCEPT-TRACEROUTE-UDP {
            from {
                protocol udp;
                ttl 1;
                destination-port 33435-33450;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TRACEROUTE-UDP;
                accept;
            }
        }
        term ACCEPT-TRACEROUTE-ICMP {
            from {
                protocol icmp;
                ttl 1;
                icmp-type [ echo-request timestamp time-exceeded ];
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TRACEROUTE-ICMP;
                accept;
            }
        }
        term ACCEPT-RADIUS {
            from {
                source-prefix-list {
                    RADIUS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol udp;
                source-port radius;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-RADIUS;
                accept;
            }
        }
        term ACCEPT-TACACS {
            from {
                source-prefix-list {
                    TACACS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol [ tcp udp ];
                source-port [ tacacs tacacs-ds ];
                tcp-established;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-TACACS;
                accept;
            }
        }
        term ACCEPT-DNS {
            from {
                source-prefix-list {
                    DNS-SERVERS;
                }
                destination-prefix-list {
                    LOCAL-MANAGEMENT;
                }
                protocol [ udp tcp ];
                source-port 53;
            }
            then {
                policer LIMIT-1M;
                count ACCEPT-DNS;
                accept;
            }
        }
        term NO-ICMP-FRAGMENTS {
            from {
                is-fragment;
                protocol icmp;
            }
            then {
                count NO-ISCP-FRAG;
                discard;
            }
        }
        term ACCEPT-ICMP {
            from {
                protocol icmp;
                icmp-type [ echo-reply echo-request time-exceeded unreachable source-quench router-advertisement parameter-problem ];
            }
            then {
                policer LIMIT-5M;
                count ACCEPT-ICMP;
                accept;
            }
        }
        term ALL-MCAST-HOST {
            from {
                destination-prefix-list {
                    ALL-MCAST-HOSTS;
                }
            }
            then accept;
        }
        term DISCARD-TTL_1-UNKNOWN {
            from {
                ttl 1;
            }
            then {
                count DISCARD-ALL-TTL_1-UNKNOWN;
                log;
                discard;
            }
        }
        term DISCARD-TCP {
            from {
                protocol tcp;
            }
            then {
                count DISCARD-TCP;
                log;
                discard;
            }
        }
        term DISCARD-NETBIOS {
            from {
                protocol [ tcp udp ];
                destination-port [ 137 138 139 ];
            }
            then {
                count DISCARD-NETBIOS;
                discard;
            }
        }
        term DISCARD-HSRP {
            from {
                destination-prefix-list {
                    HSRP;
                    MCAST-ROUTERS;
                }
                protocol udp;
                destination-port 1985;
            }
            then {
                discard;
            }
        }
        term DISCARD-UDP {
            from {
                protocol udp;
            }
            then {
                count DISCARD-UDP;
                log;
                discard;
            }
        }
        term DISCARD-ICMP {
            from {
                protocol icmp;
            }
            then {
                count DISCARD-ICMP;
                log;
                discard;
            }
        }
        term DISCARD-IP-OPTIONS {
            from {
                ip-options any;
            }
            then {
                count DISCARD-IP-OPTIONS;
                log;
                discard;
            }
        }
        term DISCARD-UNKNOWN {
            then {
                count DISCARD-UNKNOWN;
                log;
                discard;
            }
        }
    }
}
policer LIMIT-1M {
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 256k;
    }
    then discard;
}
policer LIMIT-5M {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 512k;
    }
    then discard;
}
policer LIMIT-10M {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 1m;
    }
    then discard;
}
Who can help me to understand this drop?
Regards,
Salah
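As an added example (not from the post above and not Juniper code), a small Python parser for the two-line "show firewall log detail" records quoted in the post. It tags each entry as hit in the PFE or in the kernel using the rule from the Junos documentation quoted above (Filter "pfe" means the log action was hit in the Packet Forwarding Engine, a filter name means it was hit in the kernel) and tallies entries by where they were hit, action, protocol and destination port, so a batch of drops can be triaged at a glance. The sample records are constructed from the ones in the post plus one made-up entry with a named filter for contrast.

```python
import re
from collections import Counter

# Constructed sample of "show firewall log detail" output, modelled on the
# records quoted in the post; the third record (named filter, TCP/23) is invented.
SAMPLE_DETAIL = """\
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0
Name of protocol: UDP, Packet Length: 32768, Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae2.0
Name of protocol: UDP, Packet Length: 25088, Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789
Time of Log: 2017-10-27 10:35:01 CEST, Filter: ACCESS-CONTROL, Filter action: discard, Name of interface: ae1.0
Name of protocol: TCP, Packet Length: 60, Source address: 172.16.255.203:51234, Destination address: 172.16.255.103:23
"""

HEAD_RE = re.compile(
    r"Time of Log: (?P<time>.+?), Filter: (?P<filter>\S+), "
    r"Filter action: (?P<action>\S+), Name of interface: (?P<ifl>\S+)")
BODY_RE = re.compile(
    r"Name of protocol: (?P<proto>\S+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"Destination address: (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_detail(text):
    """Pair each 'Time of Log' line with the 'Name of protocol' line that follows it."""
    records = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for head, body in zip(lines[0::2], lines[1::2]):
        h, b = HEAD_RE.match(head), BODY_RE.match(body)
        if not (h and b):
            continue  # skip anything that is not a well-formed two-line record
        rec = {**h.groupdict(), **b.groupdict()}
        for key in ("length", "sport", "dport"):
            rec[key] = int(rec[key])
        # Rule from the Junos docs quoted in the post: "pfe" means the log action
        # was hit in the Packet Forwarding Engine; a filter name means the kernel.
        rec["hit_in"] = "pfe" if rec["filter"] == "pfe" else "kernel"
        records.append(rec)
    return records


def summarize(records):
    """Count entries by (where hit, action, protocol, destination port)."""
    return Counter((r["hit_in"], r["action"], r["proto"], r["dport"]) for r in records)


if __name__ == "__main__":
    for key, n in summarize(parse_detail(SAMPLE_DETAIL)).most_common():
        print(f"{n:3d}  hit_in={key[0]:<6} action={key[1]:<8} proto={key[2]:<4} dport={key[3]}")
```

Feed it the real "show firewall log detail" text instead of SAMPLE_DETAIL to see whether any VXLAN (UDP/4789) discard is ever attributed to a named filter rather than to "pfe".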