Routing


Firewall filter : filter "pfe" ?

  • 1.  Firewall filter : filter "pfe" ?

     
    Posted 10-27-2017 01:58

    Dear community, I need your help....

     

    I don't understand what "pfe" means in the "Filter" column of the "show firewall log" output.

     

     

    admin@QFX5K-VCF> show firewall log
    Log :
    Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
    10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:24:44  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
    

     

     

    I don't understand the Juniper documentation (https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html) saying :

     

    Filter
        Displays the name of a configured firewall filter or service filter only if the packet hit the filter’s log action in a kernel filter (in the control plane). For any traffic that reaches the Routing Engine, the packets hit the log action in the kernel.
    
        For all other logged packets (packet hit the filter’s log action in the Packet Forwarding Engine), this field displays pfe instead of a configured filter name.

     

     

    From my understanding, a firewall filter applied to a loopback only applies to traffic from/to the routing engine.

    In the output below I don't understand why this traffic is dropped (UDP from 172.16.255.203 to 172.16.255.103). 172.16.255.103 is the switch (VCF QFX5100) where the output comes from.

     

    admin@QFX5K-VCF> show firewall log
    Log :
    Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
    10:34:54  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
    10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
    

     

     

     

    admin@QFX5K-VCF> show firewall log detail
    Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 32768, Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789
    Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 25088, Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789

     

    If we look at the firewall filter configuration, I have a term that "accepts" VXLAN traffic: destination port 4789 with protocol UDP. The filter is applied to the input of the loopback interface.

     

    However, the counter associated with the VXLAN "accept" term doesn't increment, which makes me suppose that the VXLAN traffic is not handled by the RE, but by the PFE...

    family inet {
        filter ACCESS-CONTROL {
            term ACCEPT-SSH {
                from {
                    source-prefix-list {
                        SSH-LIST;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-SSH;
                    accept;
                }
            }
            term ACCEPT-OSPF {
                from {
                    source-prefix-list {
                        ROUTER-IPV4;
                    }
                    destination-prefix-list {
                        OSPF-ADDRESS;
                        ROUTER-IPV4;
                    }
                    protocol ospf;
                }
                then accept;
            }
            term ACCEPT-BFD-MH {
                from {
                    source-prefix-list {
                        BGP-NEIGHBOR;
                    }
                    destination-prefix-list {
                        LOOPBACK;
                    }
                    protocol udp;
                    destination-port [ 4784 3784 ];
                }
                then accept;
            }
            term ACCEPT-BGP {
                from {
                    source-prefix-list {
                        BGP-NEIGHBOR;
                    }
                    protocol tcp;
                }
                then accept;
            }
            term ACCEPT-VXLAN {
                from {
                    protocol udp;
                    destination-port 4789;
                }
                then {
                    count ACCEPT-VXLAN;
                    accept;
                }
            }
            term DISCARD-VRRP {
                from {
                    destination-prefix-list {
                        VRRP;
                    }
                    protocol [ vrrp ah ];
                }
                then {
                    discard;
                }
            }
            term ACCEPT-SNMP {
                from {
                    source-prefix-list {
                        SNMP-CLIENT-LISTS;
                        SNMP-COMMUNITY-CLIENTS;
                    }
                    destination-prefix-list {
                        LOCAL-MANAGEMENT;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-SNMP;
                    accept;
                }
            }
            term ACCEPT-NTP {
                from {
                    source-prefix-list {
                        NTP-SERVER;
                        NTP-BOOT-SERVER;
                    }
                    destination-prefix-list {
                        LOCAL-MANAGEMENT;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-NTP;
                    accept;
                }
            }
            term ACCEPT-TRACEROUTE-UDP {
                from {
                    protocol udp;
                    ttl 1;
                    destination-port 33435-33450;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TRACEROUTE-UDP;
                    accept;
                }
            }
            term ACCEPT-TRACEROUTE-ICMP {
                from {
                    protocol icmp;
                    ttl 1;
                    icmp-type [ echo-request timestamp time-exceeded ];
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TRACEROUTE-ICMP;
                    accept;
                }
            }
            term ACCEPT-RADIUS {
                from {
                    source-prefix-list {
                        RADIUS-SERVERS;
                    }
                    destination-prefix-list {
                        LOCAL-MANAGEMENT;
                    }
                    protocol udp;
                    source-port radius;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-RADIUS;
                    accept;
                }
            }
            term ACCEPT-TACACS {
                from {
                    source-prefix-list {
                        TACACS-SERVERS;
                    }
                    destination-prefix-list {
                        LOCAL-MANAGEMENT;
                    }
                    protocol [ tcp udp ];
                    source-port [ tacacs tacacs-ds ];
                    tcp-established;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TACACS;
                    accept;
                }
            }
            term ACCEPT-DNS {
                from {
                    source-prefix-list {
                        DNS-SERVERS;
                    }
                    destination-prefix-list {
                        LOCAL-MANAGEMENT;
                    }
                    protocol [ udp tcp ];
                    source-port 53;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-DNS;
                    accept;
                }
            }
            term NO-ICMP-FRAGMENTS {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    count NO-ISCP-FRAG;
                    discard;
                }
            }
            term ACCEPT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-reply echo-request time-exceeded unreachable source-quench router-advertisement parameter-problem ];
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-ICMP;
                    accept;
                }
            }
            term ALL-MCAST-HOST {
                from {
                    destination-prefix-list {
                        ALL-MCAST-HOSTS;
                    }
                }
                then accept;
            }
            term DISCARD-TTL_1-UNKNOWN {
                from {
                    ttl 1;
                }
                then {
                    count DISCARD-ALL-TTL_1-UNKNOWN;
                    log;
                    discard;
                }
            }
            term DISCARD-TCP {
                from {
                    protocol tcp;
                }
                then {
                    count DISCARD-TCP;
                    log;
                    discard;
                }
            }
            term DISCARD-NETBIOS {
                from {
                    protocol [ tcp udp ];
                    destination-port [ 137 138 139 ];
                }
                then {
                    count DISCARD-NETBIOS;
                    discard;
                }
            }
            term DISCARD-HSRP {
                from {
                    destination-prefix-list {
                        HSRP;
                        MCAST-ROUTERS;
                    }
                    protocol udp;
                    destination-port 1985;
                }
                then {
                    discard;
                }
            }
            term DISCARD-UDP {
                from {
                    protocol udp;
                }
                then {
                    count DISCARD-UDP;
                    log;
                    discard;
                }
            }
            term DISCARD-ICMP {
                from {
                    protocol icmp;
                }
                then {
                    count DISCARD-ICMP;
                    log;
                    discard;
                }
            }
            term DISCARD-IP-OPTIONS {
                from {
                    ip-options any;
                }
                then {
                    count DISCARD-IP-OPTIONS;
                    log;
                    discard;
                }
            }
            term DISCARD-UNKNOWN {
                then {
                    count DISCARD-UNKNOWN;
                    log;
                    discard;
                }
            }
        }
    }
    policer LIMIT-1M {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 256k;
        }
        then discard;
    }
    policer LIMIT-5M {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 512k;
        }
        then discard;
    }
    policer LIMIT-10M {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
    
    

    Who can help me to understand this drop?

     

    Regards,

     

    Salah

     

     

     



  • 2.  RE: Firewall filter : filter "pfe" ?

    Posted 10-27-2017 02:24

    @Daboss wrote:

    From my understanding, the firwall filter applied to a loopback only appy to trafic from/to the routing-engine.

    Regards,

     

    Salah

     

     


     

    Hi, a filter applied to the lo0 interface is also applied at the PFE level.



  • 3.  RE: Firewall filter : filter "pfe" ?

     
    Posted 10-27-2017 02:52

    Thanks for your quick reply.

     

    What does it mean? Does it affect transit traffic? Or may we have traffic that is destined to the router but is not handled by the routing engine but by the PFE, for example VXLAN?

    Why are my VXLAN packets dropped if I have a term that allows this traffic? How can I "accept" these packets destined to the PFE?

     

    --

    Salah



  • 4.  RE: Firewall filter : filter "pfe" ?

    Posted 10-27-2017 18:28

    A filter applied on lo0 never affects transit traffic, but it is also programmed into the PFE and affects traffic that should be handled by the RE or locally by the PFE. Some protocols are offloaded to the PFE (LACP, BFD and some others); a filter applied to the PFE will affect these packets too.
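    The two output forms shown in the first post (the tabular `show firewall log` and the run-together `show firewall log detail` records) are awkward to read by eye when you are trying to see which host-bound flows the PFE copy of the lo0 filter is dropping. The script below is an added example for this thread, not Juniper's code and not something the posters ran: it parses both forms, summarizes drops per filter/action/interface/protocol/destination, and flags records where the Filter column is `pfe` (per the documentation quoted above, the packet hit a log action in the Packet Forwarding Engine) but the destination port is one the filter has an accept term for. The sample log text is constructed from the records posted in this thread, and the `ACCEPT_PORTS` mapping is an assumption read off the ACCESS-CONTROL filter's accept terms rather than pulled from the device.

```python
"""Parse Junos 'show firewall log' / 'show firewall log detail' output and
flag PFE-side discards that contradict a filter's intended accept terms.

Added example for this thread; not Juniper's code. The sample text and the
ACCEPT_PORTS mapping are constructed from the configuration posted above.
"""
import re
from collections import Counter

# Tabular rows: Time  Filter  Action  Interface  Protocol  Src Addr  Dest Addr
TABLE_RE = re.compile(
    r"^\s*(?P<time>\d\d:\d\d:\d\d)\s+(?P<filter>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<ifl>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$",
    re.M,
)

# Detail records. Several may be run together on one line, and there is no
# comma between "Name of interface" and "Name of protocol", so finditer is used.
DETAIL_RE = re.compile(
    r"Time of Log: (?P<time>.+?), Filter: (?P<filter>\S+), "
    r"Filter action: (?P<action>\w+), Name of interface: (?P<ifl>\S+) "
    r"Name of protocol: (?P<proto>\w+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[^:\s]+):(?P<sport>\d+), "
    r"Destination address: (?P<dst>[^:\s]+):(?P<dport>\d+)"
)

# Action codes of the tabular form: A (accept), D (discard), R (reject).
ACTION_CODES = {"A": "accept", "D": "discard", "R": "reject"}

# Constructed from the posted output (tabular form plus two detail records).
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
10:34:54  pfe       D      ae1.0         UDP             172.16.255.203                   172.16.255.103
10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
10:34:54  pfe       D      ae2.0         UDP             172.16.255.203                   172.16.255.103
"""
SAMPLE_DETAIL = (
    "Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, "
    "Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 32768, "
    "Source address: 172.16.255.203:31213, Destination address: 172.16.255.103:4789 "
    "Time of Log: 2017-10-27 10:34:56 CEST, Filter: pfe, Filter action: discard, "
    "Name of interface: ae1.0 Name of protocol: UDP, Packet Length: 25088, "
    "Source address: 172.16.255.203:14805, Destination address: 172.16.255.103:4789"
)

# Assumed (protocol, destination port) -> accept term, derived by hand from the
# ACCESS-CONTROL filter posted above; not read from the device.
ACCEPT_PORTS = {
    ("udp", 4789): "ACCEPT-VXLAN",
    ("udp", 161): "ACCEPT-SNMP",
    ("tcp", 22): "ACCEPT-SSH",
}


def parse_firewall_log(text):
    """Return one dict per record from either output form (ports only in detail)."""
    records = []
    for m in DETAIL_RE.finditer(text):
        rec = m.groupdict()
        rec["length"] = int(rec["length"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    for m in TABLE_RE.finditer(text):
        rec = m.groupdict()
        rec["action"] = ACTION_CODES.get(rec["action"], rec["action"])
        rec["sport"] = rec["dport"] = None  # summary form carries no L4 ports
        records.append(rec)
    return records


def summarize(records):
    """Count records by (filter, action, interface, protocol, destination)."""
    return Counter((r["filter"], r["action"], r["ifl"], r["proto"], r["dst"]) for r in records)


def pfe_drops_on_accepted_ports(records, accept_ports):
    """Discards logged by the PFE copy of the filter ('pfe' in the Filter column)
    whose destination port has an accept term in the filter: these are the
    packets whose accept counter stays at zero while the PFE drops them."""
    hits = []
    for r in records:
        if r["filter"] != "pfe" or r["action"] != "discard" or r["dport"] is None:
            continue
        term = accept_ports.get((r["proto"].lower(), r["dport"]))
        if term:
            hits.append({**r, "accept_term": term})
    return hits


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG + SAMPLE_DETAIL)
    for key, n in sorted(summarize(recs).items()):
        print(n, *key)
    for h in pfe_drops_on_accepted_ports(recs, ACCEPT_PORTS):
        print(f"PFE discarded {h['proto']}/{h['dport']} on {h['ifl']} although term "
              f"{h['accept_term']} accepts it; check the counters of the log-enabled "
              f"discard terms, since the drop came from the PFE copy of the lo0 filter")
```

    Feed it the pasted output of both commands; only the detail form carries ports, so the tabular rows contribute to the summary but never to the accepted-port check. A flagged line tells you which log-enabled discard term to look at with `show firewall filter ACCESS-CONTROL` rather than which term is wrong, since the log record itself does not name the term.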



  • 5.  RE: Firewall filter : filter "pfe" ?

    Posted 09-21-2020 12:13

    Hi! I have the same question about Firewall Filter on interface lo0.

    My configuration is:

    MX480> show configuration firewall family inet filter ACCESS_CONTROL
    set firewall family inet filter ACCESS_CONTROL term SNMP from source-prefix-list PERMIT_ADDRESS
    set firewall family inet filter ACCESS_CONTROL term SNMP from protocol udp
    set firewall family inet filter ACCESS_CONTROL term SNMP from destination-port snmp
    set firewall family inet filter ACCESS_CONTROL term SNMP then accept
    set firewall family inet filter ACCESS_CONTROL term OTHER then count DROP
    set firewall family inet filter ACCESS_CONTROL term OTHER then log
    set firewall family inet filter ACCESS_CONTROL term OTHER then discard
    set interfaces lo0 unit 0 family inet filter input ACCESS_CONTROL

     

    If I test this filter by doing an SNMPWALK from a source IP that doesn't match PERMIT_ADDRESS, to a destination IP on a physical interface (ge-2/0/0.0), the 'DROP' counter doesn't count, and it makes me think that this traffic isn't going through the firewall filter ACCESS_CONTROL for some reason that I can't explain.

     

    Also, I have this message:

    Sep 21 15:29:44 MX480> snmpd[6836]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 2.2.2.2 to 1.1.1.1 (COMMUNITY)

    Where 2.2.2.2 is the source IP and 1.1.1.1 destination IP configured in ge-2/0/0.0. 

    Do you have any suggestion?

     

    Thanks

    MM