Hi,
We have a qfx that we have protected with firewall rules and then applied to the interface. Here is the ICMP/SSH Policy:
set policy-options prefix-list mgmt-icmp-ip-filter xxx.xxx.xxx.xxx - Please note we have about 20 lines that cover all of our internal networks under this prefix-list.
set firewall family inet filter icmp-test term allow_icmp from source-prefix-list mgmt-icmp-ip-filter
set firewall family inet filter re-secure term allow_icmp from protocol icmp
set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-request
set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-reply
set firewall family inet filter icmp-test term allow_icmp from icmp-type unreachable
set firewall family inet filter icmp-test term allow_icmp from icmp-type time-exceeded
set firewall family inet filter icmp-test term allow_icmp from icmp-type source-quench
set firewall family inet filter icmp-test term allow_icmp then accept
set firewall family inet filter icmp-test term deny_icmp from protocol icmp
set firewall family inet filter icmp-test term deny_icmp then discard
set interfaces xe-0/0/10 unit 0 family inet filter input-list icmp-list
set firewall family inet filter re-secure term allow_ssh from source-prefix-list mgmt-ssh-ip-filter
set firewall family inet filter re-secure term allow_ssh from protocol tcp
set firewall family inet filter re-secure term allow_ssh from destination-port ssh
set firewall family inet filter re-secure term allow_ssh then accept
set firewall family inet filter re-secure term deny_ssh from protocol tcp
set firewall family inet filter re-secure term deny_ssh from destination-port ssh
set firewall family inet filter re-secure term deny_ssh then discard
set interfaces xe-0/0/10 unit 0 family inet filter input-list re-secure
But we are still getting a lot of hits to the routing-engine when I complete:
monitor traffic interface xe-0/0/10 size 1500 no-resolve
Do the filters look good and why would I still be getting this amount of traffic hitting the qfx when none should be for ICMP and SSH except from the prefix-list addresses?
Many thanks
------------------------------
Clive Gwyther
------------------------------
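As an added check that is not part of Clive's post, the following Python script (written for this thread, not a Juniper tool) parses the set lines above, embedded as constructed input, and reports referential problems: a filter named in an interface input-list that is never defined, a term name that appears under two different filters, and a term that has match conditions but no then clause, which Junos treats as an accept.

```python
import re
from collections import defaultdict

# The filter and interface lines from the post, embedded here as constructed input.
POSTED_CONFIG = """\
set firewall family inet filter icmp-test term allow_icmp from source-prefix-list mgmt-icmp-ip-filter
set firewall family inet filter re-secure term allow_icmp from protocol icmp
set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-request
set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-reply
set firewall family inet filter icmp-test term allow_icmp from icmp-type unreachable
set firewall family inet filter icmp-test term allow_icmp from icmp-type time-exceeded
set firewall family inet filter icmp-test term allow_icmp from icmp-type source-quench
set firewall family inet filter icmp-test term allow_icmp then accept
set firewall family inet filter icmp-test term deny_icmp from protocol icmp
set firewall family inet filter icmp-test term deny_icmp then discard
set interfaces xe-0/0/10 unit 0 family inet filter input-list icmp-list
set firewall family inet filter re-secure term allow_ssh from source-prefix-list mgmt-ssh-ip-filter
set firewall family inet filter re-secure term allow_ssh from protocol tcp
set firewall family inet filter re-secure term allow_ssh from destination-port ssh
set firewall family inet filter re-secure term allow_ssh then accept
set firewall family inet filter re-secure term deny_ssh from protocol tcp
set firewall family inet filter re-secure term deny_ssh from destination-port ssh
set firewall family inet filter re-secure term deny_ssh then discard
set interfaces xe-0/0/10 unit 0 family inet filter input-list re-secure
"""
TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
APPLY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet filter input-list (\S+)$")

def lint(config):
    terms = defaultdict(lambda: defaultdict(lambda: {"from": [], "then": []}))
    owners = defaultdict(set)    # term name -> filters that define a term of that name
    applied = defaultdict(list)  # (interface, unit) -> filters in input-list order
    for line in config.splitlines():
        if m := TERM_RE.match(line.strip()):
            flt, term, clause, rest = m.groups()
            terms[flt][term][clause].append(rest)
            owners[term].add(flt)
        elif m := APPLY_RE.match(line.strip()):
            applied[(m[1], m[2])].append(m[3])  # repeated set lines append to the list
    findings = []
    for (ifd, unit), names in applied.items():
        findings += [f"{ifd}.{unit}: input-list references undefined filter '{flt}'"
                     for flt in names if flt not in terms]
    for term, flts in owners.items():
        if len(flts) > 1:
            findings.append(f"term '{term}' is split across filters {sorted(flts)}")
    for flt, tmap in terms.items():
        for term, clauses in tmap.items():
            if not clauses["then"]:  # a term with no 'then' clause accepts by default in Junos
                findings.append(f"{flt}/{term}: has no 'then' action (implicit accept)")
    return findings
```

Run against the posted lines it reports three findings, the last of which explains why ICMP from any source is accepted by re-secure before the more restrictive icmp-test terms could apply.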