gavin.yap@ericsson.com

"show fire logs" shows accepts and discards for the same condition

Hi,


I have a Juniper router question I would like to ask.


Below is a sample config of a firewall filter, which I've applied to a Juniper M120 egress interface.

set firewall filter test-out term permit-ms-out from source-address 0.0.0.0/0
set firewall filter test-out term permit-ms-out from destination-prefix-list test_target_pool
set firewall filter test-out term permit-ms-out then accept
set firewall filter test-out term permit_ospf from protocol ospf
set firewall filter test-out term permit_ospf then accept
set firewall filter test-out term default then log
set firewall filter test-out term default then discard
set policy-options prefix-list test_target_pool 74.125.235.52/32
set policy-options prefix-list test_target_pool 74.125.235.51/32
set policy-options prefix-list test_target_pool 74.125.235.50/32
set policy-options prefix-list test_target_pool 74.125.235.49/32
set policy-options prefix-list test_target_pool 74.125.235.48/32


When I do a "show firewall log", I'm seeing both accepts and discards, where I should see all discards as indicated in blue.

10:40:29  pfe       D      local         TCP      202.78.56.2                           60.250.149.172
10:40:29  pfe       A      local         TCP      202.78.56.2                           118.168.164.143
10:40:29  pfe       D      local         TCP      202.78.56.2                           218.167.74.77
10:40:29  pfe       D      local         TCP      202.78.56.2                           174.36.30.23
10:40:29  pfe       D      local         TCP      202.78.56.2                           118.167.5.185
10:40:28  pfe       D      local         TCP      202.78.56.2                           118.168.164.143
10:40:28  pfe       A      local         TCP      202.78.56.2                           60.250.149.172
10:40:28  pfe       D      local         TCP      202.78.56.2                           218.167.74.77
10:40:28  pfe       D      local         TCP      202.78.56.2                           118.167.5.185
10:40:26  pfe       D      local         ICMP     202.78.56.2                           203.84.219.114
10:40:26  pfe       D      local         TCP      202.78.56.2                           60.250.149.172
10:40:26  pfe       D      local         TCP      202.78.56.2                           118.168.164.143
10:40:26  pfe       A      local         TCP      202.78.56.2                           218.167.74.77
10:40:26  pfe       A      local         TCP      202.78.56.2                           174.36.30.23
10:40:26  pfe       A      local         TCP      202.78.56.2                           118.167.5.185
10:40:25  pfe       D      local         TCP      202.78.56.2                           60.250.149.172
10:40:25  pfe       D      local         TCP      202.78.56.2                           118.168.164.143
10:40:25  pfe       A      local         TCP      202.78.56.2                           218.167.74.77
10:40:25  pfe       D      local         TCP      202.78.56.2                           118.167.5.185
10:40:24  pfe       D      local         TCP      202.78.56.2                           174.36.30.23
10:40:24  pfe       D      local         TCP      202.78.56.2                           174.36.30.23
10:40:22  pfe       D      local         ICMP     202.78.56.2                           203.84.219.114

 

Can anyone explain this?

Thanks.

Regards,

Gavin
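
One way to triage the log in the post above, as an added example that is not part of the original post: it groups the entries by flow, lists the flows logged with both actions, and checks accepted destinations against test_target_pool. The function names are hypothetical and the seven-column layout is assumed from the pasted output.

```python
import ipaddress
from collections import defaultdict

# Prefix list copied from the post's configuration.
TEST_TARGET_POOL = [ipaddress.ip_network(p) for p in (
    "74.125.235.52/32", "74.125.235.51/32", "74.125.235.50/32",
    "74.125.235.49/32", "74.125.235.48/32")]

# A few lines taken from the post's "show firewall log" output.
SAMPLE_LOG = """\
10:40:29  pfe       D      local         TCP      202.78.56.2      60.250.149.172
10:40:29  pfe       A      local         TCP      202.78.56.2      118.168.164.143
10:40:28  pfe       D      local         TCP      202.78.56.2      118.168.164.143
10:40:28  pfe       A      local         TCP      202.78.56.2      60.250.149.172
10:40:26  pfe       D      local         ICMP     202.78.56.2      203.84.219.114
10:40:22  pfe       D      local         ICMP     202.78.56.2      203.84.219.114
"""

def parse_log(text):
    """Yield (time, action, proto, src, dst) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split()
        # Assumed layout: time, filter, action, interface, protocol, src, dst.
        # Only the two actions seen in the post (A, D) are handled.
        if len(fields) != 7 or fields[2] not in ("A", "D"):
            continue  # skip headers, blank lines and truncated entries
        time, _filter, action, _ifname, proto, src, dst = fields
        yield time, action, proto, src, dst

def in_pool(addr, pool=TEST_TARGET_POOL):
    """True if addr (dotted string) falls inside any prefix of the pool."""
    return any(ipaddress.ip_address(addr) in net for net in pool)

def mixed_action_flows(text):
    """Return {(proto, src, dst): actions} for flows logged with more than one action."""
    actions = defaultdict(set)
    for _time, action, proto, src, dst in parse_log(text):
        actions[(proto, src, dst)].add(action)
    return {flow: acts for flow, acts in actions.items() if len(acts) > 1}

def accepted_outside_pool(text):
    """Destinations logged as accepted although they are not in test_target_pool."""
    return sorted({dst for _t, action, _p, _s, dst in parse_log(text)
                   if action == "A" and not in_pool(dst)})

if __name__ == "__main__":
    for flow, acts in mixed_action_flows(SAMPLE_LOG).items():
        print(flow, sorted(acts))
    print("accepted outside pool:", accepted_outside_pool(SAMPLE_LOG))
```
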

 
