SRX Services Gateway
Contributor
Posts: 18
Registered: ‎07-26-2016
Accepted Solution

Firewall filter precedence

I'm trying to understand the precedence of firewall filters. First, are the items within a term processed as AND or OR? So if I have a source-address and destination-address both defined, do both have to be true for the THEN clause to be executed? If not, what is the logic to determine if the term is true or false? Same question for ports. Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list? Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon? I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well. Thanks guys!!!!
Recognized Expert
Posts: 200
Registered: ‎04-03-2015

Re: Firewall filter precedence

Hi,


So if I have a source-address and destination-address both defined, do both have to be true for the THEN clause to be executed?

ANS - If you have a source and destination defined, they will use the AND logic and both have to be true for the "then" action to be executed.


Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list?

-What exactly do you mean by a prefix list here?


Last - for now as I reserve the right to ask further questions: Is there a way other than inserting syslog or counts to tell that a term was actually "hit" and acted upon?

- This can be checked in the security flow traceoptions. It will be easier to put a counter in the filter though.


I'll reserve the question of putting filter-lists on an interface until later unless that would be better explained here as well.

-The device evaluates a packet against the filters in a list sequentially, beginning with the first filter in the list until either a terminating action occurs or the packet is implicitly discarded.

More details on filter lists at: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-multiple-lis...


Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well

Super Contributor
Posts: 111
Registered: ‎01-19-2015

Re: Firewall filter precedence

Hi Alfonso,


Thanks for posting your queries here.


Please find below the answers in which I have tried to answer your queries:


  1. When you have source-address and destination-address both defined, then both of them have to be true at the same time for the THEN clause/action to take place. The case is the same when you specify source-port and destination-port. To summarize, it is an AND operation which takes place with the attributes that you specify in the match condition.
  2. The above changes when you use prefix-list (not source/destination prefix-list but a general prefix-list) in that if any of the IP addresses you specify in the prefix list match either the source or the destination of a packet, the THEN clause/action takes effect. Hence an OR operation takes place within the prefix list, but an AND operation is still happening if you have specified any other condition to match the traffic.
  3. No, there is no way to tell if a filter was hit other than enabling syslogs or counts.

Hope the above answers your queries.


Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.

Contributor
Posts: 18
Registered: ‎07-26-2016

Re: Firewall filter precedence

Thanks for the reply guys. Exactly what I was looking for! That explains some of the behavior I've been seeing with my lab setup.


So the simple explanation is that if one wants full granular control, always use source- and destination- functions and put in as many terms as possible to ensure the packet is what you were looking for.


For some of the more lenient rules, a simple port and protocol may suffice - for example allowing 80/443 traffic to leave the network. By extension of your explanations, putting just tcp-80 and tcp-443 in the filter without any addresses should accomplish this.


Thanks again for not only the quick response but a complete response. You both get credit for the correct solution - not sure how to mark that though.

Distinguished Expert
Posts: 1,912
Registered: ‎06-06-2011

Re: Firewall filter precedence

Mark one so we don't keep checking to see if the question has been answered. Generally guests will read most if not all the comments. Just to muddy this up a little bit more:

If you specify "port" only it will match in either direction and may not accomplish exactly what you want. Better to specify destination-port or source-port if you need that granularity.

"Second: how does the above change when instead of source-address/destination-address you use prefix-list - NOT source-prefix-list or destination-prefix-list? "

Similar thing here it will match source or destination address using the prefix-list.

Additionally, if there is a non-terminating action without a discard or reject, the packet will be accepted.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.]
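To tie the replies above together, here is a Junos filter added as an illustration; it is not configuration from any of the posters, and the filter, term, counter and prefix-list names plus the RFC 5737 addresses are made up. Each term shows one point from the thread: AND across the items in a single `from`, the either-direction match of an unqualified prefix-list, `destination-port` rather than `port`, a counter as the simplest hit indicator, and an explicit `discard` so the last term is terminating.

```junos
policy-options {
    /* Unqualified prefix-list: a hit if EITHER the source OR the destination address is listed */
    prefix-list LAB-HOSTS {
        192.0.2.10/32;
        192.0.2.20/32;
    }
}
firewall {
    family inet {
        filter LAB-OUT {
            /* Items inside one 'from' are ANDed: source AND destination AND tcp AND port.
               destination-port is used instead of 'port', which would match either direction. */
            term web-from-lab {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    /* the counter is the cheapest proof that this term was hit */
                    count web-from-lab;
                    accept;
                }
            }
            /* prefix-list is OR across its entries and address fields, still ANDed with protocol */
            term icmp-lab-hosts {
                from {
                    prefix-list {
                        LAB-HOSTS;
                    }
                    protocol icmp;
                }
                then {
                    count icmp-lab-hosts;
                    accept;
                }
            }
            /* count and log alone are non-terminating and would accept; discard makes the deny explicit */
            term deny-rest {
                then {
                    count deny-rest;
                    log;
                    discard;
                }
            }
        }
    }
}
```

Apply it with `set interfaces ge-0/0/1 unit 0 family inet filter input LAB-OUT` (or `input-list` to chain several filters, as in Sahil's link) and read the per-term counters with `show firewall filter LAB-OUT`.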