SRX Services Gateway
Contributor
Greg_
Posts: 12
Registered: 03-12-2012
Accepted Solution

firewall filters - in the 'from' does any or all produce a match?


I'm defining filters under the firewall section. I have done some reading, but it appears as if behavior changes depending on which code you are on.

The question: in SRX land, do we need to match all the 'condition values' for the 'then' actions to be invoked, or will any match work?


here is the config bit in question:

  filter DMZFILTER {
      term QOS {
          from {
              dscp [ af43 af11 af21 af22 af23 ];
          }
          then {
              routing-instance routing-table-ISP2;
          }
      }
  }


Would matching any of the listed DSCP values be considered a match, so that whatever is defined by 'then' will be invoked, or would this filter never produce a match?

Distinguished Expert
MMcD
Posts: 630
Registered: 07-20-2010

Re: firewall filters - in the 'from' does any or all produce a match?

Hi there,

A match would occur if any of the DSCP terms are met.

http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-p...

Are you seeing different on different OS versions?

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Greg_
Posts: 12
Registered: 03-12-2012

Re: firewall filters - in the 'from' does any or all produce a match?

Hi MMcD,

Thanks for the quick response. I was looking at a document speaking about how firewall filters are evaluated, which said they all need to match, but other documents such as the one you posted state any match will do.

Here is the document I speak of:

http://www.juniper.net/techpubs/en_US/junos9.4/topics/concept/firewall-filter-ex-series-evaluation-u...

At the top, point #2 states "If the packet matches all the conditions in the term...." which was the source of my confusion.

I now see this document is for the EX switches, but it is JunOS, which the SRX also runs. I'm new to Juniper land, forgive me. 8)

-g


Distinguished Expert
MMcD
Posts: 630
Registered: 07-20-2010

Re: firewall filters - in the 'from' does any or all produce a match?

If a firewall filter term contains multiple match conditions, a packet must meet all match conditions to be considered a match for the firewall filter term.

If a single match condition is configured with multiple values, such as a range of values (like yours), a packet must match only one of the values to be considered a match for the firewall filter term.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
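As an added illustration of the two rules in MMcD's answer (not code from the thread or from Juniper), the small model below evaluates a term the way Junos does: every match condition in a term must be satisfied, while a condition listing several values is satisfied by any one of them. The TWO_COND_TERM, the protocol field and the sample packets are constructed for the example; only the QOS term comes from the thread.

```python
# Added example: model of Junos firewall filter term evaluation.
# AND across the match conditions of a term, OR across the values listed
# inside a single condition (e.g. the five DSCP values in the thread).


def term_matches(conditions, packet):
    """Return True if 'packet' satisfies every condition in the term.

    conditions: {field: [accepted values]}  (the term's 'from' clause)
    packet:     {field: value}
    A term with no 'from' clause (empty dict) matches every packet, as in Junos.
    A field the packet lacks can never satisfy a condition on that field.
    """
    return all(packet.get(field) in values for field, values in conditions.items())


# The DMZFILTER / QOS term from the thread: one 'dscp' condition, five values.
QOS_TERM = {"dscp": ["af43", "af11", "af21", "af22", "af23"]}

# Hypothetical second term (constructed, not in the thread) with two conditions,
# to show the AND between conditions: dscp AND protocol must both be satisfied.
TWO_COND_TERM = {"dscp": ["af21", "af22"], "protocol": ["tcp"]}


def evaluate_filter(terms, packet):
    """Walk the terms in order and return the name of the first matching term.

    Junos evaluates terms top to bottom and stops at the first match; a packet
    that matches no term falls through to the filter's implicit discard, which
    is what a return value of None represents here.
    """
    for name, conditions in terms:
        if term_matches(conditions, packet):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample packets.
    pkt_af21_udp = {"dscp": "af21", "protocol": "udp"}
    pkt_af41_tcp = {"dscp": "af41", "protocol": "tcp"}
    print(evaluate_filter([("QOS", QOS_TERM)], pkt_af21_udp))      # QOS
    print(evaluate_filter([("QOS", QOS_TERM)], pkt_af41_tcp))      # None
    print(evaluate_filter([("T2", TWO_COND_TERM)], pkt_af21_udp))  # None
```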
Contributor
Greg_
Posts: 12
Registered: 03-12-2012

Re: firewall filters - in the 'from' does any or all produce a match?

Makes sense. Thanks again. :smileyhappy:

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.