Firewall filter

06-29-2019 05:56 PM

In the following certification question example (you can safely read this as a brain dump):

-- Exhibit --
[edit firewall family inet filter input-filter]
user@router# show
term my-policy {
    from {
        source-address {
            151.43.62.0/24;
        }
    }
    then {
        count;
    }
}
term else {
    then {
        discard;
    }
}
-- Exhibit --

Which two tasks are accomplished by the firewall filter shown in the exhibit? (Choose two.)

  • A. Traffic matching the my-policy term will be counted and accepted.
  • B. Traffic matching the my-policy term will be counted and discarded.
  • C. Traffic not matching the my-policy term will be discarded.
  • D. Traffic not matching the my-policy term will be accepted.

Answers A and C were chosen... but in my point of view <count> is a non-terminating action, so packet evaluation should be continued and the incoming packet should be dropped by term else.

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-actions-t... -->

A filter-terminating action halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined.

Explained clearly, but nothing for non-terminating actions... meanwhile: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-evaluate-... -->

If the matched term does not include the next term action, evaluation of the packet against the given firewall filter ends at this term. The device does not evaluate the packet against any subsequent terms in this filter.
Can someone explain to me how firewall filters are applied in the above perspective, let's say for MX routers (because SRX and EX are ... different creatures)?

Sorry for asking obvious questions, but there is no option to test for real or in a lab.

Re: Firewall filter

06-30-2019 02:45 AM

Answers are right.

"Nonterminating actions carry the implicit terminating action of accept. When applied to a firewall filter term without an explicit terminating action, the default action of accept will be used.  This could cause unintended packet processing side effects if you are just looking to sample or log a packet. To avoid the implicit accept action, use the next term action to allow further processing of the packets within the firewall filter" 

I verified your example in my lab and it works as mentioned in the answer. (There are some syntax issues in the given example, but the logic is right)

Reference: page 77 of the Day One book "Configuring Junos Policies and Firewall Filters"

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
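To make the evaluation order discussed in the question and in the reply above concrete, here is a small Python model of the term semantics described in this thread (an added illustration, not Juniper code or a Junos feature): a matched term whose only actions are non-terminating (such as count) carries an implicit accept, "next term" continues evaluation, a terminating action stops it, and a filter with no matching term discards. Term names and the prefix come from the exhibit; the packet source addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Filter-terminating actions end evaluation; anything else is non-terminating.
TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    source_prefixes: list = field(default_factory=list)  # empty = match any source
    actions: list = field(default_factory=list)

    def matches(self, src: str) -> bool:
        if not self.source_prefixes:
            return True
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(p) for p in self.source_prefixes)


def evaluate(terms, src: str):
    """Return (verdict, names of terms that counted the packet) for a packet from src."""
    counted = []
    for term in terms:
        if not term.matches(src):
            continue
        if "count" in term.actions:
            counted.append(term.name)
        for action in term.actions:
            if action in TERMINATING:
                return action, counted
        if "next term" in term.actions:
            continue  # explicit fall-through to the following term
        # Matched term with only non-terminating actions: implicit accept.
        return "accept", counted
    # No term matched at all: the filter's implicit final discard.
    return "discard", counted


# The exhibit as written: count carries an implicit accept.
EXHIBIT = [
    Term("my-policy", ["151.43.62.0/24"], ["count"]),
    Term("else", [], ["discard"]),
]

# What the original poster expected: count, then continue to term else.
WITH_NEXT_TERM = [
    Term("my-policy", ["151.43.62.0/24"], ["count", "next term"]),
    Term("else", [], ["discard"]),
]

if __name__ == "__main__":
    for src in ("151.43.62.10", "10.0.0.1"):  # constructed sample sources
        print(src, evaluate(EXHIBIT, src), evaluate(WITH_NEXT_TERM, src))
```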

Re: Firewall filter

06-30-2019 05:38 AM

Just a reminder that "brain dumps" are cheating, and using them can make you ineligible to hold any Juniper certification.
Brain dumps are created by people making copies of the actual certification questions in order to pre-share those questions with correct answers that people then memorize rather than learn the underlying concepts.
You seem to be approaching the process correctly by trying to understand why answers are correct. But downloading and using brain dumps puts your ability to hold Juniper certifications at risk. I encourage you to delete them and use other study methods instead.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Firewall filter

06-30-2019 05:48 AM

We all knew that :) Even more, holding a certification without knowledge and XP is like visiting a dentist to fix your liver :) But I don't care; I'm trying to create internal assessment tests, and brain dumps sound like the easiest way, in addition to company-specific questions and tasks.

Re: Firewall filter

06-30-2019 06:07 AM

Thank you! Now that makes sense and gives some answers and new insight on nasty workarounds back in time ...

A day when I learn something new, update my knowledge or correct my delusions is not dissipated! 

Re: Firewall filter

06-30-2019 06:11 AM

Since you want to create your own tests, a better source of questions would be the official Junos Genius application. This gives both the questions and answers and does not violate any of the NDA or cheating policies. The free version has a number of example exams.
https://www.juniper.net/us/en/training/junos-genius/
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Firewall filter

06-30-2019 06:35 AM

No one uses such a configuration. This is only going to cause confusion. To be frank, in my experience with Juniper exams of any level, I don't recall similar tricky questions. As other experts suggested, good job done, and keep the momentum to your next level certificate.

Mengzhe Hu
JNCIE x 3 (SP DC ENT)