Routing

Firewall rule processing when called in a group

11-06-2019 08:30 AM

Hi,


filter pm_alp_classes_internet {
    apply-groups [ cm_trusted_links cm_alp_class3_protocol ];
}


show configuration groups cm_trusted_links
firewall {
    family bridge {
        filter <*> {
            term al_trust_class_default_dscp {
                from {
                    interface ge-0/0/3.0;
                }
                then {
                    count al_trust_class_default_dscp;
                    loss-priority low;
                    forwarding-class class4;
                    accept;
                }
            }
        }
    }
}

show configuration groups cm_alp_class3_protocol
firewall {
    family bridge {
        filter <*> {
            term al_alp_return_class3_protocol_seq_100 {
                from {
                    ip-destination-address {
                        0.0.0.0/0;
                    }
                    ip-address {
                        0.0.0.0/0;
                    }
                    ip-protocol tcp;
                    source-port [ 647 1352 1494 2598 7911 ];
                }
                then {
                    count al_alp_return_class3_protocol_seq_100;
                    loss-priority low;
                    forwarding-class class3;
                    accept;
                }
            }
        }
    }
}

I have two firewall filters being called in a group and the group is applied to interface ge-0/0/3. 


Scenario:

Source IP: 192.168.1.1

Destination IP: 192.168.1.10

Source port: TCP 647

A packet arrives on interface ge-0/0/3 and I get a hit on counter al_trust_class_default_dscp. There is no hit on the second firewall filter even though its condition is a better match. Does it mean that processing stops when there is a match?

Solution
Accepted by topic author Rohit Verma
11-07-2019 06:56 AM

Re: Firewall rule processing when called in a group

11-06-2019 08:52 AM

Hi,

Yes, in a Junos firewall filter, once a term is matched the packet is no longer processed against the remaining terms. The action in the first matching term is executed. If you want to continue processing you can use the then next term action.

Below link will provide more details - 

https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-routing-policies-chain-evalu...


Thanks,

Mayank


If this resolves your issue please mark as solution so others can benefit from the post
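The practical consequence of first-match evaluation is that term order decides the outcome, and with apply-groups the order of the groups in the apply-groups list is what sets the order of the inherited terms (that is my understanding; the display inheritance check below confirms it on a given box). The configuration below is an added example, not the poster's configuration or a Juniper reference: it reuses the term and counter names from this thread, drops the 0.0.0.0/0 address matches (they match everything and add nothing), and lists the more specific TCP source-port term ahead of the interface catch-all so that the class3 term is the one that wins for the scenario packet. The filter name and family bridge context are taken from the thread; everything else (the full groups hierarchy shown) is assumed.

```junos
/* Added example, not the original poster's config.
   Term order after inheritance follows the apply-groups order, so the
   specific class3 term is listed first and the interface catch-all last. */
groups {
    cm_alp_class3_protocol {
        firewall {
            family bridge {
                filter <*> {
                    term al_alp_return_class3_protocol_seq_100 {
                        from {
                            ip-protocol tcp;
                            source-port [ 647 1352 1494 2598 7911 ];
                        }
                        then {
                            count al_alp_return_class3_protocol_seq_100;
                            loss-priority low;
                            forwarding-class class3;
                            accept;   /* terminating: evaluation stops here */
                        }
                    }
                }
            }
        }
    }
    cm_trusted_links {
        firewall {
            family bridge {
                filter <*> {
                    term al_trust_class_default_dscp {
                        from {
                            interface ge-0/0/3.0;
                        }
                        then {
                            count al_trust_class_default_dscp;
                            loss-priority low;
                            forwarding-class class4;
                            accept;   /* only reached if no earlier term matched */
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family bridge {
        filter pm_alp_classes_internet {
            /* specific group first, catch-all group last */
            apply-groups [ cm_alp_class3_protocol cm_trusted_links ];
        }
    }
}
```

Before committing, check the effective term order with `show configuration firewall family bridge filter pm_alp_classes_internet | display inheritance`; the terms should appear in the order the groups are listed. After sending the test packet (TCP source port 647 in from ge-0/0/3.0), `show firewall filter pm_alp_classes_internet` should show the al_alp_return_class3_protocol_seq_100 counter incrementing and al_trust_class_default_dscp unchanged for that packet. If the intent is instead for a packet to be counted by both terms, replace accept in the first term with next term; accept is terminating, next term is not.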


Re: Firewall rule processing when called in a group

11-06-2019 08:55 AM

Re: Firewall rule processing when called in a group

11-06-2019 09:04 AM

Hi Rohit,


Since you have an accept term after the first rule, the packet is getting accepted right there and it won't go for further processing; that's why you don't see any further hit.


Thanks

Vishal
