I have a firewall filter that I was trying to clean up:
set firewall filter isp1-in term 1 from source-prefix-list blocked-access
set firewall filter isp1-in term 1 then discard
set firewall filter isp1-in term 2 from destination-address 12.13.200.20/32
set firewall filter isp1-in term 2 from source-prefix-list mgmnt-access
set firewall filter isp1-in term 2 from protocol tcp
set firewall filter isp1-in term 2 from destination-port 22
set firewall filter isp1-in term 2 from destination-port 443
set firewall filter isp1-in term 2 then accept
set firewall filter isp1-in term 3 from destination-address 12.13.200.20/32
set firewall filter isp1-in term 3 from protocol tcp
set firewall filter isp1-in term 3 from destination-port 22
set firewall filter isp1-in term 3 from destination-port 443
set firewall filter isp1-in term 3 then discard
set firewall filter isp1-in term 4 then accept
This works fine (only IPs defined in mgmnt-access can access the ssh/https ports at 12.13.200.20).
When I tried the method below, term 2 never worked and everyone (mgmnt IPs and anyone else) was still able to access ssh/https to 12.13.200.20. Is there something I missed?
set firewall filter isp1-in term 1 from source-prefix-list blocked-access
set firewall filter isp1-in term 1 then discard
set firewall filter isp1-in term 2 from destination-address 12.13.200.20/32
set firewall filter isp1-in term 2 from source-prefix-list mgmnt-access except
set firewall filter isp1-in term 2 from protocol tcp
set firewall filter isp1-in term 2 from destination-port 22
set firewall filter isp1-in term 2 from destination-port 443
set firewall filter isp1-in term 2 then discard
set firewall filter isp1-in term 3 then accept
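
The following is an added example, not part of the original post. It is a small Python model of how term 2 of the second filter is evaluated. It assumes Junos's documented address-match rule: the longest matching prefix decides, and an implied `0.0.0.0/0 except` is always present. The prefix-list contents and test addresses are constructed, and the "with 0.0.0.0/0" variant assumes an extra `from source-address 0.0.0.0/0` line in term 2.

```python
import ipaddress

# Constructed prefix-list contents; the post does not show the real ones.
PREFIX_LISTS = {"mgmnt-access": ["198.51.100.0/24"]}

def source_matches(ip, entries):
    """entries: (prefix, is_except) pairs for one term's source match.
    The longest matching prefix decides. Junos implies a trailing
    0.0.0.0/0 except, so a term holding only 'except' entries matches nothing."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), exc) for p, exc in entries]
    nets.append((ipaddress.ip_network("0.0.0.0/0"), True))  # implied entry
    hits = [n for n in nets if addr in n[0]]
    # On equal length an explicit positive entry beats the implied except.
    _, is_except = max(hits, key=lambda n: (n[0].prefixlen, not n[1]))
    return not is_except

def term2_discards(src_ip, dst_ip, proto, dport, source_entries):
    """True when term 2 of the second filter matches (packet discarded)."""
    return (dst_ip == "12.13.200.20" and proto == "tcp" and dport in (22, 443)
            and source_matches(src_ip, source_entries))

def verdict(src_ip, dport, source_entries):
    # term 1 (blocked-access) omitted; term 3 accepts whatever term 2 misses.
    if term2_discards(src_ip, "12.13.200.20", "tcp", dport, source_entries):
        return "discard"
    return "accept"

mgmt = [(p, True) for p in PREFIX_LISTS["mgmnt-access"]]
as_posted = mgmt                               # source-prefix-list mgmnt-access except
with_positive = mgmt + [("0.0.0.0/0", False)]  # plus source-address 0.0.0.0/0

if __name__ == "__main__":
    for name, entries in (("as posted", as_posted), ("with 0.0.0.0/0", with_positive)):
        for src in ("198.51.100.7", "192.0.2.50"):  # management host, outsider
            print(f"{name:15} {src:13} -> {verdict(src, 22, entries)}")
```

In the model, the posted term 2 has no positive source entry, so it matches no packet and everything falls through to the final accept, which is the behaviour the post describes.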