SRX

I'm defining filters under the firewall section.   I have done some
reading but it appears as if behavior changes depending on which code
you are on.

the question:  in SRX land,   do we need to match all the 'condition
values' for the 'then' actions to be invoked,  or will any match work?


here is the config bit in question:

  filter DMZFILTER {
     term QOS {
         from {
             dscp [ af43 af11 af21 af22 af23 ];
         }
         then {
             routing-instance routing-table-ISP2;
         }
     }


  would matching any of the listed DSCP values be considered a match and whatever is
defined by 'then' will be invoked,  or would this filter never produce a match?

Hi there,

A match would occur if any of the DSCP terms are met.

http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-policy/policy-configuring-match-conditions-in-firewall-filter-terms.html

Are you seeing different on different OS versions?

Hi MMcD,

Thanks for the quick responce.     I was looking at a document speaking about how firewall filters are evaluated,  which said they all need to match,  but other documents such as the one you posted state any match will do.

here is the document I speak of:

http://www.juniper.net/techpubs/en_US/junos9.4/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

at the top,  point #2 states "If the packet matches all the conditions in the term...."  which was the source of my confusion.

I now see this document is for the EX switches,  but it is junOS,  which the SRX  also runs.   I'm new to Juniper land,   forgive me.  😎

-g

If a firewall filter term contains multiple match conditions, a packet must meet all match conditions to be considered a match for the firewall filter term.

If a single match condition is configured with multiple values, such as a range of values(like yours), a packet must match only one of the values to be considered a match for the firewall filter term.

makes sence.   thanks again.