How Juniper Standard Firewall Filters Evaluate Packets

July 28, 2018 at 1:00 pm

Juniper

This post is critical for those students studying for their Enterprise Routing and Switching Certifications.

Firewall Filter Packet Evaluation Overview

The following sequence describes how the device evaluates a packet entering or exiting an interface when the input or output traffic on that interface is associated with a firewall filter.

Packet evaluation proceeds as follows:

  1. The device evaluates the packet against the terms in the firewall filter sequentially, beginning with the first term in the filter.
  2. If the packet matches all the conditions specified in a term, the device performs all the actions specified in that term.
  3. If the packet does not match all the conditions specified in a term, the device proceeds to the next term in the filter (if a subsequent term exists) and evaluates the packet against that term.
  4. If the packet does not match any term in the firewall filter, the device implicitly discards the packet.

Unlike service filters and simple filters, firewall filters support the next term action, which is neither a terminating action nor a nonterminating action but a flow control action.

If the matched term includes the next term action, the device continues evaluation of the packet at the next term within the firewall filter.

If the matched term does not include the next term action, evaluation of the packet against the given firewall filter ends at this term. The device does not evaluate the packet against any subsequent terms in this filter.

A maximum of 1024 next term actions are supported per firewall filter configuration. If you configure a firewall filter that exceeds this limit, your candidate configuration results in a commit error.

The device stops evaluating a packet against a given firewall filter when either the packet matches a term without the next term action or the packet fails to match the last term in the firewall filter.
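The evaluation rules above, including the next term flow control action, the implicit discard and the 1024 next term commit limit, as a small added simulator. This is example code written for this post, not Junos code or a Juniper tool; the term names, match keys and the sample filter are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

TERMINATING = {"accept", "discard", "reject"}
MAX_NEXT_TERM = 1024  # per-filter limit stated in the post

@dataclass
class Term:
    name: str
    match: dict     # "from" conditions, e.g. {"protocol": "tcp", "destination-port": 22}
    actions: list   # "then" actions, e.g. ["count ssh-total", "accept"]

def validate(terms):
    """Mimic the commit check: more than 1024 next term actions is a commit error."""
    n = sum(a == "next term" for t in terms for a in t.actions)
    if n > MAX_NEXT_TERM:
        raise ValueError(f"commit error: {n} next term actions exceed {MAX_NEXT_TERM}")
    return n

def cond_ok(key, want, have):
    if have is None:
        return False
    if key.endswith("-address"):            # address conditions are prefix matches
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return want == have

def evaluate(terms, packet):
    """Return (verdict, actions performed, terms visited) for one packet."""
    performed, visited = [], []
    for term in terms:                      # step 1: terms in order, first to last
        visited.append(term.name)
        if not all(cond_ok(k, v, packet.get(k)) for k, v in term.match.items()):
            continue                        # step 3: not all conditions met, try next term
        performed.extend(a for a in term.actions if a != "next term")  # step 2
        if "next term" in term.actions:
            continue                        # flow control: keep evaluating later terms
        # No next term: evaluation ends here; later terms are never examined. The "accept"
        # fallback is Junos behaviour for a matched term with no terminating action (assumed, not stated in the post).
        return next((a for a in term.actions if a in TERMINATING), "accept"), performed, visited
    return "discard", performed, visited    # step 4: no term matched -> implicit discard

# Constructed sample filter (names are hypothetical): count every SSH packet via
# next term, then accept SSH only from the management prefix, plus all ICMP.
FILTER = [
    Term("count-ssh", {"protocol": "tcp", "destination-port": 22}, ["count ssh-total", "next term"]),
    Term("allow-mgmt-ssh", {"protocol": "tcp", "destination-port": 22, "source-address": "10.0.0.0/24"}, ["accept"]),
    Term("allow-icmp", {"protocol": "icmp"}, ["accept"]),
]
```

Calling evaluate(FILTER, packet) with an SSH packet from outside 10.0.0.0/24 returns a discard verdict after visiting all three terms, which shows both the next term fall-through and the implicit discard at the end of the filter.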