Knowledge Search


Firewall terms might not be evaluated sequentially

  [JSA10313] Show Article Properties

Legacy Advisory Id:
Product Affected:
All M-series and T-series routers with firewall filters that contain both from source-address and from address match conditions.
When a firewall filter term includes the from address
match condition and a subsequent term includes the from source-address
match condition for the same address, packets might be processed by the latter term before they are evaluated by any intervening terms. Therefore, packets that should be rejected by the intervening terms may be accepted, or packets that should be accepted may be rejected.

This behavior occurs because of an optimization within the firewall compiler. It is being tracked by PR/28108
There is no solution at this time. Juniper Networks is continuing to investigate this problem.
As a workaround, for every firewall filter term that contains the from address
match condition, replace that term with two separate terms, one that contains the from source-address
match condition and one that contains the from destination-address
match condition.
Related Links: