
SRX Getting Started - Stateless Firewall Filters (ACLs) Use Case



Article ID: KB16685 | Last Updated: 29 Aug 2014 | Version: 7.0

This article describes why you would configure stateless firewall filters (ACLs) on SRX Series devices.


Determine why you would configure stateless firewall filters (ACLs).



A stateless firewall filter, also known as an access control list (ACL), is a long-standing Junos feature used for stateless packet filtering and quality of service (QoS). A stateless firewall filter evaluates each packet on its own, against static match conditions on the packet's headers, with no reference to any session. A stateful firewall, by contrast, uses connection state derived from earlier packets and from application inspection to make dynamic control decisions.

You can configure stateless firewall filters on SRX Series devices to do the following:

  • Filter, mark, or count traffic that matches specific definitions
  • Enforce policing

NOTE: Firewall filters are not supported in Transparent/bridge mode.

Firewall filters (ACLs) are applied before the Flow Services Module, as depicted in the following packet-flow diagram.

In the diagram, the Policer and Input filter modules represent firewall filters (ACLs), and the Flow Services Module includes security policies.

As the diagram shows, a packet is first processed by the firewall filters (ACLs) and only then by the security policies in the Flow Services Module. If a firewall filter blocks a packet, the packet never reaches the Flow Services Module. Depending on what the firewall filter is meant to do, a security policy may or may not also be needed. For example, a firewall filter applied to the loopback interface (lo0) is evaluated against traffic destined to the device itself (host-bound traffic), whichever interface that traffic arrives on, so no security policy is needed to control it. For a more detailed explanation of stateful and stateless data processing, refer to Understanding Stateful and Stateless Data Processing for J Series Services Routers.
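The following configuration is an added example, not part of the original article, of the lo0 use case just described: a stateless filter on the loopback interface that restricts host-bound traffic before it reaches the Flow Services Module. The filter name protect-re, the counter name re-discards, and the management prefix 192.0.2.0/24 are assumptions chosen for illustration.

```junos
/* Added example (not from the original article). Assumed names: protect-re, re-discards, 192.0.2.0/24. */
firewall {
    family inet {
        filter protect-re {
            /* Management access: SSH only from the assumed management prefix. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Routing/multicast control traffic addressed to this device. */
            term allow-pim {
                from {
                    protocol pim;
                }
                then accept;
            }
            /* Keep basic reachability checks working. */
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Explicit final term: count and log everything else, then drop it.
               Without this term the filter's implicit discard would drop the same
               traffic, but silently and without a counter to inspect. */
            term deny-rest {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Commit this with commit confirmed so that a mistake in the allow terms cannot lock you out of management; if the commit is not confirmed in time it is rolled back automatically. After commit, show firewall filter protect-re displays the re-discards counter, which tells you what the filter is dropping. Because the lo0 filter runs before the Flow Services Module, the host-inbound-traffic settings of the security zones still apply to whatever the filter accepts.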

Example of a firewall filter implementing a policer

The following example shows a firewall filter that polices PIM traffic, counts the packets that match the term, and queues them in the forwarding class named network-control. Note that a security policy is also needed for the stateful session to be created. Two points to check before applying this filter: the pim term names no terminating action, so packets that match it are accepted after the policer is applied (Junos accepts a packet when a term's then clause contains no terminating action); and the filter has no final accept term, so the implicit discard at the end of every Junos filter drops all non-PIM traffic on ge-0/0/0 in both directions. Add a final term with then accept unless that is intended. The source-address and destination-address prefixes were omitted from the listing. After commit, show firewall filter pim-traffic-filter displays the pim-pkts counter and the number of packets discarded by the policer.
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input pim-traffic-filter;
                output pim-traffic-filter;
            }
        }
    }
}

user@host# show firewall
family inet {
    filter pim-traffic-filter {
        term pim {
            from {
                source-address {
                    /* prefix omitted in the original listing */
                }
                destination-address {
                    /* prefix omitted in the original listing */
                }
                protocol pim;
            }
            then {
                policer network-control-5m;
                count pim-pkts;
                loss-priority low;
                forwarding-class network-control;
            }
        }
    }
}
policer network-control-5m {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 1m;
    }
    then discard;
}

Technical Documentation

For information about stateless firewall filters, see:
Stateless Firewall Filter Types
