
[SRX] Example Firewall Filter used to count the number of incoming packets

  [KB21872]


Summary:

This article helps you determine whether a packet with the following parameters has reached the SRX:

  • Source IP
  • Destination IP
  • Protocol (e.g. TCP, UDP, ICMP, ESP)

The Resolution Guides for SRX NAT refer to this article.


Symptoms:

The SRX configuration appears correct, but it is not certain whether the packet is actually arriving at the SRX.
One way to check is to apply a Firewall Filter that counts the incoming packets matching that source, destination and protocol.

Cause:

Solution:

Setting up a Firewall Filter requires you to identify the following:

  1. Which interface the packet is expected to arrive on
  2. What the packet looks like in detail (source, destination, protocol)

For Example:

  1. The packet is expected on the public interface ge-0/0/0.0
  2. The packet has the following properties:
         Destination IP = 1.1.1.1
         Source IP = 3.3.3.3
         Protocol = ICMP

Step 1. The Firewall Filter can be set up with the following configuration mode commands:

set firewall family inet filter icmp-filter term 1 from source-address 3.3.3.3
set firewall family inet filter icmp-filter term 1 from destination-address 1.1.1.1
set firewall family inet filter icmp-filter term 1 from protocol icmp
set firewall family inet filter icmp-filter term 1 then accept
set firewall family inet filter icmp-filter term 1 then count icmp-counter
set firewall family inet filter icmp-filter term default then accept

Step 2. The Firewall Filter is applied as an input filter on the interface ge-0/0/0.0 with this command:

set interfaces ge-0/0/0.0 family inet filter input icmp-filter

The resulting configuration looks like this:

# show interfaces ge-0/0/0
ge-0/0/0 {
   unit 0 {
      family inet {
         filter {
            input icmp-filter;
         }
         address 1.1.1.1/30; ## This address was already set on the interface
      }
   }
}

# show firewall family inet filter icmp-filter
icmp-filter {
   term 1 { ## This is the main term, which will count the packets.
      from {
         source-address 3.3.3.3;
         destination-address 1.1.1.1;
         protocol icmp;
      }
      then {
         count icmp-counter; ## The icmp-counter will show the bytes/packets incrementing
         accept; ## This accepts the packets if you do not want them dropped. You can use "drop" or "reject" and/or "log" here instead.
      }
   }
   term default { ## This term ensures that all other traffic is not affected.
      then {
         accept;
      }
   }
}

Step 3. Initiate the traffic from the source.


Step 4. The Firewall Filter counters can then be checked with the following command:

show firewall filter icmp-filter
Counter                         Bytes          Packets
icmp-counter                    84             1

Run the command again after more traffic has been sent; the counter should keep incrementing if the packets are reaching the SRX:

show firewall filter icmp-filter
Counter                         Bytes          Packets
icmp-counter                    168            2
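As an added example (not part of the KB article), a small Python helper that generates the article's filter for any source/destination/protocol and compares two polls of the counter output to decide whether matching packets arrived. The sample output is constructed to match the simplified layout and figures shown above; the real command output may contain extra header lines, which the parser skips.

```python
import re

# Constructed samples of "show firewall filter icmp-filter" output, in the
# simplified layout the article shows: one poll, then a second poll later.
SAMPLE_BEFORE = """\
Counter                         Bytes          Packets
icmp-counter                    84             1
"""
SAMPLE_AFTER = """\
Counter                         Bytes          Packets
icmp-counter                    168            2
"""

# One counter row: name, bytes, packets. Header lines have no integer columns, so they are skipped.
COUNTER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$", re.M)


def build_filter_commands(src: str, dst: str, proto: str,
                          filt: str = "icmp-filter", counter: str = "icmp-counter") -> list[str]:
    """Generate the article's 'set' commands for an arbitrary source/destination/protocol.
    The trailing 'term default ... accept' keeps unrelated traffic flowing."""
    base = f"set firewall family inet filter {filt} term 1"
    return [
        f"{base} from source-address {src}",
        f"{base} from destination-address {dst}",
        f"{base} from protocol {proto}",
        f"{base} then accept",
        f"{base} then count {counter}",
        f"set firewall family inet filter {filt} term default then accept",
    ]


def parse_counters(output: str) -> dict[str, tuple[int, int]]:
    """Map counter name -> (bytes, packets) from 'show firewall filter' output."""
    return {m["name"]: (int(m["bytes"]), int(m["packets"]))
            for m in COUNTER_RE.finditer(output)}


def counter_delta(before: str, after: str, counter: str) -> tuple[int, int]:
    """(bytes, packets) added between two polls. A KeyError here usually means the
    filter is not applied to the interface or the counter name is mistyped."""
    b0, p0 = parse_counters(before)[counter]
    b1, p1 = parse_counters(after)[counter]
    return b1 - b0, p1 - p0


def traffic_reached_srx(before: str, after: str, counter: str = "icmp-counter") -> bool:
    """The article's test: the counter only moves if a packet matching the term's
    source, destination and protocol actually arrived on the filtered interface."""
    return counter_delta(before, after, counter)[1] > 0
```

Polling twice rather than reading one value matters because the counter is cumulative and keeps its old value across commits.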

Step 5. When you have finished troubleshooting, remove the Firewall Filter from the interface and commit:

#delete interfaces ge-0/0/0.0 family inet filter
#commit


For more information on Firewall Filters, refer to http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/firewall-filter-overview.html.
