
[SRX] Example Firewall Filter used to count the number of incoming packets


Article ID: KB21872 | Last Updated: 30 Jun 2020 | Version: 7.0
Summary:

This article shows how to determine whether a packet with the following parameters has actually reached the SRX device:

  • Source IP address
  • Destination IP address
  • Protocol (for example TCP, UDP, ICMP, ESP and so on)

Note: The Resolution Guides for SRX NAT refer to this article.

Symptoms:

The SRX configuration appears to be correct, but it is not certain whether the packet is reaching the SRX device at all.

One way to check is to apply a firewall filter that counts the matching incoming packets on the ingress interface.

Solution:

Setting up a firewall filter for this purpose requires you to identify the following:

  1. Which interface the packet is expected on
  2. What the packet looks like in detail (source address, destination address, protocol)

For example:

  1. The packet is expected on the public interface ge-0/0/0.0.
  2. The packet has the following properties:
    1. Destination IP = 1.1.1.1
    2. Source IP = 3.3.3.3
    3. Protocol = ICMP

Step 1. The firewall filter can be set up with the following configuration mode commands:

set firewall family inet filter icmp-filter term 1 from source-address 3.3.3.3
set firewall family inet filter icmp-filter term 1 from destination-address 1.1.1.1
set firewall family inet filter icmp-filter term 1 from protocol icmp
set firewall family inet filter icmp-filter term 1 then accept
set firewall family inet filter icmp-filter term 1 then count icmp-counter
set firewall family inet filter icmp-filter term default then accept

Step 2. The firewall filter is applied as an input filter on interface ge-0/0/0.0 with this command:

set interfaces ge-0/0/0.0 family inet filter input icmp-filter

The resulting configuration looks like this:

# show interfaces ge-0/0/0
ge-0/0/0 {
   unit 0 {
      family inet {
         filter {
            input icmp-filter;
         }
         address 1.1.1.1/30; ## This address was already set on the interface
      }
   }
}

# show firewall family inet filter icmp-filter
icmp-filter {
   term 1 { ## This is the main term, which matches and counts the packets.
      from {
         source-address 3.3.3.3;
         destination-address 1.1.1.1;
         protocol icmp;
      }
      then {
         count icmp-counter; ## The icmp-counter shows the bytes/packets incrementing
         accept; ## Accept the matching packets so they are not dropped; "drop" or "reject", and/or "log", can be used here instead.
      }
   }
   term default { ## This term ensures that all other traffic is not affected.
      then {
         accept;
      }
   }
}

Step 3. Initiate the traffic (in this example, ICMP from 3.3.3.3 to 1.1.1.1).

Step 4. Check the firewall filter statistics with the following command:

show firewall filter icmp-filter
Counter                         Bytes          Packets
icmp-counter                    84             1

Enter the command again; the counter increments for every matching packet that reaches the interface:

show firewall filter icmp-filter
Counter                         Bytes          Packets
icmp-counter                    168            2
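To confirm the counter movement between two readings without comparing the output by eye, here is an added Python helper; it is not part of this article or of Junos. It parses the counter table printed by "show firewall filter" as shown above and reports how much a named counter grew. The two snapshots below are constructed to match the readings in this article.

```python
import re
from typing import Dict, Tuple

# Constructed sample output, modelled on the "show firewall filter icmp-filter"
# readings shown in this article (taken before and after one ICMP probe).
SNAPSHOT_BEFORE = """\
Counter                         Bytes          Packets
icmp-counter                    84             1
"""
SNAPSHOT_AFTER = """\
Counter                         Bytes          Packets
icmp-counter                    168            2
"""

# One counter row: name, byte count, packet count. The "Counter Bytes Packets"
# header and any blank or elision lines do not match and are skipped.
COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_filter_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Map counter name -> (bytes, packets) from 'show firewall filter' output."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in output.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def counter_delta(before: str, after: str, name: str) -> Tuple[int, int]:
    """Return (bytes, packets) by which counter 'name' grew between two readings."""
    b = parse_filter_counters(before).get(name, (0, 0))
    a = parse_filter_counters(after).get(name, (0, 0))
    return (a[0] - b[0], a[1] - b[1])


def packets_arrived(before: str, after: str, name: str, probes_sent: int) -> bool:
    """True when the counter grew by at least the number of probes you sent."""
    return counter_delta(before, after, name)[1] >= probes_sent


if __name__ == "__main__":
    delta = counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "icmp-counter")
    print(f"icmp-counter grew by {delta[0]} bytes / {delta[1]} packets")
    print("packet reached SRX:", packets_arrived(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "icmp-counter", 1))
```

Paste the two real readings into SNAPSHOT_BEFORE and SNAPSHOT_AFTER (or read them from files) to compare an actual before/after pair.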

Note: When troubleshooting is finished, remove the firewall filter from the interface and commit, so that the extra filter processing does not remain on the production interface:

# delete interfaces ge-0/0/0.0 family inet filter
# commit

For more information about Firewall Filters, refer to Stateless Firewall Filter Overview.


Modification History:

2020-06-30: Removed J-Series references.
2020-03-25: Article checked for accuracy. Found to be valid and relevant; no changes made.
