[M/MX/T] Firewall counter or policer is not shown in 'show firewall' output

Article ID: KB32521 KB Last Updated: 27 Mar 2018 Version: 1.0

Summary:

A number of terms are configured in a firewall filter, but they are not included in the "show firewall" command output. This article explains why and provides an example of how to correct it.

Symptoms:

The following configuration is created, but the policer "BESTEFFORT" and counter "BESTEFFORTCOUNTER" are not shown in the output of 'show firewall'.

FIREWALL CONFIGURATION

# show firewall 
family inet {
    filter testfilter {
        interface-specific;
        term VOICE {
            from {
                forwarding-class VOICE;
            }
            then {
                policer VOICE;
                count VOICECOUNTER;
                loss-priority low;
                accept;
            }
        }
        term STANDARD {
            then {
                policer STANDARD;
                count STANDARDCOUNTER;
                loss-priority low;
                accept;
            }                           
        }
        term BESTEFFORT {
            from {
                forwarding-class BestEffort;
            }
            then {
                policer BESTEFFORT;
                count BESTEFFORTCOUNTER;
                loss-priority high;
                forwarding-class BestEffort;
                accept;
            }
        }
    }
}
policer VOICE {
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}
policer STANDARD {                      
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}
policer BESTEFFORT {
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}

SHOW FIREWALL

# run show firewall 

Filter: __default_bpdu_filter__                                

Filter: testfilter-ge-1/2/4.0-i                                
Counters:
Name                                                Bytes              Packets
STANDARDCOUNTER-ge-1/2/4.0-i                            0                    0
VOICECOUNTER-ge-1/2/4.0-i                               0                    0
Policers:
Name                                                Bytes              Packets
STANDARD-STANDARD-ge-1/2/4.0-i                          0                    0
VOICE-VOICE-ge-1/2/4.0-i                                0                    0

Note that the policer "BESTEFFORT" and counter "BESTEFFORTCOUNTER" are not shown.

Cause:

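This behavior is expected because no traffic can be matched by the term "BESTEFFORT". Terms are evaluated in order, and the term "STANDARD" has no match conditions (no "from" statement), so all traffic that reaches it is matched and accepted there. Nothing is ever evaluated against the term "BESTEFFORT"; therefore the policer and counter in that term are not shown.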

Solution:

The configuration can be improved by defining match criteria for the term STANDARD. Here's an example.

FIREWALL CONFIGURATION

# show firewall 
family inet {
    filter testfilter {
        interface-specific;
        term VOICE {
            from {
                forwarding-class VOICE;
            }
            then {
                policer VOICE;
                count VOICECOUNTER;
                loss-priority low;
                accept;
            }
        }
        term STANDARD {
            from {
                forwarding-class STANDARD;    //Define match criteria
            }
            then {
                policer STANDARD;
                count STANDARDCOUNTER;
                loss-priority low;
                accept;
            }                           
        }
        term BESTEFFORT {
            from {
                forwarding-class BestEffort;
            }
            then {
                policer BESTEFFORT;
                count BESTEFFORTCOUNTER;
                loss-priority high;
                forwarding-class BestEffort;
                accept;
            }
        }
    }
}
policer VOICE {
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}
policer STANDARD {                      
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}
policer BESTEFFORT {
    if-exceeding {
        bandwidth-limit 390k;
        burst-size-limit 625k;
    }
    then discard;
}

SHOW FIREWALL

# run show firewall                     

Filter: __default_bpdu_filter__                                

Filter: testfilter-ge-1/2/4.0-i                                
Counters:
Name                                                Bytes              Packets
BESTEFFORTCOUNTER-ge-1/2/4.0-i                          0                    0
STANDARDCOUNTER-ge-1/2/4.0-i                            0                    0
VOICECOUNTER-ge-1/2/4.0-i                               0                    0
Policers:
Name                                                Bytes              Packets
BESTEFFORT-BESTEFFORT-ge-1/2/4.0-i                      0                    0
STANDARD-STANDARD-ge-1/2/4.0-i                          0                    0
VOICE-VOICE-ge-1/2/4.0-i                                0                    0

Now all the configured policers and counters are shown.
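
The check below is an added example, not part of the original article or of any Juniper tooling: it parses a brace-style firewall configuration and reports every term that follows a term with no "from" block and an explicit terminating action, which is the condition described under Cause. The function names, the reduced sample filter and the restriction to block-form "then { ... }" with an explicit accept, discard or reject are assumptions of this example.

```python
import re

TERMINATING = {"accept", "discard", "reject"}  # explicit terminating actions

def parse(tokens):
    """Turn a token iterator into nested [(statement, children_or_None)]."""
    nodes, words = [], []
    for tok in tokens:
        if tok in ("{", ";"):
            nodes.append((" ".join(words), parse(tokens) if tok == "{" else None))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return nodes

def shadowed_terms(config_text):
    """Return [(filter, catch_all_term, unreachable_term), ...]."""
    text = re.sub(r"(//|#).*", "", config_text)  # drop prompts and comments
    findings, stack = [], [parse(iter(re.findall(r"[{};]|[^\s{};]+", text)))]
    while stack:
        for stmt, children in stack.pop():
            if children is None:
                continue
            if not stmt.startswith("filter "):
                stack.append(children)  # descend, e.g. into "family inet"
                continue
            catch_all = None
            for term_stmt, body in children:
                if body is None or not term_stmt.startswith("term "):
                    continue
                term = term_stmt.split()[1]
                if catch_all:  # evaluated only after an unconditional term
                    findings.append((stmt.split()[1], catch_all, term))
                    continue
                blocks = {s: c for s, c in body if c is not None}
                actions = {s.split()[0] for s, _ in blocks.get("then", [])}
                if not blocks.get("from") and actions & TERMINATING:
                    catch_all = term
    return findings

# Constructed sample: the article's filter reduced to match conditions and actions.
FILTER = """family inet { filter testfilter {
  term VOICE { from { forwarding-class VOICE; } then { count VOICECOUNTER; accept; } }
  term STANDARD { %s then { count STANDARDCOUNTER; accept; } }
  term BESTEFFORT { from { forwarding-class BestEffort; } then { count BESTEFFORTCOUNTER; accept; } }
} }"""
BEFORE, AFTER = FILTER % "", FILTER % "from { forwarding-class STANDARD; }"
print(shadowed_terms(BEFORE), shadowed_terms(AFTER))
```

For the original filter it reports that STANDARD shadows BESTEFFORT; for the corrected filter it reports nothing.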
