
[QFX] Commit warning for EX2300 on QFX5100 platform

Article ID: KB33785 | KB Last Updated: 22 Mar 2019 | Version: 1.0
Summary:

This article explains why the "warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch" commit warning is issued on QFX5100 platforms, and indicates whether any action must be taken to clear the warning.

 

Symptoms:

When any change is committed on a QFX5100 switch that is running Junos OS release 18.3R1.9, a warning message that refers to the EX2300 Series switch appears:

{master:0}
root@switch> configure
Entering configuration mode

{master:0}[edit]
root@switch# set interfaces xe-0/0/0 description test

{master:0}[edit]
root@switch# commit
[edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
  'accept'
    warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
[edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
  'accept'
    warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
[edit firewall family inet filter PROTECT-RE term ALLOW-SSH then]
  'accept'
    warning: a firewall filter term includes log/syslog and accept. A packet matching the firewall filter would not be routed across EX2300 switch.
configuration check succeeds
commit complete

 

Cause:

These messages were added to the QFX platform by design to raise awareness of a known bug in EX2300 Series switches: if a firewall filter term that has log or syslog together with accept is assigned to an interface, traffic might be dropped without any warning when commit or commit-check is issued. In the configuration below, term ALLOW-SSH of the PROTECT-RE filter has both log and accept, which is why the warning names that term:

{master:0}
root@switch> show configuration firewall family inet filter PROTECT-RE
term ALLOW-SSH {
    from {
        source-address {
            10.0.0.0/8;
        }
        destination-port ssh;
    }
    then {
        count ALLOW-SSH;
        log;
        accept;
    }
}
term ALLOW-IP-FRAGMENTS {
    then log;
}
term DENY-ALL {
    then {
        count DENY-ALL;
        log;
        discard;
    }
}
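
To find which terms would trigger this warning before a filter is used on an EX2300, the check below parses brace-format firewall configuration and lists terms whose then clause contains accept together with log or syslog. It is an added example, not Juniper code; the function names are hypothetical, and matching only an explicit accept is an assumption based on the commit output above, which flags ALLOW-SSH but not ALLOW-IP-FRAGMENTS.

```python
import re

# Junos brace-format tokens: quoted strings, structural characters, bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
LOGGING = {"log", "syslog"}

def term_actions(config_text):
    """Return {(filter, term): set of 'then' actions}; filter is "" if not shown."""
    actions, stack, words = {}, [], []
    for tok in TOKEN.findall(config_text):
        if tok == "{":                      # statement opens a hierarchy level
            stack.append(tuple(words))
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":                    # leaf statement is complete
            named = {s[0]: s[1] for s in stack if len(s) == 2}
            if "term" in named and words:
                key = (named.get("filter", ""), named["term"])
                if stack[-1] == ("then",):                  # then { log; accept; }
                    actions.setdefault(key, set()).add(words[0])
                elif stack[-1][:1] == ("term",) and words[0] == "then" and len(words) > 1:
                    actions.setdefault(key, set()).add(words[1])   # then log;
            words = []
        else:
            words.append(tok)
    return actions

def flagged_terms(config_text):
    """Terms whose 'then' has an explicit accept together with log or syslog."""
    return sorted(key for key, acts in term_actions(config_text).items()
                  if "accept" in acts and acts & LOGGING)

# The article's PROTECT-RE filter, condensed onto fewer lines. It comes from
# "show configuration firewall family inet filter PROTECT-RE": no filter level.
SAMPLE = """
term ALLOW-SSH {
    from { source-address { 10.0.0.0/8; } destination-port ssh; }
    then { count ALLOW-SSH; log; accept; }
}
term ALLOW-IP-FRAGMENTS { then log; }
term DENY-ALL { then { count DENY-ALL; log; discard; } }
"""

if __name__ == "__main__":
    for filt, term in flagged_terms(SAMPLE):
        print(f"filter {filt or '(not shown)'} term {term}: log/syslog with accept")
```

Feed it the output of show configuration firewall saved to a file; configuration comments and "##" annotation lines are not handled and should be stripped first.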

 

Solution:

These messages are harmless and can be ignored.

 
