[Junos] Changing a firewall filter refreshes the whole filter, causing a delay in SNMP walks of its counters


Article ID: KB35882   KB Last Updated: 29 Jul 2020   Version: 1.0
Summary:

Any change to a firewall filter term, or to a policer or prefix-list that a term of the filter references, causes the whole filter to be refreshed. While the filter is being re-programmed, an SNMP walk of its counters (jnxFWCounterDisplayName) returns only the entries programmed so far, so the walk is delayed for a time that depends on the size of the filter.

Symptoms:

In this example the firewall filter test-filter has 1200 terms. A change to any one term, or to an object that term references, refreshes the complete filter. Term 8 references the prefix-list PL_8 and the policer 30M:

set policy-options prefix-list PL_8 10.10.10.0/24
set policy-options prefix-list PL_8 11.11.11.22/32
set firewall family inet filter test-filter term 8 from source-prefix-list PL_8
set firewall family inet filter test-filter term 8 then policer 30M
set firewall family inet filter test-filter term 8 then accept
 
root@jtac-lab> show snmp mib walk jnxFWCounterDisplayName              
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.49.3 = 30M-1
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.50.3 = 30M-2
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.51.3 = 30M-3
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.52.3 = 30M-4
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.53.3 = 30M-5
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.54.3 = 30M-6
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.55.3 = 30M-7
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.56.3 = 30M-8
…
 
root@jtac-lab> show snmp mib walk jnxFWCounterDisplayName | count   
Count: 1200 lines
 
Deleting a prefix from the prefix-list PL_8, which is referenced by term 8:
labroot@jtac-lab# show | compare
[edit policy-options prefix-list PL_8]
-    10.10.10.0/24;
 
root@jtac-lab# commit
 
The filter is re-applied. Walks run immediately after the commit return only the entries programmed so far, and the count climbs back to 1200 as re-programming completes:
root@jtac-lab> show snmp mib walk jnxFWCounterDisplayName | count   
Count: 200 lines
 
root@jtac-lab> show snmp mib walk jnxFWCounterDisplayName | count   
Count: 678 lines
 
root@jtac-lab> show snmp mib walk jnxFWCounterDisplayName | count   
Count: 1200 lines

Solution:

This is expected behavior of the firewall filter. After any change the filter has to be re-programmed in full, and SNMP walks of its counters return partial results until re-programming finishes; the length of that delay depends on the size of the filter. Counter values collected from such a walk (for example by a monitoring system polling right after a commit) should not be trusted until the entry count for the filter is back to its expected value.
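As an added example, not part of the KB article and not Juniper's own tooling, the following Python decodes the jnxFWCounterDisplayName walk output shown in the Symptoms section and implements the check a practitioner wants after such a commit: poll the walk and treat the filter's counters as trustworthy only once the entry count has returned to the expected value. The sample walk lines are constructed in the article's format for test-filter; the jnxFWCounterType names follow JUNIPER-FIREWALL-MIB (the trailing .3 on the article's OIDs is policer(3)), and the "two consecutive full walks" threshold is a chosen policy for this script, not a Junos rule.

```python
"""Decode 'show snmp mib walk jnxFWCounterDisplayName' output and decide when a
firewall filter has been fully re-programmed after a commit.

Added example for this KB article; it is not Juniper code. SAMPLE_WALK is
constructed in the article's format (three of test-filter's 1200 entries).
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# jnxFWCounterType enumeration from JUNIPER-FIREWALL-MIB. The article's OIDs end
# in .3 (policer), matching the '30M-n' policer display names.
COUNTER_TYPE = {1: "other", 2: "counter", 3: "policer"}

# Constructed sample: same index encoding as the article (length-prefixed ASCII
# filter name, length-prefixed ASCII counter name, then the counter type).
SAMPLE_WALK = """\
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.49.3 = 30M-1
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.50.3 = 30M-2
jnxFWCounterDisplayName.11.116.101.115.116.45.102.105.108.116.101.114.5.51.48.77.45.51.3 = 30M-3
"""

WALK_LINE = re.compile(r"^jnxFWCounterDisplayName\.([\d.]+)\s*=\s*(\S+)\s*$")


@dataclass(frozen=True)
class CounterEntry:
    filter_name: str
    counter_name: str
    counter_type: str
    display_name: str


def decode_index(index: str) -> Tuple[str, str, int]:
    """Decode the jnxFWCounterTable index: two length-prefixed ASCII strings
    (filter name, counter name) followed by one integer sub-id (counter type)."""
    sub_ids = [int(p) for p in index.split(".")]
    pos = 0
    names = []
    for _ in range(2):
        length = sub_ids[pos]
        chars = sub_ids[pos + 1:pos + 1 + length]
        if len(chars) != length:
            raise ValueError(f"truncated index: {index}")
        names.append("".join(chr(c) for c in chars))
        pos += 1 + length
    if pos != len(sub_ids) - 1:
        raise ValueError(f"unexpected trailing sub-ids in index: {index}")
    return names[0], names[1], sub_ids[pos]


def parse_walk(text: str) -> List[CounterEntry]:
    """Parse walk output. Prompt lines, '…' and blanks are skipped. A display
    name that disagrees with the decoded counter name means the index was
    mis-decoded, so the line is rejected instead of silently miscounted."""
    entries = []
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        filt, counter, ctype = decode_index(m.group(1))
        display = m.group(2)
        if display != counter:
            raise ValueError(f"index/display mismatch on: {line}")
        entries.append(CounterEntry(filt, counter, COUNTER_TYPE.get(ctype, str(ctype)), display))
    return entries


def count_for_filter(text: str, filter_name: str) -> int:
    """Number of counter entries the walk currently shows for one filter."""
    return sum(1 for e in parse_walk(text) if e.filter_name == filter_name)


def reprogramming_complete(walk_counts: Sequence[int], expected: int, stable_walks: int = 2) -> bool:
    """Given per-walk entry counts taken after a commit (the article's sequence
    was 200, 678, 1200), report True only once the last `stable_walks` walks all
    returned the expected count. Requiring two consecutive full walks (a policy
    chosen here, not a Junos guarantee) avoids acting on a walk that straddled
    the end of re-programming."""
    if len(walk_counts) < stable_walks:
        return False
    return all(c == expected for c in walk_counts[-stable_walks:])


if __name__ == "__main__":
    for entry in parse_walk(SAMPLE_WALK):
        print(entry)
    # Simulated poll sequence from the article, plus one confirming walk.
    observed = []
    for count in (200, 678, 1200, 1200):
        observed.append(count)
        print(count, "complete" if reprogramming_complete(observed, 1200) else "still programming")
```

In practice the input comes from `show snmp mib walk jnxFWCounterDisplayName` on the router or from an external `snmpwalk` of the same object; feed each walk to `count_for_filter` with the filter's known term count and hold off on collecting or alerting on counter values until `reprogramming_complete` returns True.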

The following entries from /var/log/messages show the firewall filter being re-read and re-applied after the commit. Note that this log sample was captured with a filter named f1 rather than test-filter:

Jun 17 10:11:40.825754 re-reading configuration, PID 9024
Jun 17 10:11:40.827123 mib2d_read_config: Done reading config...code:0
Jun 17 10:11:40.851572 fw_async_callback_gencfg: Incoming object with major type 15 minor type 21
Jun 17 10:11:40.851617 fw_async_callback_gencfg: Got filter name f1 with filter index 2, is_remote=0
Jun 17 10:11:40.851626 fw_async_callback_gencfg: filter: f1, filter index: 2, template_index 0, op: 2