
[MX] Syslog Message - "PFE_FW_SYSLOG_ETH_IP" when firewall filter is configured with syslog action


Article ID: KB36952 KB Last Updated: 10 May 2021 Version: 1.0
Summary:

This article provides more details about the "PFE_FW_SYSLOG_ETH_IP" syslog message that may be logged in MX Series routers, while clarifying that the message is informational only with no action required for resolution.

Symptoms:

When users configure the following filter with a syslog action:

firewall {
    family inet {
        filter test {
            term 1 {
                then {
                    log;
                    syslog;  <<<
                    discard; <<<
                }
            }
        }
    }
}

They may see the syslog message PFE_FW_SYSLOG_ETH_IP:

fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX 00:00:ff:06:61:8c -> 45:00:00:6a:17:dd  tcp 22.22.22.2 11.11.11.2  1024  1024 (1 packets)

The following lab test uses two scenarios to demonstrate that the output field will differ depending on where the filter is applied:

jtac-mx104-r2007  (xe-0/1/0) ---- (xe-0/0/0) jtac-mx480-r2001(xe-5/0/0)  -----jtac-spirent-spt-n11u-part2-r2001:2/9
  1. Traffic passes from the tester to mx104. A filter is applied on the egress interface xe-0/0/0.0 of mx480:

Apr 24 10:34:00.926  jtac-mx480-r2001-re0 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX 00:00:ff:06:61:b3 -> 45:00:00:6a:17:b6  tcp 22.22.22.2 11.11.11.2  1024  1024 (2 packets)    <<< Since a filter is not applied to the xe-5/0/0.0 interface, we see "XXXX" output.
  2. Traffic passes from the tester to mx104. A filter is applied on the ingress interface xe-5/0/0.0 of mx480:

Apr 24 11:11:12.369  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 00c8:0800 00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (982 packets) <<< A filter is applied to the xe-5/0/0.0 interface and the "00c8" value indicates the vlan-id in hex, which is 200.
Cause:

These syslog messages are informational and do not have any impact. The message provides information about a packet's L2 header and type. The meaning of each field in the syslog message is detailed below:

  • fpc0: Indicates the FPC on which the filter is applied

  • xe-5/0/0.0: Indicates the ingress interface

  • D: Stands for filter action such as discard/accept

  • XXXX: Indicates the L2 header information field

  • 00:00:ec:00:61:7c > 45:00:00:28:3a:7f: Indicates the source MAC and destination MAC addresses

  • tcp: Is the protocol type

  • 22.22.22.2 11.11.11.2: Indicates the source-IP and destination-IP address

  • 1024 1024: Indicates the source port and destination port

For the L2 header information field, the following options are available:

  • XXXX: The L2 header information is invalid.

  • 0800: The packet does not have a VLAN tag.

  • xxxx:0800: The packet has one VLAN tag (xxxx indicates the VLAN ID).

  • xxxx:xxxx:0800: The packet is QinQ (xxxx indicates the VLAN IDs).

For example:

Apr 24 11:11:12.369  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 00c8:0800 00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (982 packets) <<< "00c8" here indicates the vlan-id in hex, which is 200.
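
For log pipelines that ingest these messages, the field layout above can be decoded as follows. This is an added example, not Juniper code: the function names and the third (QinQ) sample line are constructed here, and the last group of the L2 field is assumed to be the EtherType (0800 = IPv4).

```python
import re

# Field order follows the article's description of PFE_FW_SYSLOG_ETH_IP.
LINE_RE = re.compile(
    r"(?P<fpc>fpc\d+) PFE_FW_SYSLOG_ETH_IP: FW: (?P<interface>\S+)\s+"
    r"(?P<action>\S+)\s+(?P<l2>\S+)\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]{17})\s+->\s+(?P<dst_mac>[0-9A-Fa-f:]{17})\s+"
    r"(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+\((?P<packets>\d+) packets\)"
)
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def decode_l2(field):
    """Decode the L2 header information field.

    Returns (valid, vlan_ids, ethertype): XXXX is invalid, a lone group is an
    untagged frame, and each group before the last is a VLAN ID in hex.
    """
    if field == "XXXX":
        return False, [], None
    groups = field.split(":")
    if len(groups) > 3 or not all(HEX4.fullmatch(g) for g in groups):
        raise ValueError(f"unexpected L2 header field: {field!r}")
    *tags, ethertype = groups  # assumption: last group is the EtherType
    return True, [int(tag, 16) for tag in tags], ethertype.lower()


def parse_line(line):
    """Return a dict of decoded fields, or None if the line is another message."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    record["l2_valid"], record["vlan_ids"], record["ethertype"] = decode_l2(record.pop("l2"))
    for key in ("src_port", "dst_port", "packets"):
        record[key] = int(record[key])
    return record


# First two lines are the article's lab output; the third is constructed (QinQ).
SAMPLES = [
    "Apr 24 10:34:00.926  jtac-mx480-r2001-re0 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D XXXX 00:00:ff:06:61:b3 -> 45:00:00:6a:17:b6  tcp 22.22.22.2 11.11.11.2  1024  1024 (2 packets)",
    "Apr 24 11:11:12.369  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 00c8:0800 00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (982 packets)",
    "Apr 24 11:12:00.000  jtac-mx480-r2001-re0 fpc5 PFE_FW_SYSLOG_ETH_IP: FW: xe-5/0/0.0   D 0064:00c8:0800 00:10:94:00:00:02 -> 3c:94:d5:08:06:72  tcp 22.22.22.2 11.11.11.2  1024  1024 (3 packets)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_line(sample)
        print(rec["fpc"], rec["interface"], rec["action"], rec["l2_valid"], rec["vlan_ids"], rec["packets"])
```

Records with `l2_valid` set to False correspond to the "XXXX" case above, so downstream rules should not key on VLAN for them.
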
Solution:

These logs are only for information purposes and there is no service impact.

To prevent these log messages from being reported, you can remove the "syslog" action from the filter configuration as shown below:

# deactivate firewall family inet filter test term 1 then syslog