Firewall filter counters are not incrementing when applied under input-list.

This article discusses why firewall filter counters do not increment when a filter is applied under “input-list”.

Firewall filter counters are not incrementing for the second filter when it is applied under input-list.

Filter configuration:
set firewall filter test1 term ftp from destination-port ftp
set firewall filter test1 term ftp then count counter1
set firewall filter test1 term ftp then accept
set firewall filter test1 term accept-all then accept
set firewall filter test2 term ssh from destination-port ssh
set firewall filter test2 term ssh then count counter2
set firewall filter test2 term ssh then accept
set firewall filter test2 term accept-all then accept

Interface configuration:

Only the counters of the first filter, test1, are incrementing. The counters of filter test2 are not incrementing when it is applied under input-list. However, if filter test2 is applied as a plain input filter as shown below, its counters do increment. This indicates that there is no issue with the filter configuration itself.

In the first filter, “test1”, we see a term named “accept-all”.

All packets that do not match the first term of filter test1 match the term “accept-all” and are accepted there. Because of this, packets never reach filter test2 in the input-list. This is the reason why only the first counter increments.

Notice also that only one counter, “counter1-fe-0/0/3.0-i”, is shown in the “show firewall” output while the term “accept-all” is configured. JUNOS checks the configuration and determines which filters in the input-list can actually be hit. This is a good indicator of whether the filters are configured properly.

To see counters increment for both filters, delete the term “accept-all” from the first filter. This ensures that packets reach the second filter and its counters increment accordingly.

After deleting the “accept-all” term from the first filter, both counters are visible under “show firewall”. When traffic matches these filters, both counters increment.
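The following is an added model of the input-list evaluation described above (example code, not part of the original article or of JUNOS). It assumes that filters in an input-list are evaluated in order as one chain, that a matching term runs its count and then its terminating action, that an accept ends evaluation of the whole chain, that a filter with no matching term falls through to the next one, and that a packet reaching the end of the chain hits the implicit discard. It also shows why “show firewall” lists only counter1 while the accept-all term is present.

```python
from collections import Counter

# Each term is (name, destination port to match or None for catch-all,
# counter name or None, terminating action). Ports mirror the article's
# "destination-port ftp" (21) and "destination-port ssh" (22).
TEST1_WITH_ACCEPT_ALL = [("ftp", 21, "counter1", "accept"),
                         ("accept-all", None, None, "accept")]
TEST1_FIXED = [("ftp", 21, "counter1", "accept")]  # accept-all term deleted
TEST2 = [("ssh", 22, "counter2", "accept"),
         ("accept-all", None, None, "accept")]


def apply_input_list(filters, dst_ports):
    """Run each packet (given by destination port) through the chained
    filters and return (counter hits, per-packet verdicts)."""
    counters = Counter()
    verdicts = []
    for port in dst_ports:
        verdict = "discard"  # assumed implicit discard at end of the chain
        for terms in filters:
            for _name, match_port, counter, action in terms:
                if match_port is None or match_port == port:
                    if counter:
                        counters[counter] += 1  # count is non-terminating
                    verdict = action
                    break
            else:
                continue  # no term matched: fall through to the next filter
            break  # a terminating action ended evaluation of the chain
        verdicts.append(verdict)
    return counters, verdicts


def reachable_counters(filters):
    """Counters that any packet could ever hit. A catch-all term with a
    terminating action makes every later term (and filter) unreachable,
    which is why 'show firewall' only lists counter1 in the article."""
    reachable = []
    for terms in filters:
        for _name, match_port, counter, _action in terms:
            if counter:
                reachable.append(counter)
            if match_port is None:
                return reachable
    return reachable


if __name__ == "__main__":
    # Constructed sample traffic: one ftp, one ssh and one http packet.
    for chain in ([TEST1_WITH_ACCEPT_ALL, TEST2], [TEST1_FIXED, TEST2]):
        print(reachable_counters(chain), apply_input_list(chain, [21, 22, 80]))
```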


About the author

James Palmer
