This article discusses the reason why firewall filter counters do not increment when the filters are applied under “input-list”.
Firewall filter counters are not incrementing for the second filter when it is applied under input-list.
Filter configuration:
set firewall filter test1 term ftp from destination-port ftp
set firewall filter test1 term ftp then count counter1
set firewall filter test1 term ftp then accept
set firewall filter test1 term accept-all then accept
set firewall filter test2 term ssh from destination-port ssh
set firewall filter test2 term ssh then count counter2
set firewall filter test2 term ssh then accept
set firewall filter test2 term accept-all then accept
Interface configuration:
set interfaces fe-0/0/3 unit 0 family inet filter input-list test1
set interfaces fe-0/0/3 unit 0 family inet filter input-list test2
Only the counters of the first filter, test1, are incrementing. The counters of filter test2 are not incrementing when it is applied under input-list. But if filter test2 is applied as a plain input filter, as shown below, its counters increment. This indicates that there is no issue with the filter configuration itself.
set interfaces fe-0/0/3 unit 0 family inet filter input test2
In the first filter, “test1”, note the term “accept-all”:
root@srx# set firewall filter test1 term accept-all then accept
All packets that do not match the first term (ftp) of filter test1 match the term “accept-all” and are accepted there. Because of this, packets never reach filter test2 in the input-list. This is the reason why only the first counter increments.
You can also notice that only one counter, “counter1-fe-0/0/3.0-i”, is seen in the “show firewall” output when the term “accept-all” is configured. JUNOS checks the configuration and determines which filters can actually be hit in the input-list. This is a good indicator of whether you configured the filters properly or not.
root@100-2# run show firewall

Filter: __default_bpdu_filter__

Filter: test1
Counters:
Name                   Bytes    Packets
counter1                   0          0

Filter: test2
Counters:
Name                   Bytes    Packets
counter2                   0          0

Filter: fe-0/0/3.0-i
Counters:
Name                   Bytes    Packets
counter1-fe-0/0/3.0-i      0          0    <<<<< Only one counter is seen here instead of 2 counters
To see the counters increment for both filters, delete the term “accept-all” from the first filter. This ensures that packets fall through to the second filter and its counters increment accordingly.
root@srx# delete firewall filter test1 term accept-all then accept
After deleting the “accept-all” term from the first filter, both counters are now visible under “show firewall”. When traffic matches these filters, both counters increment.
[edit]
root@100-2# run show firewall

Filter: __default_bpdu_filter__

Filter: test1
Counters:
Name                   Bytes    Packets
counter1                   0          0

Filter: test2
Counters:
Name                   Bytes    Packets
counter2                   0          0

Filter: fe-0/0/3.0-i
Counters:
Name                   Bytes    Packets
counter1-fe-0/0/3.0-i    439         10
counter2-fe-0/0/3.0-i   4748         70    <<<< 2nd counter shows up after deleting "accept-all" term
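The behaviour described above can be reproduced with a small model of how an input-list is evaluated: the filters are chained into one (the fe-0/0/3.0-i filter shown), a packet stops at the first term whose action terminates, and only packets that match no term in a filter fall through to the next one. This is an added Python example written for this article, not Junos code; the traffic mix (10 FTP, 70 SSH, 5 other packets) and the implicit discard at the end of the chain are constructed assumptions.

```python
"""Toy model of Junos input-list evaluation for the test1/test2 filters above."""
from collections import Counter

# A term is (name, match criteria or None for "matches everything", counter name, action).
TEST1_WITH_ACCEPT_ALL = [
    ("ftp", {"dport": 21}, "counter1", "accept"),
    ("accept-all", None, None, "accept"),
]
TEST1_WITHOUT_ACCEPT_ALL = TEST1_WITH_ACCEPT_ALL[:1]   # after 'delete ... term accept-all'
TEST2 = [
    ("ssh", {"dport": 22}, "counter2", "accept"),
    ("accept-all", None, None, "accept"),
]

def term_matches(match, packet):
    """A term with no 'from' clause matches every packet."""
    return match is None or all(packet.get(k) == v for k, v in match.items())

def run_input_list(filters, packets):
    """Push packets through the chained filters; return (counters, per-packet verdicts)."""
    counters = Counter()
    verdicts = []
    for pkt in packets:
        verdict = "discard"          # assumed implicit discard at the end of the merged filter
        for filt in filters:
            terminated = False
            for _name, match, counter, action in filt:
                if term_matches(match, pkt):
                    if counter:
                        counters[counter] += 1
                    verdict = action  # accept/discard terminate: later filters are not evaluated
                    terminated = True
                    break
            if terminated:
                break                # packet never reaches the next filter in the input-list
        verdicts.append(verdict)
    return counters, verdicts

# Constructed traffic: 10 FTP packets, 70 SSH packets, 5 packets to an unrelated port.
TRAFFIC = [{"dport": 21}] * 10 + [{"dport": 22}] * 70 + [{"dport": 8080}] * 5

if __name__ == "__main__":
    for label, test1 in (("with accept-all", TEST1_WITH_ACCEPT_ALL),
                         ("without accept-all", TEST1_WITHOUT_ACCEPT_ALL)):
        counters, verdicts = run_input_list([test1, TEST2], TRAFFIC)
        print(f"{label}: {dict(counters)}, discarded={verdicts.count('discard')}")
```

With the accept-all term present, counter2 stays at zero because every non-FTP packet is accepted by test1 before test2 is consulted; removing the term lets the 70 SSH packets reach test2 and counter2 reaches 70, matching the second show firewall output.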