Policy Framework Configuration Guide - Juniper Networks

Chapter 9: Firewall Filter Configuration
Table 35: Firewall Filter Actions (continued)
Action
Description
ipsec-sa ipsec-sa
(Family inet only) Use the specified IPsec security association.
NOTE: This action is not supported on MX Series routers.
load-balance
group-name
(Family inet only) Use the specified load-balancing group.
log
(Family inet and inet6 only) Log the packet header information in a buffer within the Packet Forwarding
Engine. You can access this information by issuing the show firewall log command at the command-line
interface (CLI).
logical-system
logical-system-name
Specify a logical system to which packets are forwarded.
loss-priority (high
| medium-high |
medium-low| low)
Set the loss priority level for packets.
Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced
CFEB (CFEB-E).
On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level to
commit a PLP configuration with any of the four levels specified. If the tricolor statement is not referenced,
you can only configure the high and low levels. This applies to all protocol families.
You cannot also configure the three-color-policer nonterminating action for the same firewall filter term.
These two nonterminating actions are mutually exclusive.
next term
Continue to the next term for evaluation.
next-hop-group
group-name
(Family inet only) Use the specified next-hop group.
policer
policer-name
Rate-limit packets based on the specified policer.
port-mirror
(Family bridge, ccc, inet, inet6, and vpls only) Port-mirror packets based on the specified family. Supported
on M120 routers, M320 routers configured with Enhanced III FPCs, and MX Series routers only.
prefix-action name
(Family inet only) Count or police packets based on the specified action name.
reject
message-type
Discard a packet, sending an ICMPv4 or an ICMPv6 destination unreachable message. Rejected packets
can be logged or sampled if you configure either the sample or the syslog action modifier. You can specify
one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos,
host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown,
network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable,
source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control
Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, the default code of
administratively-prohibited, which has a value of 13, is returned.
Supported for family inet and inet6 only.
routing-instance
routing-instance
(Family inet and inet6 only) Specify a routing instance to which packets are forwarded.
Copyright © 2010, Juniper Networks, Inc.
229