3.2.24. fast-path firewall¶
fast-path¶
Note
requires a CG-NAT Application License.
Firewall configuration.
vsr running config# vrf <vrf> firewall fast-path
enabled¶
Enable Fast path firewall.
vsr running config# vrf <vrf> firewall fast-path
vsr running fast-path# enabled true|false
- Default value
true
conntrack-rule-set¶
Set a conntrack rule set.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-]
|
Set the name of the conntrack rule set. |
origin¶
Configure the origin direction.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin
action¶
Set a conntrack rule set action.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
set-mark¶
Apply a mark (i.e. user metadata) on the packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-mark SET-MARK
|
Description |
|---|---|
|
No description. |
|
No description. |
set-mss¶
Modify TCP SYN packet to limit the advertised MSS to the specified value.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-mss <uint32>
set-dscp¶
Update the DSCP field of the packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-dscp <uint32>
save-dscp¶
Record current packet DSCP into conntrack.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# save-dscp
restore-dscp¶
Restore previously recorded DSCP value (if any) into packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# restore-dscp
reply¶
Configure the reply direction.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply
action¶
Set a conntrack rule set action.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
set-mark¶
Apply a mark (i.e. user metadata) on the packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-mark SET-MARK
|
Description |
|---|---|
|
No description. |
|
No description. |
set-mss¶
Modify TCP SYN packet to limit the advertised MSS to the specified value.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-mss <uint32>
set-dscp¶
Update the DSCP field of the packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-dscp <uint32>
save-dscp¶
Record current packet DSCP into conntrack.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# save-dscp
restore-dscp¶
Restore previously recorded DSCP value (if any) into packet.
vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# restore-dscp
rule¶
Set a rule to handle packet.
vsr running config# vrf <vrf> firewall fast-path rule <string>
|
Set the name of the rule. |
accept¶
Accept packet and let pass it through the network stack.
vsr running config# vrf <vrf> firewall fast-path rule <string> accept
action¶
Apply actions on the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> accept action
set-mark¶
Apply a mark (i.e. user metadata) on the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> accept action
vsr running action# set-mark SET-MARK
|
Description |
|---|---|
|
No description. |
|
No description. |
set-dscp¶
Update the DSCP field of the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> accept action
vsr running action# set-dscp <uint32>
set-mss¶
Modify TCP SYN packet to limit the advertised MSS to the specified value.
vsr running config# vrf <vrf> firewall fast-path rule <string> accept action
vsr running action# set-mss SET-MSS
|
Description |
|---|---|
|
No description. |
|
Rely on path MTU for the mss value. |
drop¶
Drop the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> drop
action¶
Apply actions on the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> drop action
reject¶
Reject the packet and notify the sender.
vsr running config# vrf <vrf> firewall fast-path rule <string> reject
action¶
Apply actions on the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> reject action
track¶
Track the packet. It will create a conntrack.
vsr running config# vrf <vrf> firewall fast-path rule <string> track
apply¶
Apply the conntrack rule set.
vsr running config# vrf <vrf> firewall fast-path rule <string> track
vsr running track# apply <leafref>
action¶
Apply actions on the packet.
vsr running config# vrf <vrf> firewall fast-path rule <string> track action
match¶
Set packet filters.
vsr running config# vrf <vrf> firewall fast-path rule <string> match
family¶
Match IPv4, IPv6 packets or both.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family
ipv4¶
Match only IPv4 packets.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4
Match source IPv4 address or IPv4 group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4
vsr running ipv4# source-address [not] VALUE
The IPv4 address or group name to match.
VALUE
|
Description |
|---|---|
|
An IPv4 address. |
|
A masked IPv4 address: address and prefix of that subnet. |
|
No description. |
|
No description. |
Match destination IPv4 address or IPv4 group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4
vsr running ipv4# destination-address [not] VALUE
The IPv4 address or group name to match.
VALUE
|
Description |
|---|---|
|
An IPv4 address. |
|
A masked IPv4 address: address and prefix of that subnet. |
|
No description. |
|
No description. |
Select protocol to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol
Invert the match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol not
The protocol value to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol not
vsr running not# VALUE
|
Description |
|---|---|
|
Layer 4 protocol (TCP, UDP, ICMP or other). |
|
ICMP protocol. |
|
TCP protocol. |
|
UDP protocol. |
Match any protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol any
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol any
vsr running any# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol any
vsr running any# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match TCP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol tcp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol tcp
vsr running tcp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol tcp
vsr running tcp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match UDP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol udp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol udp
vsr running udp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol udp
vsr running udp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match ICMP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol icmp
Match ICMP message type.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol icmp
vsr running icmp# icmp-type [not] VALUE
The ICMP message type value to match.
VALUE
|
Description |
|---|---|
|
Any ICMP type. |
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Network unreachable. |
|
Host unreachable. |
|
Protocol unreachable. |
|
Port unreachable. |
|
Fragmentation needed. |
|
Source route failed. |
|
Network unknown. |
|
Host unknown. |
|
Network prohibited. |
|
Host prohibited. |
|
TOS network unreachable. |
|
TOS host unreachable. |
|
Communication prohibited. |
|
Host precedence violation. |
|
Precedence cutoff. |
|
Source quench. |
|
Redirect. |
|
Network redirect. |
|
Host redirect. |
|
TOS network redirect. |
|
TOS host redirect. |
|
Router advertisement. |
|
Router solicitation. |
|
TTL exceeded. |
|
Time to Live exceeded in Transit. |
|
Fragment Reassembly Time Exceeded. |
|
Parameter problem. |
|
Bad IP header. |
|
Missing a Required Option. |
|
Timestamp request. |
|
Timestamp reply. |
|
Information request reply. |
|
Information response reply. |
|
Address mask request. |
|
Address mask reply. |
|
No description. |
Match on protocol number.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol number
The protocol number to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4 protocol number
vsr running number# <uint8>
Match on source application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4
vsr running ipv4# source-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
Match on destination application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv4
vsr running ipv4# destination-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
ipv6¶
Match only IPv6 packets.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6
Match source IPv6 address or IPv6 group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6
vsr running ipv6# source-address [not] VALUE
The IPv6 address or group address to match.
VALUE
|
Description |
|---|---|
|
An IPv6 address. |
|
A masked IPv6 address: address and prefix of that subnet. |
|
No description. |
|
No description. |
Match destination IPv6 address or IPv6 group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6
vsr running ipv6# destination-address [not] VALUE
The IPv6 address or group address to match.
VALUE
|
Description |
|---|---|
|
An IPv6 address. |
|
A masked IPv6 address: address and prefix of that subnet. |
|
No description. |
|
No description. |
Select protocol to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol
Invert the match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol not
The protocol value to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol not
vsr running not# VALUE
|
Description |
|---|---|
|
Layer 4 protocol (TCP, UDP, ICMP or other). |
|
TCP protocol. |
|
UDP protocol. |
|
ICMPv6 protocol. |
Match any protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol any
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol any
vsr running any# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol any
vsr running any# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match TCP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol tcp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol tcp
vsr running tcp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol tcp
vsr running tcp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match UDP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol udp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol udp
vsr running udp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol udp
vsr running udp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match ICMPv6 protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol icmpv6
Match ICMPv6 message type.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol icmpv6
vsr running icmpv6# icmp-type [not] VALUE
The ICMPv6 message type value to match.
VALUE
|
Description |
|---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
|
No description. |
Match on protocol number.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol number
The protocol number to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6 protocol number
vsr running number# <uint8>
Match on source application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6
vsr running ipv6# source-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
Match on destination application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family ipv6
vsr running ipv6# destination-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
any¶
Match IPv4 and IPv6 packets.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any
Select protocol to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol
Invert the match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol not
The protocol value to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol not
vsr running not# VALUE
|
Description |
|---|---|
|
Layer 4 protocol (TCP, UDP or other). |
|
TCP protocol. |
|
UDP protocol. |
Match any protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol any
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol any
vsr running any# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol any
vsr running any# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match TCP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol tcp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol tcp
vsr running tcp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol tcp
vsr running tcp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match UDP protocol.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol udp
Source port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol udp
vsr running udp# source-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Destination port match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol udp
vsr running udp# destination-port [not] VALUE
The port, port-range or service to match.
VALUE
|
Description |
|---|---|
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Port number or ports ranges. Examples: ‘1024-2048’. |
|
Service representing a port number. The list can be obtained from the ‘show filter services’ command or the show-filter-services rpc. |
Match on protocol number.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol number
The protocol number to match.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any protocol number
vsr running number# <uint8>
Match on source application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any
vsr running any# source-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
Match on destination application or application-group.
vsr running config# vrf <vrf> firewall fast-path rule <string> match family any
vsr running any# destination-application VALUE
The application or application group to match.
VALUE
|
Description |
|---|---|
|
No description. |
|
No description. |
statistics (state only)¶
The statistics for this rule.
match (state only)¶
The number of packets and bytes that matched this rule.
packets (state only)¶
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics match packets
bytes (state only)¶
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics match bytes
conntrack (state only)¶
The number of packets and bytes that matched a conntrack created by this rule.
origin (state only)¶
The number of packets and bytes that matched a conntrack in the origin way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics conntrack origin packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics conntrack origin bytes
reply (state only)¶
The number of packets and bytes that matched a conntrack in the reply way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics conntrack reply packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path rule <string> statistics conntrack reply bytes
interface¶
Configure the rules applying to an interface.
vsr running config# vrf <vrf> firewall fast-path interface <interface>
|
An interface name. |
ingress¶
Set the ingress rules.
vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress
rule¶
Add a rule to this interface.
vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32>
|
The priority of the rule. A higher number means a lower priority. |
rule-name¶
The name of the rule that should be applied.
vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32>
vsr running rule <uint32># rule-name <leafref>
statistics (state only)¶
The statistics for this rule.
The number of packets and bytes that matched this rule.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics match packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics match bytes
The number of packets and bytes that matched a conntrack created by this rule.
The number of packets and bytes that matched a conntrack in the origin way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack origin packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack origin bytes
The number of packets and bytes that matched a conntrack in the reply way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack reply packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack reply bytes
egress¶
Set the egress rules.
vsr running config# vrf <vrf> firewall fast-path interface <interface> egress
rule¶
Add a rule to this interface.
vsr running config# vrf <vrf> firewall fast-path interface <interface> egress rule <uint32>
|
The priority of the rule. A higher number means a lower priority. |
rule-name¶
The name of the rule that should be applied.
vsr running config# vrf <vrf> firewall fast-path interface <interface> egress rule <uint32>
vsr running rule <uint32># rule-name <leafref>
statistics (state only)¶
The statistics for this rule.
The number of packets and bytes that matched this rule.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics match packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics match bytes
The number of packets and bytes that matched a conntrack created by this rule.
The number of packets and bytes that matched a conntrack in the origin way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack origin packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack origin bytes
The number of packets and bytes that matched a conntrack in the reply way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack reply packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack reply bytes
default¶
Add a rule to the default, called for packets matching no other rule.
vsr running config# vrf <vrf> firewall fast-path default
rule¶
Add a default rule.
vsr running config# vrf <vrf> firewall fast-path default rule <0-4294967294>
|
The priority of the rule. A higher number means a lower priority. |
rule-name (mandatory)¶
The name of the rule that should be applied.
vsr running config# vrf <vrf> firewall fast-path default rule <0-4294967294>
vsr running rule <0-4294967294># rule-name <leafref>
statistics (state only)¶
The statistics for this rule.
match (state only)¶
The number of packets and bytes that matched this rule.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics match packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics match bytes
conntrack (state only)¶
The number of packets and bytes that matched a conntrack created by this rule.
The number of packets and bytes that matched a conntrack in the origin way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack origin packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack origin bytes
The number of packets and bytes that matched a conntrack in the reply way.
The number of packets that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack reply packets
The number of bytes that matched this rule.
vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack reply bytes