3.2.24. fast-path firewall

fast-path

Note

requires a CG-NAT Application License.

Firewall configuration.

vsr running config# vrf <vrf> firewall fast-path

enabled

Enable Fast path firewall.

vsr running config# vrf <vrf> firewall fast-path
vsr running fast-path# enabled true|false
Default value
true

conntrack-rule-set

Set a conntrack rule set.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-]

[a-zA-Z0-9_-]

Set the name of the conntrack rule set.

origin

Configure the origin direction.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin
action

Set a conntrack rule set action.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
set-mark

Apply a mark (i.e. user metadata) on the packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-mark SET-MARK

SET-MARK values

Description

0x<0-F>

No description.

<uint32>

No description.

set-mss

Modify TCP SYN packet to limit the advertised MSS to the specified value.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-mss <uint32>
set-dscp

Update the DSCP field of the packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# set-dscp <uint32>
save-dscp

Record current packet DSCP into conntrack.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# save-dscp
restore-dscp

Restore previously recorded DSCP value (if any) into packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] origin action
vsr running action# restore-dscp

reply

Configure the reply direction.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply
action

Set a conntrack rule set action.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
set-mark

Apply a mark (i.e. user metadata) on the packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-mark SET-MARK

SET-MARK values

Description

0x<0-F>

No description.

<uint32>

No description.

set-mss

Modify TCP SYN packet to limit the advertised MSS to the specified value.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-mss <uint32>
set-dscp

Update the DSCP field of the packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# set-dscp <uint32>
save-dscp

Record current packet DSCP into conntrack.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# save-dscp
restore-dscp

Restore previously recorded DSCP value (if any) into packet.

vsr running config# vrf <vrf> firewall fast-path conntrack-rule-set [a-zA-Z0-9_-] reply action
vsr running action# restore-dscp

rule

Set a rule to handle packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255}

<string>{1,255}

Set the name of the rule.

accept

Accept packet and let pass it through the network stack.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} accept
action

Apply actions on the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} accept action
set-mark

Apply a mark (i.e. user metadata) on the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} accept action
vsr running action# set-mark SET-MARK

SET-MARK values

Description

0x<0-F>

No description.

<uint32>

No description.

set-dscp

Update the DSCP field of the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} accept action
vsr running action# set-dscp <uint32>
set-mss

Modify TCP SYN packet to limit the advertised MSS to the specified value.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} accept action
vsr running action# set-mss SET-MSS

SET-MSS values

Description

<uint32>

No description.

auto

Rely on path MTU for the mss value.

drop

Drop the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} drop
action

Apply actions on the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} drop action

reject

Reject the packet and notify the sender.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} reject
action

Apply actions on the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} reject action

track

Track the packet. It will create a conntrack.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} track
apply

Apply the conntrack rule set.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} track
vsr running track# apply <leafref>
action

Apply actions on the packet.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} track action

match

Set packet filters.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match
family

Match IPv4, IPv6 packets or both.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family
ipv4

Match only IPv4 packets.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
source-address

Match source IPv4 address or IPv4 group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
vsr running ipv4# source-address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The IPv4 address or group name to match.

VALUE

VALUE values

Description

<ipv4-address>

An IPv4 address.

<masked-ipv4-address>

A masked IPv4 address: address and prefix of that subnet.

<leafref>

No description.

<leafref>

No description.

destination-address

Match destination IPv4 address or IPv4 group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
vsr running ipv4# destination-address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The IPv4 address or group name to match.

VALUE

VALUE values

Description

<ipv4-address>

An IPv4 address.

<masked-ipv4-address>

A masked IPv4 address: address and prefix of that subnet.

<leafref>

No description.

<leafref>

No description.

protocol

Select protocol to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol
not

Invert the match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol not
VALUE (mandatory)

The protocol value to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol not
vsr running not# VALUE

VALUE values

Description

<uint8>

Layer 4 protocol (TCP, UDP, ICMP or other).

icmp

ICMP protocol.

tcp

TCP protocol.

udp

UDP protocol.

any

Match any protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol any
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol any
vsr running any# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol any
vsr running any# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

tcp

Match TCP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol tcp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol tcp
vsr running tcp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol tcp
vsr running tcp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

udp

Match UDP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol udp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol udp
vsr running udp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol udp
vsr running udp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

icmp

Match ICMP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol icmp
icmp-type

Match ICMP message type.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol icmp
vsr running icmp# icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP message type value to match.

VALUE

VALUE values

Description

any

Any ICMP type.

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

network-unreachable

Network unreachable.

host-unreachable

Host unreachable.

protocol-unreachable

Protocol unreachable.

port-unreachable

Port unreachable.

fragmentation-needed

Fragmentation needed.

source-route-failed

Source route failed.

network-unknown

Network unknown.

host-unknown

Host unknown.

network-prohibited

Network prohibited.

host-prohibited

Host prohibited.

TOS-network-unreachable

TOS network unreachable.

TOS-host-unreachable

TOS host unreachable.

communication-prohibited

Communication prohibited.

host-precedence-violation

Host precedence violation.

precedence-cutoff

Precedence cutoff.

source-quench

Source quench.

redirect

Redirect.

network-redirect

Network redirect.

host-redirect

Host redirect.

TOS-network-redirect

TOS network redirect.

TOS-host-redirect

TOS host redirect.

router-advertisement

Router advertisement.

router-solicitation

Router solicitation.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Time to Live exceeded in Transit.

ttl-zero-during-reassembly

Fragment Reassembly Time Exceeded.

parameter-problem

Parameter problem.

ip-header-bad

Bad IP header.

required-option-missing

Missing a Required Option.

timestamp-request

Timestamp request.

timestamp-reply

Timestamp reply.

information-request

Information request reply.

information-response

Information response reply.

address-mask-request

Address mask request.

address-mask-reply

Address mask reply.

<0-255>[/<0-255>]

No description.

number

Match on protocol number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol number
<uint8> (mandatory)

The protocol number to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4 protocol number
vsr running number# <uint8>
source-application

Match on source application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
vsr running ipv4# source-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

destination-application

Match on destination application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
vsr running ipv4# destination-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

dscp

Match only this dscp number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv4
vsr running ipv4# dscp [not] <uint32>
not

Invert the match.

not
<uint32> (mandatory)

The dscp value to match.

<uint32>
ipv6

Match only IPv6 packets.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
source-address

Match source IPv6 address or IPv6 group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
vsr running ipv6# source-address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The IPv6 address or group address to match.

VALUE

VALUE values

Description

<ipv6-address>

An IPv6 address.

<masked-ipv6-address>

A masked IPv6 address: address and prefix of that subnet.

<leafref>

No description.

<leafref>

No description.

destination-address

Match destination IPv6 address or IPv6 group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
vsr running ipv6# destination-address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The IPv6 address or group address to match.

VALUE

VALUE values

Description

<ipv6-address>

An IPv6 address.

<masked-ipv6-address>

A masked IPv6 address: address and prefix of that subnet.

<leafref>

No description.

<leafref>

No description.

protocol

Select protocol to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol
not

Invert the match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol not
VALUE (mandatory)

The protocol value to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol not
vsr running not# VALUE

VALUE values

Description

<uint8>

Layer 4 protocol (TCP, UDP, ICMP or other).

tcp

TCP protocol.

udp

UDP protocol.

icmpv6

ICMPv6 protocol.

any

Match any protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol any
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol any
vsr running any# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol any
vsr running any# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

tcp

Match TCP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol tcp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol tcp
vsr running tcp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol tcp
vsr running tcp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

udp

Match UDP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol udp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol udp
vsr running udp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol udp
vsr running udp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

icmpv6

Match ICMPv6 protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol icmpv6
icmp-type

Match ICMPv6 message type.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol icmpv6
vsr running icmpv6# icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 message type value to match.

VALUE

VALUE values

Description

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

address-unreachable

Address unreachable.

port-unreachable

Port unreachable.

no-route

No route to destination.

reject-route

Reject route to destination.

communication-prohibited

Communication with destination administratively prohibited.

beyond-scope

Beyond scope of source address.

packet-too-big

Packet too big.

failed-policy

Source address failed ingress/egress policy.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Hop limit exceeded in transit.

ttl-zero-during-reassembly

Fragment reassembly time exceeded.

parameter-problem

Parameter problem.

bad-header

Erroneous header field encountered.

unknown-header-type

Unrecognized Next Header type encountered.

unknown-option

Unrecognized IPv6 option encountered.

router-solicitation

Router solicitation.

router-advertisement

Router advertisement.

neighbor-solicitation

Neighbor solicitation.

neighbor-advertisement

Neighbor advertisement.

redirect

Redirect message.

<0-255>[/<0-255>]

No description.

number

Match on protocol number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol number
<uint8> (mandatory)

The protocol number to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6 protocol number
vsr running number# <uint8>
source-application

Match on source application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
vsr running ipv6# source-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

destination-application

Match on destination application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
vsr running ipv6# destination-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

dscp

Match only this dscp number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family ipv6
vsr running ipv6# dscp [not] <uint32>
not

Invert the match.

not
<uint32> (mandatory)

The dscp value to match.

<uint32>
any

Match IPv4 and IPv6 packets.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any
protocol

Select protocol to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol
not

Invert the match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol not
VALUE (mandatory)

The protocol value to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol not
vsr running not# VALUE

VALUE values

Description

<uint8>

Layer 4 protocol (TCP, UDP or other).

tcp

TCP protocol.

udp

UDP protocol.

any

Match any protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol any
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol any
vsr running any# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol any
vsr running any# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

tcp

Match TCP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol tcp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol tcp
vsr running tcp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol tcp
vsr running tcp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

udp

Match UDP protocol.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol udp
source-port

Source port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol udp
vsr running udp# source-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

destination-port

Destination port match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol udp
vsr running udp# destination-port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port, port-range to match.

VALUE

VALUE values

Description

<uint16>

Port number or ports ranges. Examples: ‘1024-2048’.

<string>

Port number or ports ranges. Examples: ‘1024-2048’.

number

Match on protocol number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol number
<uint8> (mandatory)

The protocol number to match.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any protocol number
vsr running number# <uint8>
source-application

Match on source application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any
vsr running any# source-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

destination-application

Match on destination application or application-group.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any
vsr running any# destination-application VALUE
VALUE (mandatory)

The application or application group to match.

VALUE

VALUE values

Description

<leafref>

No description.

<leafref>

No description.

dscp

Match only this dscp number.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match family any
vsr running any# dscp [not] <uint32>
not

Invert the match.

not
<uint32> (mandatory)

The dscp value to match.

<uint32>
mark

Match only this mark.

vsr running config# vrf <vrf> firewall fast-path rule <string>{1,255} match
vsr running match# mark [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The mark value to match.

VALUE

VALUE values

Description

0x<0-F>

No description.

<uint32>

No description.

statistics (state only)

The statistics for this rule.

match (state only)

The number of packets and bytes that matched this rule.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics match packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics match bytes
conntrack (state only)

The number of packets and bytes that matched a conntrack created by this rule.

origin (state only)

The number of packets and bytes that matched a conntrack in the origin way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics conntrack origin packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics conntrack origin bytes
reply (state only)

The number of packets and bytes that matched a conntrack in the reply way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics conntrack reply packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path rule <string>{1,255} statistics conntrack reply bytes

interface

Configure the rules applying to an interface.

vsr running config# vrf <vrf> firewall fast-path interface <interface>

<interface>

An interface name.

ingress

Set the ingress rules.

vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress
rule

Add a rule to this interface.

vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32>

<uint32>

The priority of the rule. A higher number means a lower priority.

rule-name

The name of the rule that should be applied.

vsr running config# vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32>
vsr running rule <uint32># rule-name <leafref>
statistics (state only)

The statistics for this rule.

match (state only)

The number of packets and bytes that matched this rule.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics match packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics match bytes
conntrack (state only)

The number of packets and bytes that matched a conntrack created by this rule.

origin (state only)

The number of packets and bytes that matched a conntrack in the origin way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack origin packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack origin bytes
reply (state only)

The number of packets and bytes that matched a conntrack in the reply way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack reply packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> ingress rule <uint32> statistics conntrack reply bytes

egress

Set the egress rules.

vsr running config# vrf <vrf> firewall fast-path interface <interface> egress
rule

Add a rule to this interface.

vsr running config# vrf <vrf> firewall fast-path interface <interface> egress rule <uint32>

<uint32>

The priority of the rule. A higher number means a lower priority.

rule-name

The name of the rule that should be applied.

vsr running config# vrf <vrf> firewall fast-path interface <interface> egress rule <uint32>
vsr running rule <uint32># rule-name <leafref>
statistics (state only)

The statistics for this rule.

match (state only)

The number of packets and bytes that matched this rule.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics match packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics match bytes
conntrack (state only)

The number of packets and bytes that matched a conntrack created by this rule.

origin (state only)

The number of packets and bytes that matched a conntrack in the origin way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack origin packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack origin bytes
reply (state only)

The number of packets and bytes that matched a conntrack in the reply way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack reply packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path interface <interface> egress rule <uint32> statistics conntrack reply bytes

default

Add a rule to the default, called for packets matching no other rule.

vsr running config# vrf <vrf> firewall fast-path default

rule

Add a default rule.

vsr running config# vrf <vrf> firewall fast-path default rule <0-4294967294>

<0-4294967294>

The priority of the rule. A higher number means a lower priority.

rule-name (mandatory)

The name of the rule that should be applied.

vsr running config# vrf <vrf> firewall fast-path default rule <0-4294967294>
vsr running rule <0-4294967294># rule-name <leafref>
statistics (state only)

The statistics for this rule.

match (state only)

The number of packets and bytes that matched this rule.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics match packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics match bytes
conntrack (state only)

The number of packets and bytes that matched a conntrack created by this rule.

origin (state only)

The number of packets and bytes that matched a conntrack in the origin way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack origin packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack origin bytes
reply (state only)

The number of packets and bytes that matched a conntrack in the reply way.

packets (state only)

The number of packets that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack reply packets
bytes (state only)

The number of bytes that matched this rule.

vsr> show state vrf <vrf> firewall fast-path default rule <0-4294967294> statistics conntrack reply bytes