
I have some firewall filters on Juniper devices (EX3300s make up the majority of them). I've been looking for an OID that will let me associate an IFL with the filters that are on it, and I've yet to find one.

Basically, I'm looking for an SNMP equivalent of 'show interface filters', or something that can get me close enough. I'm aware that you can use RPC to get this information, but for uniformity of deployment I would really prefer to get this data over SNMP like everything else; otherwise we have to set up an entirely separate polling infrastructure.

Does this exist?

  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Apr 1, 2018 at 22:50
  • No, so far I've not found a definitive answer to this question.
    – user52544
    Commented Apr 3, 2018 at 19:24

1 Answer


So, it kind of does.

I don't have an EX3300 in front of me to test box-specific config, but on an MX at least, you can do this:

Your filter needs to have the interface-specific knob enabled and it needs to have a then count action associated with the term you want to monitor.

Eg:

firewall {
    family inet {
        filter NE-FILTER {
            interface-specific;
            term t1 {
                from {
                    address {
                        1.1.1.1/32;
                    }
                }
                then {
                    count HITS;
                    discard;
                }
            }
        }
    }
}

Now if you apply this to an interface (say ge-1/1/8.0) and then poll the jnxFirewallCounterTable[1], you will get a list of all counters, including one called HITS-ge-1/1/8.0-i under a filter called NE-FILTER-ge-1/1/8.0-i.

It's probably not exactly what you're after, but unfortunately it's about as close as you can get with the Juniper MIBs today.

[1] https://apps.juniper.net/mib-explorer/getMibContent.html?q=junos-os/14.1x53-D30/mib-jnx-firewall.txt

  • Unfortunately, interface-specific filters cannot be used in our situation: we need to have the same filter applied across multiple interfaces, and the policers on those firewalls would break if the instantiations of those filters were interface-specific.
    – user52544
    Commented Mar 22, 2018 at 15:18
  • You could try it without interface-specific. I was reading your question above to mean you wanted to list the filters per interface (which this allows). If you have a single filter across all interfaces, then it will only be listed once in the above snmpwalk, with a total count for all interfaces.
    Commented Mar 23, 2018 at 1:30
  • If it's not interface-specific, you don't get any information about interfaces at all when doing the snmpwalk on an EX3300. Just the filter name, counter/policer name, and if it's a policer, the term. None of our MXs concatenate the interface name without interface-specific either.
    – user52544
    Commented Mar 23, 2018 at 15:01

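As an added example (not part of the original answer or comments): a small Python parser that takes snmpwalk output of the jnxFirewallCounterTable packet-count column and maps the interface-specific filter/counter names back to IFL, filter and direction, while putting non-interface-specific filters under a "no IFL info" bucket. The column name jnxFirewallCounterPacketCount, the net-snmp rendering of the string indices and the sample walk lines are assumptions, constructed for the example rather than captured from a device.

```python
import re

# Constructed sample of net-snmp style output for
#   snmpwalk -v2c -c <community> <host> JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount
# Object name, index rendering and values are assumed, not captured from a device.
SAMPLE_WALK = """\
JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount."NE-FILTER-ge-1/1/8.0-i"."HITS-ge-1/1/8.0-i".counter = Counter64: 42
JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount."NE-FILTER-ge-1/1/9.0-i"."HITS-ge-1/1/9.0-i".counter = Counter64: 7
JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount."NE-FILTER-ge-1/1/9.0-o"."HITS-ge-1/1/9.0-o".counter = Counter64: 0
JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount."SHARED-FILTER"."SHARED-HITS".counter = Counter64: 1000
JUNIPER-FIREWALL-MIB::jnxFirewallCounterPacketCount."SHARED-FILTER"."LIMIT-t1".policer = Counter64: 3
"""

# Captures: filter name, counter name, counter type (enum label), packet count.
LINE_RE = re.compile(
    r'jnxFirewallCounterPacketCount\."([^"]+)"\."([^"]+)"\.(\w+) = Counter64: (\d+)')
# Suffix Junos appends to interface-specific instances: -<ifl>-<i|o>,
# e.g. NE-FILTER-ge-1/1/8.0-i. The IFL pattern covers ge-1/1/8.0 and ae0.0 styles.
IFL_RE = re.compile(
    r'^(?P<base>.+?)-(?P<ifl>[a-z]+(?:-\d+/\d+/\d+)?\d*\.\d+)-(?P<dir>[io])$')

def split_interface_specific(name):
    """Return (base_name, ifl, direction); ifl and direction are None for shared names."""
    m = IFL_RE.match(name)
    if not m:
        return name, None, None
    return m.group('base'), m.group('ifl'), m.group('dir')

def filters_per_ifl(walk_text):
    """Map IFL -> [(filter, direction, counter, type, packets)].
    Filters without the interface-specific suffix land under key None:
    the walk carries no interface information for them."""
    result = {}
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line, or MIB not loaded so names are numeric
        fname, cname, ctype, pkts = m.groups()
        base_filter, ifl, direction = split_interface_specific(fname)
        base_counter, _, _ = split_interface_specific(cname)
        result.setdefault(ifl, []).append(
            (base_filter, direction, base_counter, ctype, int(pkts)))
    return result

if __name__ == "__main__":
    for ifl, entries in filters_per_ifl(SAMPLE_WALK).items():
        print(ifl or "<no IFL info>", entries)
```

A filter whose own name ends in something shaped like an IFL suffix would be mis-split by IFL_RE, so keep filter naming conventions distinct from interface names if you rely on this mapping.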