In Junos OS, firewall filters are constructed using terms that specify match criteria (the from statement) and actions to be taken (the then statement). When a packet enters an interface where this filter is applied, the Packet Forwarding Engine (PFE) evaluates it against the defined terms. In this exhibit, the term limit-icmp targets packets sourced from the 172.25.11.0/24 network that specifically use the ICMP protocol.
When a packet meets both criteria, the actions defined in the then block are triggered:
count count-icmp; - This is a non-terminating action. It instructs the system to increment a specific software counter named count-icmp. This allows administrators to monitor exactly how many packets are hitting this specific term using the show firewall command.
discard; - This is a terminating action. It immediately stops any further evaluation of the packet and drops it. A key characteristic of the discard action in Junos is that it is a "silent" drop; the router simply deletes the packet from its buffer without notifying the sender.
Option D is incorrect because returning an ICMP destination unreachable message is the specific behavior of the reject action, not the discard action. Option C is incorrect because discard explicitly prevents the packet from being forwarded. Understanding the distinction between silent discards and active rejections is essential for architects when designing security policies that balance stealth with network transparency.
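The following configuration is an added example, not the exhibit from the question and not Juniper's own documentation text. It reconstructs the term described above (source 172.25.11.0/24, protocol ICMP, count then discard) inside a complete filter so the non-terminating and terminating actions can be seen in context; the filter name icmp-policy, the second term allow-rest, and the interface ge-0/0/0 are assumptions.

```junos
/* Added example: a reconstruction of the described filter, not the original exhibit.
   Filter name, second term and interface are assumed. */
firewall {
    family inet {
        filter icmp-policy {
            term limit-icmp {
                from {
                    source-address {
                        172.25.11.0/24;
                    }
                    protocol icmp;
                }
                then {
                    count count-icmp;   /* non-terminating: increments the counter, evaluation continues */
                    discard;            /* terminating: silent drop, nothing is sent back to the source */
                    /* replacing "discard;" with "reject;" would instead return an ICMP
                       destination unreachable message to the sender (Option D behaviour) */
                }
            }
            term allow-rest {
                then accept;            /* without an accept term, the filter's implicit discard drops all other traffic */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input icmp-policy;  /* applied to inbound packets on this interface */
                }
            }
        }
    }
}
```

After committing, the hit count for the term is visible with show firewall filter icmp-policy, where the count-icmp counter increments for every matching packet even though the packet itself is dropped. The allow-rest term matters operationally: a Junos firewall filter ends with an implicit discard, so a filter containing only the limit-icmp term would silently drop every other packet arriving on the interface, not just the ICMP traffic from 172.25.11.0/24.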
[Reference: Routing Policy and Firewall Filters, Firewall Filter Actions, Standard Firewall Filters]