Channel: All Ethernet Switching posts

Re: Issues with firewall filter on Juniper EX4550

On the loopback interface I have only 1 logical unit:

admin@4550-1# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input RE-filter;
        }
    }
}

And as you can see the filter is applied there.

Filter is configured like this:

admin@4550-1# show firewall family inet filter RE-filter
term CLI-allow {
    from {
        source-prefix-list {
            CLI-SNMP-access;
        }
        protocol tcp;
        destination-port [ telnet ssh ];
    }
    then {
        count SSHpermit;
        accept;
    }
}
term CLI-deny {
    from {
        protocol tcp;
        destination-port [ telnet ssh ];
    }
    then {
        count SSHdeny;
        discard;
    }
}
term final {
    then accept;
}

But when I try to access the switch from an IP address that is not included in the CLI-SNMP-access prefix list, the access is permitted, but it must be filtered by RE-filter.

Also, I see successful and unsuccessful counts for this filter:

Filter: RE-filter
Counters:
Name                                                Bytes              Packets
SSHdeny                                           2922769                39508
SSHpermit                                         2522367                24812
