逻辑系统中防火墙过滤器不支持的操作
表 1 介绍在层次结构级别受 [edit firewall] 支持但在层次结构级别不支持的 [edit logical-systems logical-system-name firewall] 防火墙过滤器操作。
防火墙过滤器操作 |
示例 |
Description |
|---|---|---|
| 逻辑系统中不支持的终止操作 | ||
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
logical-system fred;
}
}
}
}
}
}
}
|
|
| 逻辑系统中不支持的非终止操作 | ||
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
ipsec-sa barney;
}
}
}
}
}
}
}
|
|
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
next-hop-group fred;
}
}
}
}
}
}
}
|
|
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
port-mirror;
}
}
}
}
}
}
}
|
|
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
sample;
}
}
}
}
}
}
}
|
在此示例中,操作 |
|
[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter icmp-syslog {
term icmp-match {
from {
address {
192.168.207.222/32;
}
protocol icmp;
}
then {
count packets;
syslog;
accept;
}
}
term default {
then accept;
}
}
}
}
}
}
|
在此示例中,必须至少有一个系统日志( 由于此防火墙配置依赖于逻辑系统外部的配置, |