References from a Firewall Filter in a Logical System to Nonfirewall Objects

This topic covers the following information:

Resolution of References from a Firewall Filter to Nonfirewall Objects

In many cases, a firewall configuration references objects defined outside the firewall configuration, such as a prefix list under [edit policy-options] or a service set under [edit services]. As a general rule, the referenced object must be defined under the same logical system as the referencing object: a filter in logical system ls-B cannot use a policer or prefix list defined in the main hierarchy or in another logical system. However, there are cases in which the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level, so the reference is resolved at the main hierarchy instead.

Valid Reference to a Nonfirewall Object Outside of the Logical System

This example configuration illustrates an exception to the general rule that the objects referenced by a firewall filter in a logical system must be defined under the same logical system as the referencing object.

In the following scenario, the service filter inetsf1 is applied to IPv4 traffic associated with the service set fred on the logical interface fe-0/3/2.0. The service set itself directs that traffic to the adaptive services interface sp-1/2/0.0.

  • Service filter inetsf1 is defined in logical system ls-B and references prefix list prefix1, which is also defined in ls-B.
  • Service set fred is defined at the main [edit services] hierarchy level. Because no service set named fred exists in ls-B, the policy framework software searches the [edit services] hierarchy for its definition.

Because service sets and service rules cannot be configured in logical systems, firewall filter configurations at the [edit logical-systems logical-system-name] hierarchy level are allowed to reference service sets defined outside the logical system hierarchy. No such exception exists for prefix lists, policers, or filters: those must still be defined in the same logical system.

[edit]
logical-systems {
    ls-B {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        service {
                            input {
                                service-set fred service-filter inetsf1;
                            }
                        }
                    }
                }
            }
        }
        policy-options {
            prefix-list prefix1 {
                1.1.0.0/16;
                1.2.0.0/16;
                1.3.0.0/16;
            }
        }
        firewall { # Under logical-system 'ls-B'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address {
                                12.1.0.0/16;
                            }
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address {
                                12.2.0.0/16;
                            }
                        }
                        then policer pol1;
                    }
                }
                service-filter inetsf1 {
                    term term1 {
                        from {
                            source-prefix-list {
                                prefix1;
                            }
                        }
                        then count prefix1;
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems configuration.
services { # Main services hierarchy level.
    service-set fred {
        max-flows 100;
        interface-service {
            service-interface sp-1/2/0.0;
        }
    }
}
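The resolution rule above is easy to get wrong when a configuration is assembled from several logical systems, so the following added example (not Juniper code, and not part of this topic's configuration) applies it as a pre-commit check. It reads a constructed configuration in the line-oriented form that `show configuration | display set` produces, records which prefix lists, filters, service filters, policers and service sets are defined in each logical system, and then verifies that every reference from a firewall filter resolves inside its own logical system, with the single documented exception that a service set missing from the logical system is looked up at the main [edit services] hierarchy. A second constructed logical system, ls-C, deliberately references ls-B's policer and prefix list to show how such a misplaced reference is reported. The function names and the ls-C lines are this example's own assumptions.

```python
"""Check that objects referenced by firewall filters inside a Junos logical
system are defined in that logical system.  The one exception implemented is
the documented one: a service set that is absent from the logical system is
resolved at the main [edit services] hierarchy, because service sets cannot be
configured under [edit logical-systems].  Example code, not Juniper's."""
import re
from collections import defaultdict

# Constructed sample in 'display set' form, mirroring the topic's configuration
# (the ls-B part) and adding a deliberately broken logical system ls-C.
GOOD_CONFIG = """
set logical-systems ls-B interfaces fe-0/3/2 unit 0 family inet service input service-set fred service-filter inetsf1
set logical-systems ls-B policy-options prefix-list prefix1 1.1.0.0/16
set logical-systems ls-B firewall family inet filter filter1 term two from source-address 12.2.0.0/16
set logical-systems ls-B firewall family inet filter filter1 term two then policer pol1
set logical-systems ls-B firewall family inet service-filter inetsf1 term term1 from source-prefix-list prefix1
set logical-systems ls-B firewall family inet service-filter inetsf1 term term1 then count prefix1
set logical-systems ls-B firewall policer pol1 if-exceeding bandwidth-limit 401k
set logical-systems ls-B firewall policer pol1 if-exceeding burst-size-limit 50k
set logical-systems ls-B firewall policer pol1 then discard
set services service-set fred max-flows 100
set services service-set fred interface-service service-interface sp-1/2/0.0
"""

# ls-C (hypothetical) references pol1 and prefix1, which exist only in ls-B.
BAD_CONFIG = GOOD_CONFIG + """
set logical-systems ls-C firewall family inet filter filter2 term one then policer pol1
set logical-systems ls-C policy-options prefix-list local1 10.0.0.0/8
set logical-systems ls-C firewall family inet filter filter2 term one from source-prefix-list prefix1
"""

MAIN = "<main>"  # marker for the main (non-logical-system) hierarchy

# Where each kind of object is defined, matched against the path that follows
# the 'set [logical-systems <name>]' prefix.
DEFINITION_PATTERNS = [
    ("prefix-list", re.compile(r"^policy-options prefix-list (\S+)")),
    ("filter", re.compile(r"^firewall family \S+ filter (\S+)")),
    ("service-filter", re.compile(r"^firewall family \S+ service-filter (\S+)")),
    ("policer", re.compile(r"^firewall policer (\S+)")),
    ("service-set", re.compile(r"^services service-set (\S+)")),
]

# How each kind of object is referenced (searched with a leading space so that
# the patterns anchor on whole keywords).
REFERENCE_PATTERNS = [
    ("policer", re.compile(r" then policer (\S+)")),
    ("prefix-list", re.compile(r" from (?:source-|destination-)?prefix-list (\S+)")),
    ("service-set", re.compile(r" service (?:input|output) service-set (\S+)")),
    ("service-filter", re.compile(r" service (?:input|output) service-set \S+ service-filter (\S+)")),
]

# Kinds that fall back to the main hierarchy when absent from a logical system.
MAIN_HIERARCHY_FALLBACK = {"service-set"}


def split_scope(line):
    """Return (scope, path) for one 'set ...' line; scope is MAIN or the logical system name."""
    tokens = line.split()
    if tokens[:2] == ["set", "logical-systems"] and len(tokens) > 2:
        return tokens[2], " ".join(tokens[3:])
    return MAIN, " ".join(tokens[1:])


def collect(config):
    """Gather definitions per scope and the list of references with their scope."""
    definitions = defaultdict(set)  # scope -> {(kind, name)}
    references = []                 # [(scope, kind, name)]
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        scope, path = split_scope(line)
        for kind, pattern in DEFINITION_PATTERNS:
            match = pattern.match(path)
            if match:
                definitions[scope].add((kind, match.group(1)))
        for kind, pattern in REFERENCE_PATTERNS:
            match = pattern.search(" " + path)
            if match:
                references.append((scope, kind, match.group(1)))
    return definitions, references


def check(config):
    """Return [(scope, kind, name)] for every reference that does not resolve."""
    definitions, references = collect(config)
    problems = []
    for scope, kind, name in references:
        if (kind, name) in definitions[scope]:
            continue  # general rule: defined in the same logical system
        if kind in MAIN_HIERARCHY_FALLBACK and (kind, name) in definitions[MAIN]:
            continue  # documented exception: service set found at [edit services]
        problems.append((scope, kind, name))
    return problems


if __name__ == "__main__":
    for label, config in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for scope, kind, name in check(config) or []:
            print("%s: %s %s referenced in logical-system %s is not defined there" % (label, kind, name, scope))
```

Running the block reports nothing for the first configuration, since the service set fred is allowed to resolve at the main hierarchy, and two problems for the second: the policer pol1 and the prefix list prefix1 referenced from ls-C are defined only in ls-B, which the general rule does not permit. The check deliberately does not extend the fallback to policers, prefix lists or filters, because the page states the exception only for service sets; extend MAIN_HIERARCHY_FALLBACK only with an object type whose configuration is documented as unsupported under [edit logical-systems].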
Published: 2013-04-10