References from a Nonfirewall Object in a Logical System to a Firewall Filter

Resolution of References from a Nonfirewall Object to a Firewall Filter

If a nonfirewall filter object in a logical system references an object in a firewall filter configured in a logical system, the reference is resolved using the following logic:

  • If the nonfirewall filter object is configured in a logical system that includes firewall filter configuration statements, the policy framework software searches the [edit logical-systems logical-system-name firewall] hierarchy level. Firewall filter configurations that belong to other logical systems or to the main [edit firewall] hierarchy level are not searched.
  • If the nonfirewall filter object is configured in a logical system that does not include any firewall filter configuration statements, the policy framework software searches the firewall configurations defined at the [edit firewall] hierarchy level.

Invalid Reference to a Firewall Filter Outside of the Logical System

This example configuration illustrates an unresolvable reference from a nonfirewall object in a logical system to a firewall filter.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in ls-C.
  • Filter fred is defined in the main firewall configuration.

Because ls-C contains firewall filter statements (for filter1), the policy framework software resolves references to and from firewall filters by searching only the [edit logical-systems ls-C firewall] hierarchy level. Consequently, the reference from fe-0/3/2.0 in the logical system to fred in the main firewall configuration cannot be resolved, and the configuration fails to commit.

[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
        firewall { # Under logical system 'ls-C'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address 12.1.0.0/16;
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address 12.2.0.0/16;
                        }
                        then policer pol1;
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems
firewall { # Under the main firewall hierarchy level
    family inet {
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
} # End of main firewall configurations.

Valid Reference to a Firewall Filter Within the Logical System

This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filters.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in ls-C.
  • Filter fred is defined in ls-C and also in the main firewall configuration.

Because ls-C contains firewall filter statements, the policy framework software resolves references to and from firewall filters by searching only the [edit logical-systems ls-C firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in ls-C; the filter fred defined at the main [edit firewall] hierarchy level is never consulted for this logical system.

[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
        firewall { # Under logical system 'ls-C'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address 12.1.0.0/16;
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address 12.2.0.0/16;
                        }
                        then policer pol1;
                    }
                }
                filter fred { # This 'fred' is in 'ls-C'.
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            log;
                            reject host-unknown;
                        }
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems configurations.
firewall { # Main firewall filter hierarchy level
    family inet {
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
} # End of main firewall configurations.

Valid Reference to a Firewall Filter Outside of the Logical System

This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filters defined outside the logical system.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in the main firewall configuration.
  • Filter fred is defined in the main firewall configuration.

Because ls-C does not contain any firewall filter statements, the policy framework software resolves references to and from firewall filters by searching the [edit firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in the main firewall configuration.

[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
    }
} # End of logical systems configurations.
firewall { # Main firewall hierarchy level.
    family inet {
        filter filter1 {
            term one {
                from {
                    source-address 12.1.0.0/16;
                }
                then {
                    reject host-unknown;
                }
            }
            term two {
                from {
                    source-address 12.2.0.0/16;
                }
                then policer pol1;
            }
        }
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
    policer pol1 {
        if-exceeding {
            bandwidth-limit 701k;
            burst-size-limit 70k;
        }
        then discard;
    }
} # End of main firewall configurations.
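As an added illustration (not Juniper's documentation or Junos code), the following Python script models the resolution rule stated at the top of this topic and runs it over the three scenarios above, showing which definition of fred each interface actually gets and where the commit fails; the dictionary layout and the resolve_filter and check_input_list functions are constructed for this example.

```python
# Added example, not Juniper's code: a model of the page's rule for resolving a
# firewall filter name referenced from an interface inside a logical system.
# Filter names and source prefixes are taken from the page's three scenarios.

def resolve_filter(name, ls_name, logical_systems, main_firewall):
    """Return (hierarchy searched, filter definition) for `name` referenced from
    logical system `ls_name`; raise LookupError if it cannot be resolved."""
    ls_firewall = logical_systems.get(ls_name, {}).get("firewall", {})
    if ls_firewall:
        # The logical system has its own firewall statements: only its own
        # hierarchy is searched, never [edit firewall] or other logical systems.
        scope = f"[edit logical-systems {ls_name} firewall]"
        if name in ls_firewall:
            return scope, ls_firewall[name]
        raise LookupError(f"filter '{name}' not found in {scope}; [edit firewall] "
                          f"is not searched because {ls_name} has firewall statements")
    # No firewall statements in the logical system: only [edit firewall] is searched.
    if name in main_firewall:
        return "[edit firewall]", main_firewall[name]
    raise LookupError(f"filter '{name}' not found in [edit firewall]")


def check_input_list(ls_name, logical_systems, main_firewall):
    """Resolve every filter in the logical system's input-list the way a commit
    check would; return {filter: (scope, definition)} or raise LookupError."""
    names = logical_systems[ls_name]["input-list"]
    return {n: resolve_filter(n, ls_name, logical_systems, main_firewall) for n in names}


# Constructed configurations mirroring the page's scenarios (definition = source prefix).
MAIN_FIREWALL = {"fred": "11.1.0.0/16"}
LS_INVALID = {"ls-C": {"input-list": ["filter1", "fred"],
                       "firewall": {"filter1": "12.1.0.0/16"}}}
LS_SHADOWED = {"ls-C": {"input-list": ["filter1", "fred"],
                        "firewall": {"filter1": "12.1.0.0/16", "fred": "10.1.0.0/16"}}}
LS_NO_FIREWALL = {"ls-C": {"input-list": ["filter1", "fred"]}}
MAIN_FIREWALL_FULL = {"filter1": "12.1.0.0/16", "fred": "11.1.0.0/16"}

if __name__ == "__main__":
    for label, ls, main in [("invalid reference", LS_INVALID, MAIN_FIREWALL),
                            ("within logical system", LS_SHADOWED, MAIN_FIREWALL),
                            ("outside logical system", LS_NO_FIREWALL, MAIN_FIREWALL_FULL)]:
        try:
            print(label, "->", check_input_list("ls-C", ls, main))
        except LookupError as err:
            print(label, "-> commit fails:", err)
```

The second scenario is the one to watch operationally: fred resolves to the 10.1.0.0/16 definition inside ls-C, so a change to the main-hierarchy fred has no effect on that interface, which is easy to miss in a review.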
Published: 2013-04-10