Configuring a Filter Within a Filter

You can configure a filter within the term of another filter to minimize the work needed to configure terms common to numerous filters. Each firewall filter consists of one or more terms. You can configure one filter with the common desired terms, and apply them to other filters. To make changes to the common desired terms, you need to make term modifications only to the filter with the common terms instead of changing terms on every filter.

To configure a filter within a filter, include the filter statement at the [edit firewall filter inet filter-name term term-name] hierarchy level:

term term-name {

    filter filter-name;

}

A filter within a filter cannot reference yet another filter. For example, the following configuration is NOT valid:

[edit]

firewall {

    filter filter-name {

        term t1 {

            filter filter-name2 {

                term t2 {

                    filter filter-name3;

                }

            }

        }

    }

}

You cannot configure the from or then option under the same filter term that references a filter within a filter. For example, the following configuration is NOT valid:

[edit]

firewall {

    filter filter-name {

        term t1 {

            filter filter-name2 {

            then {

                accept;

            }

        }

    }

}

The maximum number of filters within a filter is limited to 256.

Example: Configure a Filter Within A Filter

Define a filter common-filter and configure it into two separate filters:

[edit]

firewall {

    filter common-filter {

        term t1 {

            from {

                protocol udp;

                port tftp;

            }

            then {

                log;

                discard;

            }

        }

    }

    filter filter1 {

        term term1 {

            filter common-filter;

        }

    }

    filter filter2 {

        term term1 {

            filter common-filter;

        }

    }

}