Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

References from a Nonfirewall Object in a Logical System to a Firewall Filter

 

Resolution of References from a Nonfirewall Object to a Firewall Filter

If a nonfirewall filter object in a logical system references an object in a firewall filter configured in a logical system, the reference is resolved using the following logic:

  • If the nonfirewall filter object is configured in a logical system that includes firewall filter configuration statements, the policy framework software searches the [edit logical-systems logical-system-name firewall] hierarchy level. Firewall filter configurations that belong to other logical systems or to the main [edit firewall] hierarchy level are not searched.

  • If the nonfirewall filter object is configured in a logical system that does not include any firewall filter configuration statements, the policy framework software searches the firewall configurations defined at the [edit firewall] hierarchy level.

Invalid Reference to a Firewall Filter Outside of the Logical System

This example configuration illustrates an unresolvable reference from a nonfirewall object in a logical system to a firewall filter.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in ls-C.

  • Filter fred is defined in the main firewall configuration.

Because ls-C contains firewall filter statements (for filter1), the policy framework software resolves references to and from firewall filters by searching the [edit logical systems ls-C firewall] hierarchy level. Consequently, the reference from fe-0/3/2.0 in the logical system to fred in the main firewall configuration cannot be resolved.

Valid Reference to a Firewall Filter Within the Logical System

This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filter.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in ls-C.

  • Filter fred is defined in ls-C and also in the main firewall configuration.

Because ls-C contains firewall filter statements, the policy framework software resolves references to and from firewall filters by searching the [edit logical systems ls-C firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in ls-C.

Valid Reference to a Firewall Filter Outside of the Logical System

This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filter.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C.

  • Filter filter1 is defined in the main firewall configuration.

  • Filter fred is defined in the main firewall configuration.

Because ls-C does not contain any firewall filter statements, the policy framework software resolves references to and from firewall filters by searching the [edit firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in the main firewall configuration.