Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Unsupported Actions for Firewall Filters in Logical Systems

 

Table 1 describes the firewall filter actions that are supported at the [edit firewall] hierarchy level, but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 1: Unsupported Actions for Firewall Filters in Logical Systems

Firewall Filter Action

Example

Description

Terminating Actions Not Supported in a Logical System

logical-system

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
logical-system fred;
}
}
}
}
}
}
}

Because the logical-system action refers to fred—a logical system defined outside the local logical system—, this action is not supported.

Nonterminating Actions Not Supported in a Logical System

ipsec-sa

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
ipsec-sa barney;
}
}
}
}
}
}
}

Because the ipsec-sa action modifier references barney—a security association defined outside the local logical system—this action is not supported.

next-hop-group

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
next-hop-group fred;
}
}
}
}
}
}
}

Because the next-hop-group action refers to fred—an object defined at the [edit forwarding-options next-hop-group] hierarchy level—this action is not supported.

port-mirror

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
port-mirror;
}
}
}
}
}
}
}

Because the port-mirror action relies on a configuration defined at the [edit forwarding-options port-mirroring] hierarchy level, this action is not supported.

sample

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter foo {
term one {
from {
source-address 10.1.0.0/16;
}
then {
sample;
}
}
}
}
}
}
}

In this example, the sample action depends on the sampling configuration defined under the [edit forwarding-options] hierarchy. Therefore, the sample action is not supported.

syslog

[edit]
logical-systems {
ls1 {
firewall {
family inet {
filter icmp-syslog {
term icmp-match {
from {
address {
192.168.207.222/32;
}
protocol icmp;
}
then {
count packets;
syslog;
accept;
}
}
term default {
then accept;
}
}
}
}
}
}

In this example, there must be at least one system log (system syslog file filename) with the firewall facility enabled for the icmp-syslog filter's logs to be stored.

Because this firewall configuration relies on a configuration outside the logical system, the syslog action modifier is not supported.