Unsupported Firewall Filter Statements for Logical Systems
Table 1 shows statements that are supported at the [edit firewall] hierarchy level but not at the [edit logical-systems logical-system-name firewall] hierarchy level.
Table 1: Unsupported Firewall Statements for Logical Systems
Statement | Example | Description |
---|---|---|
accounting-profile | `[edit] logical-systems { ls1 { firewall { family inet { filter myfilter { accounting-profile fw-profile; ... term accept-all { then { count counter1; accept; } } } } } } }` | In this example, the accounting-profile statement is not allowed because the accounting profile fw-profile is configured under the [edit accounting-options] hierarchy. |
hierarchical-policer | `[edit] logical-systems { lr1 { firewall { hierarchical-policer { ... } } } }` | In this example, the hierarchical policer statement requires a class-of-service configuration, which is not supported under logical systems. |
load-balance-group | `[edit] logical-systems { ls1 { firewall { load-balance-group lb-group { next-hop-group nh-group; } } } }` | This configuration is not allowed because the next-hop-group nh-group statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy. Currently, the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems. |
virtual-channel | `[edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10.1.0.0/16; } then { virtual-channel sammy; } } } } } } }` | This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level, and class of service is not supported for logical systems. Note: The virtual-channel statement is supported for J Series devices only, provided the firewall filter is configured outside of a logical-system. |
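
An added example, not part of the original documentation: a lint that walks a curly-brace configuration and reports the four statements from Table 1 wherever they appear under [edit logical-systems logical-system-name firewall], while leaving the same statements under [edit firewall] alone. The function name `find_unsupported`, the sample configuration and the filter name `main-filter` are constructed for illustration, and the configuration text is assumed to contain no comments or quoted strings.

```python
import re

# Statements Table 1 lists as unsupported under
# [edit logical-systems logical-system-name firewall].
UNSUPPORTED = {"accounting-profile", "hierarchical-policer",
               "load-balance-group", "virtual-channel"}

# Constructed sample: the first line is legal (main instance), the rest is not.
SAMPLE = """
firewall { family inet { filter main-filter { accounting-profile fw-profile; } } }
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter myfilter {
                    accounting-profile fw-profile;
                    term one { then { virtual-channel sammy; } }
                }
            }
            load-balance-group lb-group { next-hop-group nh-group; }
        }
    }
}
"""

def find_unsupported(config_text):
    """Return (logical-system, statement, enclosing hierarchy) per violation."""
    text = re.sub(r"\[edit[^\]]*\]", " ", config_text)  # drop "[edit ...]" banners
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    path, pending, findings = [], [], []

    def check(words):
        flat = [w for level in path for w in level]     # e.g. logical-systems ls1 firewall ...
        if (words and words[0] in UNSUPPORTED and len(flat) >= 3
                and flat[0] == "logical-systems" and flat[2] == "firewall"):
            findings.append((flat[1], words[0], " ".join(flat)))

    for tok in tokens:
        if tok in ("{", ";", "}"):
            if tok != "}":
                check(pending)          # a container or leaf statement is complete
            if tok == "{":
                path.append(pending)    # descend into the container
            elif tok == "}" and path:
                path.pop()              # leave the container; stray words such as "..." are dropped
            pending = []
        else:
            pending.append(tok)
    return findings
```
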