Configuring Firewall Filters for Logical Systems

You can configure a separate set of firewall filters for each logical system on the router. To configure a firewall filter for a logical system, you must perform at least the following tasks:

• Configure firewall filters for the logical system—To configure firewall filters for the logical system, include the firewall statement at the [edit local-systems logical-system-name] hierarchy level:

  [edit logical-systems logical-system-name]

  firewall {

  family family-name {

  filter filter-name {

  accounting-profile name;

  interface-specific;

  term term-name {

  from {

  match-conditions;

  }

  then {

  action;

  action-modifiers;

  }

  }

  }

  }

  }

• Apply firewall filters to interfaces in the logical system—To have the firewall filter take effect, you must apply it to an interface in the logical system by including the filter statement at the [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family-name] hierarchy level:

  [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family-name]

  filter {

  input filter-name;

  output filter-name;

  }

To identify firewall objects configured under logical systems, operational show commands and firewall-related SNMP MIB objects include a __logical-system-name/ prefix in the object name. For example, firewall objects configured under the ls1 logical system include an __ls1/ prefix.

This section includes the following topics:

• Guidelines for Firewall Configuration in Logical Systems
• Unsupported Configuration Statements, Actions, and Action Modifiers

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.