
Unsupported Configuration Statements, Actions, and Action Modifiers

Table 35 includes a list of additional statements that are supported at the [edit firewall] hierarchy level but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 35: Unsupported Firewall Statements for Logical Systems

Statement

Example

Description

accounting-profile

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter myfilter {
                    accounting-profile fw_profile;
                    ...
                    term accept-all {
                        then {
                            count counter1;
                            accept;
                        }
                    }
                }
            }
        }
    }
}

In this example, the accounting-profile statement is not allowed because the accounting profile fw_profile is configured under the [edit accounting-options] hierarchy.

load-balance-group

[edit]
logical-systems {
    ls1 {
        firewall {
            load-balance-group lb-group-name {
                next-hop-group [ nh-group-names ];
            }
        }
    }
}

This configuration is not allowed because the next-hop-group nh-group-names statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy.

Currently, the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems.

virtual-channel

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            virtual-channel sammy;
                        }
                    }
                }
            }
        }
    }
}

This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level, and class of service is not supported for logical systems.

Table 36 includes a list of the firewall filter actions and action modifiers that are supported at the [edit firewall] hierarchy level, but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 36: Unsupported Firewall Actions and Action Modifiers for Logical Systems

Action or Action Modifier

Example

Description

analyzer

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            analyzer;
                        }
                    }
                }
            }
        }
    }
}

(EX-series switches) Because the analyzer action relies on a configuration defined at the [edit ethernet-switching-options] hierarchy level, this action is not supported.

ipsec-sa

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            ipsec-sa barney;
                        }
                    }
                }
            }
        }
    }
}

Because the ipsec-sa action modifier references barney, a security association defined outside the local logical system, this action is not supported.

logical-system

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            logical-system fred;
                        }
                    }
                }
            }
        }
    }
}

Because the logical-system action refers to fred, a logical system defined outside the local logical system, this action is not supported.

next-hop-group

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            next-hop-group fred;
                        }
                    }
                }
            }
        }
    }
}

Because the next-hop-group action refers to fred, an object defined at the [edit forwarding-options next-hop-group] hierarchy level, this action is not supported.

port-mirror

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            port-mirror;
                        }
                    }
                }
            }
        }
    }
}

Because the port-mirror action relies on a configuration defined at the [edit forwarding-options port-mirroring] hierarchy level, this action is not supported.

sample

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            sample;
                        }
                    }
                }
            }
        }
    }
}

In this example, the sample action depends on the sampling configuration defined under the [edit forwarding-options] hierarchy. Therefore, the sample action is not supported.

syslog

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter icmp-syslog {
                    term icmp-match {
                        from {
                            address {
                                192.168.207.222/32;
                            }
                            protocol icmp;
                        }
                        then {
                            count packets;
                            syslog;
                            accept;
                        }
                    }
                    term default {
                        then accept;
                    }
                }
            }
        }
    }
}

In this example, there must be at least one system log (system syslog file filename) with the firewall facility enabled for the icmp-syslog filter's logs to be stored.

Because this firewall configuration relies on a configuration outside the logical system, the syslog action modifier is not supported.
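
The following is an added example, not Juniper code: a pre-commit lint that walks a braced Junos configuration and reports, per logical system, each keyword that Tables 35 and 36 list as unsupported under [edit logical-systems logical-system-name firewall]. It assumes the hierarchical (curly-brace) format shown on this page; the function name, the keyword sets and the SAMPLE configuration are constructed for illustration.

```python
import re

# Keywords from Tables 35 and 36 of this page. virtual-channel is listed in Table 35
# but, like the Table 36 entries, appears inside a term's "then" clause.
UNSUPPORTED_STATEMENTS = {"accounting-profile", "load-balance-group"}
UNSUPPORTED_ACTIONS = {"virtual-channel", "analyzer", "ipsec-sa", "logical-system",
                       "next-hop-group", "port-mirror", "sample", "syslog"}

def lint_logical_system_firewall(config_text):
    """Return sorted (logical_system, keyword) pairs that the tables mark unsupported."""
    # Drop "[edit ...]" banners, "..." elisions and "#" comments before tokenizing.
    text = re.sub(r"(?m)^\s*(\[edit[^\]]*\]|\.\.\.)\s*$|#.*$", "", config_text)
    findings, path = set(), []          # path = stack of enclosing block headers
    for m in re.finditer(r"([^{};]+)([{;])|\}", text):
        if m.group(0) == "}":
            if path:
                path.pop()
            continue
        words = m.group(1).split()
        if not words:
            continue
        in_scope = (len(path) >= 3 and path[0] == ["logical-systems"]
                    and path[2] == ["firewall"])
        # Actions appear either inside "then { ... }" or as one-line "then action;".
        one_line_then = words[0] == "then" and m.group(2) == ";" and len(words) > 1
        in_then = one_line_then or (bool(path) and path[-1] == ["then"])
        keyword = words[1] if one_line_then else words[0]
        table = UNSUPPORTED_ACTIONS if in_then else UNSUPPORTED_STATEMENTS
        if in_scope and keyword in table:
            findings.add((path[1][0], keyword))
        if m.group(2) == "{":
            path.append(words)
    return sorted(findings)

# Constructed sample: the same actions are fine under [edit firewall] but not under ls1.
SAMPLE = """
firewall { family inet { filter main { term t1 { then { syslog; accept; } } } } }
logical-systems {
    ls1 { firewall { family inet { filter icmp-syslog {
        accounting-profile fw_profile;
        term icmp-match { from { protocol icmp; } then { count packets; syslog; accept; } }
        term default { then sample; }
    } } } }
}
"""

if __name__ == "__main__":
    for ls_name, keyword in lint_logical_system_firewall(SAMPLE):
        print(f"{ls_name}: '{keyword}' is not supported under logical-systems firewall")
```

Running it over candidate configurations before commit lets a reviewer see when a logical-system filter depends on syslog, sample or another listed keyword that must instead be configured outside the logical system.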

