Guidelines for Firewall Configuration in Logical Systems
As a general rule, firewall filters configured under a logical system must be complete and self-contained. Typically, the filters cannot reference firewall elements configured at the [edit firewall] hierarchy level or at another [edit logical-systems logical-system-name] hierarchy level. If no firewall filters are configured for a logical system, the firewall filters at the [edit firewall] hierarchy level are applied.
In some situations, firewall statements that are valid under the [edit firewall] hierarchy are not supported under the [edit logical-systems logical-system-name firewall] hierarchy. There are three scenarios to consider:
- Scenario 1. An object in the firewall hierarchy references another object in the hierarchy; for example, when a firewall filter references a firewall policer.
- Scenario 2. An object outside the firewall hierarchy references an object inside the firewall hierarchy; for example, when a firewall filter is applied to an interface.
- Scenario 3. An object in the firewall hierarchy references an object outside the firewall hierarchy; for example, when a firewall filter references a prefix list (defined under the [edit policy-options] hierarchy).
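One way to audit a configuration for the self-containment rule in Scenarios 1 and 2, as an added example that is not part of the original documentation or of Junos itself. It assumes the configuration is available in `display set` form; the sample lines and all object names (`ls1`, `ls2`, `f-ok`, `f-bad`, `ls1-pol`, `global-pol`) are constructed, and the fallback rule is an interpretation of the paragraph above.

```python
import re
from collections import defaultdict

# Constructed sample in "show configuration | display set" form; every name is hypothetical.
SAMPLE = """\
set firewall policer global-pol if-exceeding bandwidth-limit 1m
set firewall policer global-pol if-exceeding burst-size-limit 15k
set firewall policer global-pol then discard
set logical-systems ls1 firewall policer ls1-pol if-exceeding bandwidth-limit 1m
set logical-systems ls1 firewall policer ls1-pol if-exceeding burst-size-limit 15k
set logical-systems ls1 firewall policer ls1-pol then discard
set logical-systems ls1 firewall family inet filter f-ok term t1 then policer ls1-pol
set logical-systems ls1 firewall family inet filter f-bad term t1 then policer global-pol
set logical-systems ls1 interfaces ge-0/0/0 unit 0 family inet filter input f-ok
set logical-systems ls2 interfaces ge-0/0/1 unit 0 family inet filter input f-ok
"""

LS = re.compile(r"^set logical-systems (\S+) (.*)$")
FILTER_DEF = re.compile(r"^firewall family \S+ filter (\S+)")
POLICER_DEF = re.compile(r"^firewall policer (\S+)")
POLICER_REF = re.compile(r"^firewall family \S+ filter (\S+) term \S+ then policer (\S+)")
FILTER_REF = re.compile(r"^interfaces (\S+) unit (\S+) family \S+ filter (?:input|output) (\S+)")

def audit(config):
    """Return (scope, location, kind, name) for each reference that does not resolve."""
    filters, policers, refs = defaultdict(set), defaultdict(set), []
    for line in config.splitlines():
        m = LS.match(line)
        # scope None stands for the main [edit firewall] hierarchy
        scope, rest = (m.group(1), m.group(2)) if m else (None, line[4:])
        if d := FILTER_DEF.match(rest):
            filters[scope].add(d.group(1))
        if d := POLICER_DEF.match(rest):
            policers[scope].add(d.group(1))
        if r := POLICER_REF.match(rest):      # Scenario 1: filter -> policer
            refs.append((scope, "filter " + r.group(1), "policer", r.group(2)))
        if r := FILTER_REF.match(rest):       # Scenario 2: interface -> filter
            refs.append((scope, f"{r.group(1)}.{r.group(2)}", "filter", r.group(3)))
    findings = []
    for scope, where, kind, name in refs:
        # Assumption: a logical system with no filters of its own uses [edit firewall].
        lookup = scope if filters[scope] else None
        defined = filters[lookup] if kind == "filter" else policers[lookup]
        if name not in defined:
            findings.append((scope or "main", where, kind, name))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, the audit flags the filter in `ls1` that points at a policer defined under [edit firewall], and the interface in `ls2` that points at a filter defined only in `ls1`.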
This section includes the following topics: