[Contents] [Prev] [Next] [Index] [Report an Error]

Scenario 2: Referencing Firewall Objects from Outside the Firewall Configuration

When an object is configured within a logical system (but is not included in the firewall configuration for the logical system) and that object references a firewall object, the following logic is used to resolve the configuration:

If firewall configuration statements are defined within the same logical system, the [edit logical-systems logical-system-name firewall] hierarchy is searched to resolve the configuration. The main [edit firewall] hierarchy is not searched.
If no firewall configuration statements are defined within the same logical system, the firewall configuration defined at the [edit firewall] hierarchy level is searched to resolve the configuration. This search option is provided for legacy purposes. The main [edit firewall] hierarchy is searched only if firewall configuration statements are not defined within the same logical system.
Firewall configurations that belong to other logical systems are not searched.

In the following example, the filter fred is applied to an interface in the logical system ls1. However, fred is defined in the main firewall configuration instead of in the ls1 firewall configuration. Therefore, in this first example, the configuration is not valid.



[edit]
logical-systems {


ls1 {


interfaces {


fe-0/3/2 {


unit 0 {


family inet {


filter {
input-list [ filter1 fred ];
}


}


}


}


}




firewall {


policer pol1 {


if-exceeding {
bandwidth-limit 401k;
burst-size-limit 50k;
}


then discard;
}




filter filter1 {


term one {


from {


source-address 12.1.0.0/16;


}




then {
reject host-unknown;
}


}




term two {


from {
source-address 12.2.0.0/16;
}


then policer pol1;
}


}


}


}


}
firewall {


policer pol1 {


if-exceeding {
bandwidth-limit 701k;
burst-size-limit 70k;
}


then discard;
}




family inet {


filter fred {


term one {


from {


source-address 11.1.0.0/16;


}




then {
log;
reject host-unknown;
}


}


}


}


}

To fix this example, define filter fred under logical system ls1. In this case, the filter fred applied to interface fe-0/3/2 looks for source address 10.1.0.0/16 rather than 11.1.0.0/16.



[edit]
logical-systems {


ls1 {


interfaces {


fe-0/3/2 {


unit 0 {


family inet {


filter {
input-list [ filter1 fred ];
}


}


}


}


}




firewall {


policer pol1 {


if-exceeding {
bandwidth-limit 401k;
burst-size-limit 50k;
}


then discard;
}




filter filter1 {


term one {


from {


source-address 12.1.0.0/16;


}




then {
reject host-unknown;
}


}




term two {


from {
source-address 12.2.0.0/16;
}


then policer pol1;
}


}




family inet {


filter fred {


term one {


from {


source-address 10.1.0.0/16;{


}




then {
log;
reject host-unknown;
}


}


}


}


}


}


}
firewall {


policer pol1 {


if-exceeding {
bandwidth-limit 701k;
burst-size-limit 70k;
}


then discard;
}




family inet {


filter fred {


term one {


from {


source-address {
11.1.0.0/16;
}


}




then {
log;
reject host-unknown;
}


}


}


}


}

If, however, the [edit logical-systems logical-system-name] hierarchy does not contain any firewall statements, then the main firewall configuration is used for any filter or policer references. For example, the following configuration is also allowed:



[edit]
logical-systems {


ls1 {


interfaces {


fe-0/3/2 {


unit 0 {


family inet {


filter {
input-list [ filter1 fred ];
}


}


}


}


}


}


}
firewall {


policer pol1 {


if-exceeding {
bandwidth-limit 701k;
burst-size-limit 70k;
}


then discard;
}




family inet {


filter fred {


term one {


from {


source-address 11.1.0.0/16;


}




then {
log;
reject host-unknown;
}


}


}




filter filter1 {


term one {


from {


source-address 12.1.0.0/16;


}




then {
reject host-unknown;
}


}




term two {


from {
source-address 12.2.0.0/16;
}


then policer pol1;
}


}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]