Technical Documentation

Supported Platforms
M Series
T Series

Configuring Firewall Filters for Logical Systems

You can configure a separate set of firewall filters for each logical system on the router. To configure a firewall filter for a logical system, you must perform at least the following tasks:

Configure firewall filters for the logical system—To configure firewall filters for the logical system, include the firewall statement at the [edit local-systems logical-system-name] hierarchy level:
[edit logical-systems logical-system-name]firewall {family family-name {filter filter-name {accounting-profile name;interface-specific;term term-name {from {match-conditions;}then {action;action-modifiers;}}}}}
Apply firewall filters to interfaces in the logical system—To have the firewall filter take effect, you must apply it to an interface in the logical system by including the filter statement at the [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family-name] hierarchy level:
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family-name]filter {input filter-name;output filter-name;}

To identify firewall objects configured under logical systems, operational show commands and firewall-related SNMP MIB objects include a __logical-system-name/ prefix in the object name. For example, firewall objects configured under the ls1 logical system include an __ls1/ prefix.

This section includes the following topics:

Guidelines for Firewall Configuration in Logical Systems

As a general rule, firewall filters configured under a logical system must be complete and self-contained. Typically, the filters cannot reference firewall elements configured at the [edit firewall] hierarchy level or at another [edit logical-systems logical-system-name] hierarchy level. If no firewall filters are configured for a logical system, the firewall filters at the [edit firewall] hierarchy level are applied.

In some situations, firewall statements that are valid under the [edit firewall] hierarchy are not supported under the [edit logical-systems logical-system-name firewall] hierarchy. There are three scenarios to consider:

Scenario 1. An object in the firewall hierarchy references another object in the hierarchy; for example, when a firewall filter references a firewall policer.
Scenario 2. An object outside the firewall references an object inside the firewall hierarchy; for example, a firewall filter is applied to an interface.
Scenario 3. An object in the firewall hierarchy references an object outside the firewall hierarchy; for example, when a firewall filter references a prefix list (defined under the [edit policy-options] hierarchy).

This section includes the following topics:

Scenario 1: Firewall Objects Reference Other Firewall Objects

If a firewall object references a subordinate object (for example, a policer or prefix list), that subordinate object must be defined within the firewall object. For example, if a firewall filter configuration references a policer, that policer must be configured under the same firewall object as the filter. This rule applies even if the same policer is configured under the main firewall configuration or if the same policer is configured as part of a firewall in another logical system.

In this example, the filter1 filter references the pol1 policer. Both filter1 and pol1 are defined under the same firewall object. This configuration is valid. If pol1 were defined under another firewall object, the configuration would not be valid.

[edit]logical systems {ls1 {firewall {policer pol1 {if-exceeding {bandwidth-limit 401k;burst-size-limit 50k;}then discard;}filter filter1 {term one {from {source-address 12.1.0.0/16;}then {reject host-unknown;}}term two {from {source-address 12.2.0.0/16;}then policer pol1;}}}}}

Scenario 2: Nonfirewall Objects Reference Firewall Objects

When an object is configured within a logical system (but is not included in the firewall configuration for the logical system) and that object references a firewall object, the following logic is used to resolve the configuration:

If firewall configuration statements are defined within the same logical system, the [edit logical-systems logical-system-name firewall] hierarchy is searched to resolve the configuration. The main [edit firewall] hierarchy is not searched.
If no firewall configuration statements are defined within the same logical system, the firewall configuration defined at the [edit firewall] hierarchy level is searched to resolve the configuration. This search option is provided for legacy purposes. The main [edit firewall] hierarchy is searched only if firewall configuration statements are not defined within the same logical system.
Firewall configurations that belong to other logical systems are not searched.

In the following example, the filter fred is applied to an interface in the logical system ls1. However, fred is defined in the main firewall configuration instead of in the ls1 firewall configuration. Therefore, in this first example, the configuration is not valid.

[edit]logical-systems {ls1 {interfaces {fe-0/3/2 {unit 0 {family inet {filter {input-list [ filter1 fred ];}}}}}firewall {policer pol1 {if-exceeding {bandwidth-limit 401k;burst-size-limit 50k;}then discard;}filter filter1 {term one {from {source-address 12.1.0.0/16;}then {reject host-unknown;}}term two {from {source-address 12.2.0.0/16;}then policer pol1;}}}}}firewall {policer pol1 {if-exceeding {bandwidth-limit 701k;burst-size-limit 70k;}then discard;}family inet {filter fred {term one {from {source-address 11.1.0.0/16;}then {log;reject host-unknown;}}}}}

To fix this example, define filter fred under logical system ls1. In this case, the filter fred applied to interface fe-0/3/2 looks for source address 10.1.0.0/16 rather than 11.1.0.0/16.

[edit]logical-systems {ls1 {interfaces {fe-0/3/2 {unit 0 {family inet {filter {input-list [ filter1 fred ];}}}}}firewall {policer pol1 {if-exceeding {bandwidth-limit 401k;burst-size-limit 50k;}then discard;}filter filter1 {term one {from {source-address 12.1.0.0/16;}then {reject host-unknown;}}term two {from {source-address 12.2.0.0/16;}then policer pol1;}}family inet {filter fred {term one {from {source-address 10.1.0.0/16; }then {log;reject host-unknown;}}}}}}}firewall {policer pol1 {if-exceeding {bandwidth-limit 701k;burst-size-limit 70k;}then discard;}family inet {filter fred {term one {from {source-address 11.1.0.0/16;}then {log;reject host-unknown;}}}}}

If, however, the [edit logical-systems logical-system-name] hierarchy does not contain any firewall statements, then the main firewall configuration is used for any filter or policer references. For example, the following configuration is also allowed:

[edit]logical-systems {ls1 {interfaces {fe-0/3/2 {unit 0 {family inet {filter {input-list [ filter1 fred ];}}}}}}}firewall {policer pol1 {if-exceeding {bandwidth-limit 701k;burst-size-limit 70k;}then discard;}family inet {filter fred {term one {from {source-address 11.1.0.0/16;}then {log;reject host-unknown;}}}filter filter1 {term one {from {source-address 12.1.0.0/16;}then {reject host-unknown;}}term two {from {source-address 12.2.0.0/16;}then policer pol1;}}}}

Scenario 3: Firewall Objects Reference Nonfirewall Objects

In many cases, a firewall configuration references objects outside the firewall configuration. As a general rule, the referenced object must be defined under the same logical system as the referencing object. However, there are cases when the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level.

In the following example, the service filter inetsf1 references prefix list prefix1. The service set fred cannot be defined under the logical system lr1. In this case, the [edit services] hierarchy is searched for the definition of the fred service set. This configuration is allowed because the [edit logical-systems logical-system logical-system-name] hierarchy already had the capability to reference service sets outside the logical system hierarchy.

[edit]logical-systems {ls1 {interfaces {fe-0/3/2 {unit 0 {family inet {service {input {service-set fred service-filter lr1inetsf1;}}}}}}policy-options {prefix-list prefix1 {1.1.0.0/16;1.2.0.0/16;1.3.0.0/16;}}firewall {policer pol1 {if-exceeding {bandwidth-limit 401k;burst-size-limit 50k;}then discard;}filter filter1 {term one {from {source-address 12.1.0.0/16;}then {reject host-unknown;}}term two {from {source-address 12.2.0.0/16;}then policer pol1;}}family inet {service-filter inetsf1 {term term1 {from {source-prefix-list {prefix1;}}then count prefix1;}}}}}}services {service-set fred {max-flows 100;interface-service {service-interface sp-1/2/0.0;}}}

Unsupported Configuration Statements, Actions, and Action Modifiers

Table 1 lists statements that are supported at the [edit firewall] hierarchy level but not at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 1: Unsupported Firewall Statements for Logical Systems

Statement	Example	Description
accounting-profile	[edit]logical-systems {ls1 {firewall {family inet {filter myfilter {accounting-profile fw-profile;...term accept-all {then {count counter1;accept;}}}}}}}	In this example, the accounting-profile statement is not allowed because the accounting profile fw-profile is configured under the [edit accounting-options] hierarchy.
load-balance-group	[edit]logical-systems {ls1 {firewall {load-balance-group lb-group {next-hop-group nh-group;}}}}	This configuration is not allowed because the next-hop-group nh-group statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy. Currently, the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems.
virtual-channel	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {virtual-channel sammy;}}}}}}}	This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level and class of service is not supported for logical systems.

Statement

Example

Description

accounting-profile

[edit]logical-systems {ls1 {firewall {family inet {filter myfilter {accounting-profile fw-profile;...term accept-all {then {count counter1;accept;}}}}}}}

In this example, the accounting-profile statement is not allowed because the accounting profile fw-profile is configured under the [edit accounting-options] hierarchy.

load-balance-group

[edit]logical-systems {ls1 {firewall {load-balance-group lb-group {next-hop-group nh-group;}}}}

This configuration is not allowed because the next-hop-group nh-group statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy.

Currently, the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems.

virtual-channel

[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {virtual-channel sammy;}}}}}}}

This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level and class of service is not supported for logical systems.

Table 2 includes a list of the firewall filter actions and action modifiers that are supported at the [edit firewall] hierarchy level, but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 2: Unsupported Firewall Actions and Action Modifiers for Logical Systems

Action or Action Modifier	Example	Description
analyzer	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {analyzer;}}}}}}}	(EX Series switches) Because the analyzer action relies on a configuration defined at the [edit ethernet-switching-options] hierarchy level, this action is not supported.
ipsec-sa	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {ipsec-sa barney;}}}}}}}	Because the ipsec-sa action modifier references barney, a security association defined outside the local logical system, this action is not supported.
logical-system	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {logical-system fred;}}}}}}}	Because the logical-system action refers to fred, a logical system defined outside the local logical system, this action is not supported.
next-hop-group	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {next-hop-group fred;}}}}}}}	Because the next-hop-group action refers to fred, an object defined at the [edit forwarding-options next-hop-group] hierarchy level, this action is not supported.
port-mirror	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {port-mirror;}}}}}}}	Because the port-mirror action relies on a configuration defined at the [edit forwarding-options port-mirroring] hierarchy level, this action is not supported.
sample	[edit]logical-systems {ls1 {firewall {family inet {filter foo {term one {from {source-address 10.1.0.0/16;}then {sample;}}}}}}}	In this example, the sample action depends on the sampling configuration defined under the [edit forwarding-options] hierarchy. Therefore, the sample action is not supported.
syslog	[edit]logical-systems {ls1 {firewall {family inet {filter icmp-syslog {term icmp-match {from {address {192.168.207.222/32;}protocol icmp;}then {count packets;syslog;accept;}}term default {then accept;}}}}}}	In this example, there must be at least one system log (system syslog file filename) with the firewall facility enabled for the icmp-syslog filter's logs to be stored. Because this firewall configuration relies on a configuration outside the logical system, the syslog action modifier is not supported.