References from a Firewall Filter in a Logical System to Nonfirewall Objects

Resolution of References from a Firewall Filter to Nonfirewall Objects

In many cases, a firewall configuration references objects outside the firewall configuration. As a general rule, the referenced object must be defined under the same logical system as the referencing object. However, there are cases when the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level.

Valid Reference to a Nonfirewall Object Outside of the Logical System

This example configuration illustrates an exception to the general rule that the objects referenced by a firewall filter in a logical system must be defined under the same logical system as the referencing object.

In the following scenario, the service filter inetsf1 is applied to IPv4 traffic associated with the service set fred at the logical interface fe-0/3/2.0, which is on an adaptive services interface.

• Service filter inetsf1 is defined in ls-B and references prefix list prefix1.

• Service set fred is defined at the main services hierarchy level, and the policy framework software searches the [edit services] hierarchy for the definition of the fred service set.

Because service rules cannot be configured in logical systems. firewall filter configurations in the [edit logical-systems logical-system logical-system-name] hierarchy are allowed to reference service sets outside the logical system hierarchy.