Guidelines for Nesting References to Multiple Firewall Filters
Statement Hierarchy for Configuring Nested Firewall Filters
To reference a filter from within a filter, include the filter filter-name statement as a separate filter term:
firewall firewall-name {
family family-name {
filter filter-name {
term term-name {
filter filter-name;
}
}
}
}
You can include the firewall configuration at one of the following hierarchy levels:
[edit][edit logical-systems logical-system-name]
Filter-Defining Terms and Filter-Referencing Terms
You cannot configure a firewall filter term that both references another firewall filter and defines a match condition or action. If a firewall filter term includes the filter statement, then it cannot also include the from or then statement.
For example, the firewall filter term term term1 in the configuration is not valid:
[edit]
firewall {
family inet {
filter filter_1 {
term term1 {
filter filter_2;
from {
source-address 172.16.1.1/32;
}
then {
accept;
}
}
}
}
}
In order for term term1 to be a valid filter term, you must either remove the filter filter_2 statement or remove both the from and then stanzas.
Types of Filters Supported in Nested Configurations
Nested configurations of firewall filters support firewall filters only. You cannot use service filters or simple filters in a nested firewall filter configuration.
Number of Filter References in a Single Filter
The total number of filters referenced from within a filter cannot exceed 256.
Depth of Filter Nesting
The Junos OS supports a single level of firewall filter nesting. If filter_1 references filter_2, you cannot configure a filter that references a filter that references filter_1.