Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Unsupported Firewall Filter Statements for Logical Systems

Table 1 shows statements that are supported at the [edit firewall] hierarchy level but not at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 1: Unsupported Firewall Statements for Logical Systems

Statement

Example

Description

accounting-profile

 
[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter myfilter {
                    accounting-profile fw-profile;
                    ...
                    term accept-all {
                        then {
                            count counter1;
                            accept;
                        }
                    }
                }
            }
        }
    }
}

In this example, the accounting-profile statement is not allowed because the accounting profile fw-profile is configured under the [edit accounting-options] hierarchy.

hierarchical-policer

 
[edit]
logical-systems {
    lr1 {
        firewall {
            hierarchical-policer {
                ...
            }
        }
    }
}

In this example, the hierarchical policer statement requires a class-of-service configuration, which is not supported under logical systems.

load-balance-group

 
[edit]
logical-systems {
    ls1 {
        firewall {
            load-balance-group lb-group {
                next-hop-group nh-group;
            }
        }
    }
}

This configuration is not allowed because the next-hop-group nh-group statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy.

Currently, the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems.

virtual-channel

 
[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            virtual-channel sammy;
                        }
                    }
                }
            }
        }
    }
}

This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level, and class of service is not supported for logical systems.

Note:

The virtual-channel statement is supported for J Series devices only, provided the firewall filter is configured outside of a logical-system.

Related Documentation