References from a Firewall Filter in a Logical System to Nonfirewall Objects
Resolution of References from a Firewall Filter to Nonfirewall Objects
In many cases, a firewall configuration references objects outside the firewall configuration. As a general rule, the referenced object must be defined under the same logical system as the referencing object. However, there are cases when the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level.
Valid Reference to a Nonfirewall Object Outside of the Logical System
This example configuration illustrates an exception to the general rule that the objects referenced by a firewall filter in a logical system must be defined under the same logical system as the referencing object.
In the following scenario, the service filter inetsf1 is applied to IPv4 traffic associated with the service set fred at the logical interface fe-0/3/2.0, which is on an adaptive services interface. Service filter inetsf1 is defined in ls-B and references prefix list prefix1. Service set fred is defined at the main services hierarchy level, and the policy framework software searches the [edit services] hierarchy for the definition of the fred service set.
Because service rules cannot be configured in logical systems, firewall filter configurations in the [edit logical-systems logical-system-name] hierarchy are allowed to reference service sets outside the logical system hierarchy.
[edit]
logical-systems {
    ls-B {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        service {
                            input {
                                service-set fred service-filter inetsf1;
                            }
                        }
                    }
                }
            }
        }
        policy-options {
            prefix-list prefix1 {
                1.1.0.0/16;
                1.2.0.0/16;
                1.3.0.0/16;
            }
        }
        firewall { # Under logical-system 'ls-B'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address {
                                12.1.0.0/16;
                            }
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address {
                                12.2.0.0/16;
                            }
                        }
                        then policer pol1;
                    }
                }
                service-filter inetsf1 {
                    term term1 {
                        from {
                            source-prefix-list {
                                prefix1;
                            }
                        }
                        then count prefix1;
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems configuration.
services { # Main services hierarchy level.
    service-set fred {
        max-flows 100;
        interface-service {
            service-interface sp-1/2/0.0;
        }
    }
}
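The resolution rule above (prefix lists, policers and service filters must live in the same logical system as the firewall filter that names them, while a service set is looked up at the main [edit services] hierarchy) can be checked offline before a commit. The following is an added example, not Juniper code and not the device's own commit check: it parses a Junos-style brace configuration into nested dicts, collects every reference statement under each logical system, and resolves it with the scope the page describes. The embedded configuration is a constructed, trimmed copy of the ls-B example on this page with one extra, deliberately dangling reference (term three naming a policer pol2 that is never defined) so that an unresolved lookup is visible; the RULES table, the function names and the regular expressions are this example's own.

```python
"""Reference checker for firewall objects inside a Junos logical system
(added example; models the resolution rule described on this page)."""
import re

# Constructed sample, modelled on the page's ls-B configuration. 'then policer
# pol2' in term three is a deliberate dangling reference for demonstration.
SAMPLE_CONFIG = """
logical-systems {
    ls-B {
        interfaces { fe-0/3/2 { unit 0 { family inet { service { input {
            service-set fred service-filter inetsf1; } } } } } }
        policy-options { prefix-list prefix1 { 1.1.0.0/16; 1.2.0.0/16; } }
        firewall {   # under logical system ls-B
            family inet {
                filter filter1 {
                    term two { from { source-address { 12.2.0.0/16; } } then policer pol1; }
                    term three { from { source-address { 12.3.0.0/16; } } then policer pol2; }
                }
                service-filter inetsf1 {
                    term term1 { from { source-prefix-list { prefix1; } } then count prefix1; }
                }
            }
            policer pol1 { if-exceeding { bandwidth-limit 401k; burst-size-limit 50k; } then discard; }
        }
    }
}
services { service-set fred { max-flows 100; interface-service { service-interface sp-1/2/0.0; } } }
"""


def parse(text):
    """Parse Junos brace syntax into nested dicts. Containers become dicts
    keyed by their full statement ('term two'); leaf statements map to None."""
    text = re.sub(r"#[^\n]*", "", text)          # strip comments
    root, stack, buf = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^{};\s]+", text):
        if tok == "{":
            child = {}
            node[" ".join(buf)] = child
            stack.append(node)
            node, buf = child, []
        elif tok == ";":
            node[" ".join(buf)] = None
            buf = []
        elif tok == "}":
            node = stack.pop()
        else:
            buf.append(tok)
    return root


# Where each kind of referenced object must be defined (assumed rule table):
# scope 'local' = same logical system, 'global' = top of the configuration,
# followed by the statement path to the definition.
RULES = {
    "prefix-list":    ("local",  ["policy-options", "prefix-list {}"]),
    "policer":        ("local",  ["firewall", "policer {}"]),
    "service-filter": ("local",  ["firewall", "family inet", "service-filter {}"]),
    "service-set":    ("global", ["services", "service-set {}"]),
}


def references(node, path=()):
    """Yield (kind, name, path) for every reference statement under node.
    Only leaf statements count: 'policer pol1 { ... }' is a definition."""
    for key, child in node.items():
        here = path + (key,)
        m = re.fullmatch(r"(?:then )?policer (\S+)", key)
        if m and child is None:
            yield ("policer", m.group(1), here)
        m = re.fullmatch(r"service-set (\S+) service-filter (\S+)", key)
        if m and child is None:
            yield ("service-set", m.group(1), here)
            yield ("service-filter", m.group(2), here)
        if key == "source-prefix-list" and child:
            for name in child:
                yield ("prefix-list", name, here + (name,))
        if child:
            yield from references(child, here)


def defined(root, path):
    """True if the statement path exists under root."""
    for key in path:
        if not isinstance(root, dict) or key not in root:
            return False
        root = root[key]
    return True


def check(config):
    """Resolve every reference in every logical system.
    Returns (logical-system, kind, name, scope, resolved) tuples."""
    results = []
    for ls_name, ls in config.get("logical-systems", {}).items():
        for kind, name, _ in references(ls):
            scope, template = RULES[kind]
            base = ls if scope == "local" else config
            target = [step.format(name) for step in template]
            results.append((ls_name, kind, name, scope, defined(base, target)))
    return results


def unresolved(config):
    """Only the references whose definition was not found in the required scope."""
    return [r for r in check(config) if not r[4]]


if __name__ == "__main__":
    for ls, kind, name, scope, ok in check(parse(SAMPLE_CONFIG)):
        print(f"{ls}: {kind} {name} ({scope} lookup) -> {'ok' if ok else 'UNRESOLVED'}")
```

Run as a script it reports service-set fred as resolved by a global lookup, inetsf1, prefix1 and pol1 as resolved locally inside ls-B, and pol2 as unresolved. The point of keeping scope in the RULES table is that a service set found only at [edit services] is correct, whereas a prefix list or policer found only at the top level would still be an unresolved reference from inside the logical system.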