References from a Nonfirewall Object in a Logical System to a Firewall Filter
Resolution of References from a Nonfirewall Object to a Firewall Filter
If a nonfirewall filter object in a logical system references a firewall filter (or an object within one, such as a policer), the reference is resolved using the following logic:

If the nonfirewall filter object is configured in a logical system that includes firewall filter configuration statements, the policy framework software searches only the [edit logical-systems logical-system-name firewall] hierarchy level. Firewall filter configurations that belong to other logical systems or to the main [edit firewall] hierarchy level are not searched.

If the nonfirewall filter object is configured in a logical system that does not include any firewall filter configuration statements, the policy framework software searches the firewall configurations defined at the main [edit firewall] hierarchy level.
Invalid Reference to a Firewall Filter Outside of the Logical System
This example configuration illustrates an unresolvable reference from a nonfirewall object in a logical system to a firewall filter.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C. Filter filter1 is defined in ls-C. Filter fred is defined in the main firewall configuration.

Because ls-C contains firewall filter statements (for filter1), the policy framework software resolves references to and from firewall filters by searching the [edit logical-systems ls-C firewall] hierarchy level. Consequently, the reference from fe-0/3/2.0 in the logical system to fred in the main firewall configuration cannot be resolved.
[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
        firewall { # Under logical system 'ls-C'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address 12.1.0.0/16;
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address 12.2.0.0/16;
                        }
                        then policer pol1;
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems configurations.
firewall { # Under the main firewall hierarchy level.
    family inet {
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
} # End of main firewall configurations.
Valid Reference to a Firewall Filter Within the Logical System
This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filters.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C. Filter filter1 is defined in ls-C. Filter fred is defined in ls-C and also in the main firewall configuration.

Because ls-C contains firewall filter statements, the policy framework software resolves references to and from firewall filters by searching the [edit logical-systems ls-C firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in ls-C; the main-hierarchy fred is never consulted.
[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
        firewall { # Under logical system 'ls-C'.
            family inet {
                filter filter1 {
                    term one {
                        from {
                            source-address 12.1.0.0/16;
                        }
                        then {
                            reject host-unknown;
                        }
                    }
                    term two {
                        from {
                            source-address 12.2.0.0/16;
                        }
                        then policer pol1;
                    }
                }
                filter fred { # This 'fred' is in 'ls-C'.
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            log;
                            reject host-unknown;
                        }
                    }
                }
            }
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
        }
    }
} # End of logical systems configurations.
firewall { # Main firewall filter hierarchy level.
    family inet {
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
} # End of main firewall configurations.
Valid Reference to a Firewall Filter Outside of the Logical System
This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filters.

In the following scenario, the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0 in the logical system ls-C. Filter filter1 is defined in the main firewall configuration. Filter fred is defined in the main firewall configuration.

Because ls-C does not contain any firewall filter statements, the policy framework software resolves references to and from firewall filters by searching the [edit firewall] hierarchy level. Consequently, the references from fe-0/3/2.0 in the logical system to filter1 and fred use the stateless firewall filters configured in the main firewall configuration.
[edit]
logical-systems {
    ls-C {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        filter {
                            input-list [ filter1 fred ];
                        }
                    }
                }
            }
        }
    }
} # End of logical systems configurations.
firewall { # Main firewall hierarchy level.
    family inet {
        filter filter1 {
            term one {
                from {
                    source-address 12.1.0.0/16;
                }
                then {
                    reject host-unknown;
                }
            }
            term two {
                from {
                    source-address 12.2.0.0/16;
                }
                then policer pol1;
            }
        }
        filter fred {
            term one {
                from {
                    source-address 11.1.0.0/16;
                }
                then {
                    log;
                    reject host-unknown;
                }
            }
        }
    }
    policer pol1 {
        if-exceeding {
            bandwidth-limit 701k;
            burst-size-limit 70k;
        }
        then discard;
    }
} # End of main firewall configurations.
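The resolution rule stated at the top of this page, applied to the three configurations above, as an added example that is not part of the original documentation or of Junos itself. The LogicalSystem and Config classes are a constructed model of the relevant hierarchy levels (filter names only); a pre-commit check of this shape flags an interface whose filter reference will not resolve and therefore will not be enforced.

```python
"""Added example: resolve firewall-filter references from a logical system."""
from dataclasses import dataclass, field


@dataclass
class LogicalSystem:
    # filters configured under [edit logical-systems <name> firewall]
    filters: set = field(default_factory=set)
    # logical interface -> filter names referenced from it (e.g. input-list)
    interface_filters: dict = field(default_factory=dict)


@dataclass
class Config:
    main_filters: set = field(default_factory=set)       # [edit firewall]
    logical_systems: dict = field(default_factory=dict)  # name -> LogicalSystem


def resolve_filter(cfg, ls_name, filter_name):
    """Return "logical-system", "main", or None for an unresolvable reference.

    Exactly one hierarchy is searched: the logical system's own firewall
    hierarchy if it holds any filter statements, otherwise the main one.
    """
    ls = cfg.logical_systems[ls_name]
    if ls.filters:
        return "logical-system" if filter_name in ls.filters else None
    return "main" if filter_name in cfg.main_filters else None


def unresolved_references(cfg):
    """(logical system, interface, filter) for every dangling reference."""
    return [(ls_name, ifl, name)
            for ls_name, ls in cfg.logical_systems.items()
            for ifl, names in ls.interface_filters.items()
            for name in names
            if resolve_filter(cfg, ls_name, name) is None]


# Constructed models of the three configurations shown on this page.
IFL = {"fe-0/3/2.0": ["filter1", "fred"]}
INVALID = Config({"fred"}, {"ls-C": LogicalSystem({"filter1"}, IFL)})
VALID_INSIDE = Config({"fred"}, {"ls-C": LogicalSystem({"filter1", "fred"}, IFL)})
VALID_MAIN = Config({"filter1", "fred"}, {"ls-C": LogicalSystem(set(), IFL)})

if __name__ == "__main__":
    for label, cfg in [("invalid", INVALID), ("valid-inside", VALID_INSIDE),
                       ("valid-main", VALID_MAIN)]:
        print(label, unresolved_references(cfg))
```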