Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Unsupported Actions for Firewall Filters in Logical Systems

Table 1 describes the firewall filter actions that are supported at the [edit firewall] hierarchy level, but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

Table 1: Unsupported Actions for Firewall Filters in Logical Systems

Firewall Filter Action

Example

Description

Terminating Actions Not Supported in a Logical System

logical-system

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            logical-system fred;
                        }
                    }
                }
            }
        }
    }
}

Because the logical-system action refers to fred—a logical system defined outside the local logical system—, this action is not supported.

Nonterminating Actions Not Supported in a Logical System

ipsec-sa

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            ipsec-sa barney;
                        }
                    }
                }
            }
        }
    }
}

Because the ipsec-sa action modifier references barney—a security association defined outside the local logical system—this action is not supported.

next-hop-group

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            next-hop-group fred;
                        }
                    }
                }
            }
        }
    }
}

Because the next-hop-group action refers to fred—an object defined at the [edit forwarding-options next-hop-group] hierarchy level—this action is not supported.

port-mirror

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            port-mirror;
                        }
                    }
                }
            }
        }
    }
}

Because the port-mirror action relies on a configuration defined at the [edit forwarding-options port-mirroring] hierarchy level, this action is not supported.

sample

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter foo {
                    term one {
                        from {
                            source-address 10.1.0.0/16;
                        }
                        then {
                            sample;
                        }
                    }
                }
            }
        }
    }
}

In this example, the sample action depends on the sampling configuration defined under the [edit forwarding-options] hierarchy. Therefore, the sample action is not supported.

syslog

[edit]
logical-systems {
    ls1 {
        firewall {
            family inet {
                filter icmp-syslog {
                    term icmp-match {
                        from {
                            address {
                                192.168.207.222/32;
                            }
                            protocol icmp;
                        }
                        then {
                            count packets;
                            syslog;
                            accept;
                        }
                    }
                    term default {
                        then accept;
                    }
                }
            }
        }
    }
}

In this example, there must be at least one system log (system syslog file filename) with the firewall facility enabled for the icmp-syslog filter's logs to be stored.

Because this firewall configuration relies on a configuration outside the logical system, the syslog action modifier is not supported.