Junos OS


  • 1.  firewall filter error

    Posted 05-02-2020 21:40

    Hi, 

     

    I got the following error with the following config. Please let me know what I am doing wrong/missing. Thanks

    admin@router# set firewall family inet filter abc term t1 then sample

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)

    [edit]


    #FirewallFilter


  • 2.  RE: firewall filter error

    Posted 05-02-2020 23:47

    Hello,

    When You use "then sample" in the firewall filter config, You need to add config under "forwarding-options sampling" 

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/sampling-edit-forwarding-options.html

    You can also use sampling instances if You want to use different rates on different linecards.

    Example sampling instance config here https://www.juniper.net/documentation/en_US/junos/topics/example/flowmonitoring-active-sampling-instance-example.html 

    HTH

    Thx

    Alex



  • 3.  RE: firewall filter error

    Posted 05-03-2020 01:14

    @aarseniev:

    I tried both methods as listed below, but it still failed. Any suggested option for forwarding-options?


    1) set forwarding-options sampling input rate 3

    admin@router# set forwarding-options sampling input rate 3

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)

    [edit]

     

    or

     

    2) 

    admin@router# set forwarding-options sampling input max-packets-per-second 10

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)




  • 4.  RE: firewall filter error
    Best Answer

    Posted 05-03-2020 01:27

    Hello,

    If You only added a rate and max-packets-per-sec then this is NOT a complete sampling config. You need to add an output flow-server/collector IP and port.

    Below is the minimum sampling config that passes commit check, JUNOS 19.1R3:

     

    [edit]
    regress@R3# commit check 
    configuration check succeeds
    
    [edit]
    regress@R3# show | compare
    [edit]
    +  forwarding-options {
    +      sampling {
    +          input {
    +              rate 100;
    +          }
    +          family inet {
    +              output {
    +                  flow-server 203.0.113.1 {
    +                      port 1130;
    +                  }
    +              }
    +          }
    +      }
    +  }
    [edit firewall family inet]
    +     filter abc {
    +         term 1 {
    +             then sample;
    +         }
    +     }
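
    Review bot: in the filter abc hunk, term 1 has no from clause, so "then sample" applies to every packet the filter evaluates, and with no terminating action the term falls back to the default accept. Add a from match to scope what is sampled and state the terminating action explicitly. These lines also do not attach filter abc to any interface, so an interface filter statement is still needed before anything is sampled.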

    HTH

    Thx

    Alex