Junos OS

Expand all | Collapse all

firewall filter error

Jump to Best Answer
  • 1.  firewall filter error

    Posted 05-02-2020 21:40

    Hi, 

     

    I got the following error with following config, please let me know what I am doing wrong/missing. Thanks

    admin@router# set firewall family inet filter abc term t1 then sample

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)

    [edit]


    #FirewallFilter


  • 2.  RE: firewall filter error

    Posted 05-02-2020 23:47

    Hello,

    When You use "then sample" in the firewall filter config, You need to add config under "forwarding-options sampling" 

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/sampling-edit-forwarding-options.html

    You can also use sampling instances if You want to use different rates on different linecards.

    Example sampling instance config here https://www.juniper.net/documentation/en_US/junos/topics/example/flowmonitoring-active-sampling-instance-example.html 

    HTH

    Thx

    Alex



  • 3.  RE: firewall filter error

    Posted 05-03-2020 01:14

    @aarseniev:

    I tried both methods as listed belwo, but it still failed. Any suggested option for forwarding-options?


    1) set forwarding-options sampling input rate 3

    admin@router# set forwarding-options sampling input rate 3

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)

    [edit]

     

    or

     

    2) 

    admin@router# set forwarding-options sampling input max-packets-per-second 10

    [edit]
    admin@router# commit
    [edit firewall family inet filter abc term t1 then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: commit failed: (statements constraint check failed)




  • 4.  RE: firewall filter error
    Best Answer

    Posted 05-03-2020 01:27

    Hello,

    If You only added a rate and max-packets-per-sec then this is NOT a complete sampling config, You need to add output flow-server/collector IP and port

    Below is the minimum sampling config that passes commit check, JUNOS 19.1R3

     

    [edit]
    regress@R3# commit check 
    configuration check succeeds
    
    [edit]
    regress@R3# show | compare
    [edit]
    +  forwarding-options {
    +      sampling {
    +          input {
    +              rate 100;
    +          }
    +          family inet {
    +              output {
    +                  flow-server 203.0.113.1 {
    +                      port 1130;
    +                  }
    +              }
    +          }
    +      }
    +  }
    [edit firewall family inet]
    +     filter abc {
    +         term 1 {
    +             then sample;
    +         }
    +     }

    HTH

    Thx

    Alex