I want to set up an analyzer to capture ingress traffic from all IP addresses arriving on the port *except* for one subnet. I have limited means to test this in a non-production network. So:
set ethernet-switching-options analyzer copysense input ingress interface ge-0/0/45.0
set ethernet-switching-options analyzer copysense output interface ge-0/0/47.0
Now for the filter. This seems intuitive:
set firewall family ethernet-switching filter dont-mirror-core term notcore from source-address 149.137.1.0/24
set firewall family ethernet-switching filter dont-mirror-core term notcore then discard
set firewall family ethernet-switching filter dont-mirror-core term sendtocopysense then analyzer copysense
BUT - won't having the "discard" term in there before the "then analyzer" term discard all 149.137.1.0/24 packets on ingress, even those that need to be forwarded on to their normal destination port?
So - I need to figure out a way to do this without any "discard" actions, is that correct? Then, you would use a first term that accepts 149.137.1.0/24 but does nothing, and then a second term that catches everything else:
set firewall family ethernet-switching filter dont-mirror-core term notcore from source-address 149.137.1.0/24
set firewall family ethernet-switching filter dont-mirror-core term notcore then accept
set firewall family ethernet-switching filter dont-mirror-core term sendtocopysense then analyzer copysense
I think I can test this latter one without too much risk of shutting off our "core"....
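A way to compare the two filter variants offline before committing either one, as an added example that is not part of the original post and is not Junos code: a small Python model of Junos first-match filter evaluation. It assumes accept and discard are terminating actions, that analyzer is an action modifier, and that a term with only a modifier implicitly accepts; the packet source addresses are constructed for the check.

```python
# Added example (not from the original post): a minimal model of Junos
# first-match firewall-filter evaluation, used to compare the two
# dont-mirror-core filters above without touching a production switch.
# Assumptions: terms are evaluated in order and the first match decides;
# "accept"/"discard" are terminating actions; "analyzer" is an action
# modifier, and a term with only a modifier implicitly accepts;
# a packet matching no term hits the filter's implicit discard.
import ipaddress

def term(name, match=None, then=None, analyzer=None):
    """One filter term. match=None means the term matches every packet."""
    return {"name": name, "match": match, "then": then, "analyzer": analyzer}

def evaluate(filter_terms, src_ip):
    """Return (forwarded, mirrored_to) for a packet with the given source IP."""
    ip = ipaddress.ip_address(src_ip)
    for t in filter_terms:
        if t["match"] is not None and ip not in ipaddress.ip_network(t["match"]):
            continue
        if t["then"] == "discard":
            return (False, None)        # dropped outright; nothing is mirrored either
        return (True, t["analyzer"])    # explicit accept, or implicit accept with modifier
    return (False, None)                # implicit discard at the end of the filter

CORE = "149.137.1.0/24"

# First version from the post: discard the core subnet, mirror the rest.
FILTER_WITH_DISCARD = [
    term("notcore", match=CORE, then="discard"),
    term("sendtocopysense", analyzer="copysense"),
]

# Second version: accept the core subnet without mirroring, mirror the rest.
FILTER_WITH_ACCEPT = [
    term("notcore", match=CORE, then="accept"),
    term("sendtocopysense", analyzer="copysense"),
]

if __name__ == "__main__":
    # Constructed sample sources: one inside the core subnet, one outside it.
    for label, f in (("discard", FILTER_WITH_DISCARD), ("accept", FILTER_WITH_ACCEPT)):
        for src in ("149.137.1.10", "10.20.30.40"):
            forwarded, mirrored = evaluate(f, src)
            print(f"{label:7} {src:14} forwarded={forwarded} mirrored_to={mirrored}")
```

The model shows the first version dropping core traffic entirely (not forwarded, not mirrored) while the second forwards it unmirrored and mirrors everything else in both cases.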