firewall filter error

‎05-02-2020 09:40 PM

Hi,

I got the following error with the following config. Please let me know what I am doing wrong/missing. Thanks

admin@router# set firewall family inet filter abc term t1 then sample

[edit]
admin@router# commit
[edit firewall family inet filter abc term t1 then]
'sample'
Requires forwarding-options sampling or packet-capture config
error: commit failed: (statements constraint check failed)

[edit]

Re: firewall filter error

‎05-02-2020 11:46 PM

Hello,

When you use "then sample" in the firewall filter config, you need to add config under "forwarding-options sampling":

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/sampling-...

You can also use sampling instances if you want to use different rates on different linecards.

Example sampling instance config here: https://www.juniper.net/documentation/en_US/junos/topics/example/flowmonitoring-active-sampling-inst...

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: firewall filter error

‎05-03-2020 01:13 AM

@aarseniev:

I tried both methods as listed below, but it still failed. Any suggested option for forwarding-options?


1) set forwarding-options sampling input rate 3

admin@router# set forwarding-options sampling input rate 3

[edit]
admin@router# commit
[edit firewall family inet filter abc term t1 then]
'sample'
Requires forwarding-options sampling or packet-capture config
error: commit failed: (statements constraint check failed)

[edit]

or

2)

admin@router# set forwarding-options sampling input max-packets-per-second 10

[edit]
admin@router# commit
[edit firewall family inet filter abc term t1 then]
'sample'
Requires forwarding-options sampling or packet-capture config
error: commit failed: (statements constraint check failed)


Solution
Accepted by topic author PL2
‎05-03-2020 05:11 AM

Re: firewall filter error

‎05-03-2020 01:27 AM

Hello,

If you only added a rate and max-packets-per-sec, then this is NOT a complete sampling config. You need to add the output flow-server/collector IP and port.

Below is the minimum sampling config that passes commit check, JUNOS 19.1R3:

[edit]
regress@R3# commit check 
configuration check succeeds

[edit]
regress@R3# show | compare
[edit]
+  forwarding-options {
+      sampling {
+          input {
+              rate 100;
+          }
+          family inet {
+              output {
+                  flow-server 203.0.113.1 {
+                      port 1130;
+                  }
+              }
+          }
+      }
+  }
[edit firewall family inet]
+     filter abc {
+         term 1 {
+             then sample;
+         }
+     }

HTH

Thx

Alex

 

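A pre-commit lint for the dependency this thread turns on, as an added example that is not part of the original posts and is not Juniper code: it reads a configuration in "set" format and reports every "then sample" term that lacks the sampling pieces shown in the accepted answer. The function name lint_sampling, the sample configs and the rules themselves are assumptions drawn from the thread; it does not reproduce the Junos constraint checker.

```python
import re

# Constructed sample configs in "set" format, modelled on the thread.
INCOMPLETE = """\
set firewall family inet filter abc term t1 then sample
set forwarding-options sampling input rate 3
"""
COMPLETE = """\
set firewall family inet filter abc term 1 then sample
set forwarding-options sampling input rate 100
set forwarding-options sampling family inet output flow-server 203.0.113.1 port 1130
"""

SAMPLE_RE = re.compile(
    r"^set firewall family (\S+) filter (\S+) term (\S+) then sample$")
OUTPUT_RE = re.compile(
    r"^set forwarding-options sampling family (\S+) output flow-server \S+ port \d+$")


def lint_sampling(config_text):
    """Return a list of findings; an empty list means nothing was flagged.

    Assumptions (from the thread only): a 'then sample' term is satisfied by
    any packet-capture config, or by sampling input settings plus a
    flow-server with a port for the same address family.
    """
    lines = [" ".join(l.split()) for l in config_text.splitlines() if l.strip()]
    sample_terms = [m.groups() for l in lines if (m := SAMPLE_RE.match(l))]
    if not sample_terms:
        return []
    if any(l.startswith("set forwarding-options packet-capture ") for l in lines):
        return []
    has_input = any(
        l.startswith("set forwarding-options sampling input ") for l in lines)
    families_with_output = {
        m.group(1) for l in lines if (m := OUTPUT_RE.match(l))}
    findings = []
    for family, flt, term in sample_terms:
        where = f"filter {flt} term {term} (family {family})"
        if not has_input:
            findings.append(f"{where}: no 'sampling input' settings")
        if family not in families_with_output:
            findings.append(f"{where}: no 'sampling family {family} "
                            "output flow-server <ip> port <n>'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, lint_sampling(cfg) or "ok")
```
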