Hello,

Nick Ryce wrote (Thu, Apr 28, 2011 at 10:35:53AM +0100):

> We currently have an issue where we are unable to use
> tcp-established on egress firewall filters. We need this as we have
> firewall filters per customer applied to their own VLAN. If the
> server initiates a connection we want the return traffic allowed
> (normally we use tcp-established in Cisco land).

We hit the same problem.

> Is there any known work around?

No. Juniper told us this is a hardware limitation. tcp-flags will never
be supported on the EX4200 (I don't know about the EX8200).

I don't have any knowledge of switch design, but I don't understand why
pattern-matching some bits in TCP headers is difficult on egress.

Note that syslog on egress firewall filters is also not possible.

Cheers,

--
Emmanuel Halbwachs              Observatoire de Paris-Meudon
Network/Security Manager        5 Place Jules Janssen
tel : +33 1 45 07 75 54         F 92195 MEUDON CEDEX
fax : +33 1 45 07 01 89         vehicles: 11 av. Marcellin Berthelot

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
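The filter the original poster describes, written out in Junos set syntax as an added illustration (this is not configuration from the thread or from Juniper; the filter name CUST-A-RETURN, the interface vlan.100 and the prefix 198.51.100.0/24 are made up). It shows why the reply's remark about tcp-flags covers tcp-established as well: in Junos, tcp-established is shorthand for the tcp-flags match "(ack | rst)", so a term using it in the output direction of the customer's routed VLAN interface is exactly the egress tcp-flags match the reply says the EX4200 cannot do.

```junos
# Added example, not from the thread. Names and addresses are made up.
# Admit TCP packets toward the customer's servers only when ACK or RST is
# set, i.e. the connection was opened from the customer side.
# tcp-established is equivalent to: from tcp-flags "(ack | rst)"
set firewall family inet filter CUST-A-RETURN term return-traffic from protocol tcp
set firewall family inet filter CUST-A-RETURN term return-traffic from destination-address 198.51.100.0/24
set firewall family inet filter CUST-A-RETURN term return-traffic from tcp-established
set firewall family inet filter CUST-A-RETURN term return-traffic then accept

# New inbound TCP connections (no ACK/RST, i.e. a bare SYN) are dropped.
set firewall family inet filter CUST-A-RETURN term new-inbound from protocol tcp
set firewall family inet filter CUST-A-RETURN term new-inbound then discard

# Everything else (non-TCP) passes.
set firewall family inet filter CUST-A-RETURN term other then accept

# The egress placement the thread is about: output direction of the
# customer's routed VLAN interface. The reply reports that tcp-flags
# matching in this direction is not supported by EX4200 hardware.
set interfaces vlan unit 100 family inet filter output CUST-A-RETURN
```

Applying the same filter in the input direction of vlan.100 would match packets arriving from the customer's servers rather than the return traffic going to them, so it does not give the behaviour the poster wants; the thread offers no workaround, and none is claimed here.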

