

[edit services] Hierarchy Level

To configure services, include the following statements at the [edit services] hierarchy level of the configuration:

[edit services]
adaptive-services-pics {
    traceoptions {
        flag flag;
    }
}
flow-collector {
    analyzer-address address;
    analyzer-id name;
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {
            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            file-specification variant-number;
            collector interface-name;
        }
    }
    retry number;
    retry-delay seconds;
    transfer-log {
        destinations {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename "file-name";
        interval minutes;
        maximum-size number;
    }
}
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address address;
                source-address address;
            }
            then {
                aggregation {
                    destination-prefix prefix-value;
                    source-prefix prefix-value;
                }
                (force-entry | ignore-entry); 
                logging {
                    syslog;
                    threshold rate;
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
ipsec-vpn {
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1); 
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures); 
            description description;
            dh-group (group1 | group2); 
            encryption-algorithm (3des-cbc | des-cbc); 
            lifetime-seconds seconds; 
        }
        policy policy-name {
            description description;
            local-id {
                fqdn [ values ];
                ipv4_addr [ values ];
                key_id [ values ];
            }
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                fqdn [ values ];
                ipv4_addr [ values ];
                key_id [ values ];
            }
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96); 
            description description;
            encryption-algorithm (3des-cbc | des-cbc); 
            lifetime-seconds seconds; 
            protocol (ah | esp | bundle); 
        } 
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2); 
            }
            proposals [ proposal-names ]; 
        } 
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                source-address address;
            }
            then {
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key); 
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm (des-cbc | 3des-cbc);
                            key (ascii-text key | hexadecimal key); 
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
l2tp {
    tunnel-group name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name; 
        syslog {
            host hostname {
                services priority-level;
                facility-override facility-name;
                log-prefix prefix-number;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        filter {
            protocol name;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}
nat {
    pool nat-pool-name {
        address (address | address-range low minimum-value high maximum-value);
        port (automatic | range low minimum-value high maximum-value);
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address address;
                source-address address;
            }
            then {
                translated {
                    destination-pool nat-pool-name;
                    source-pool nat-pool-name;
                    translation-type (destination type | source type);
                }
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
service-set service-set-name {
    ([ ids-rules rule-names ] | ids-rule-sets rule-set-name);
    ([ ipsec-vpn-rules rule-names ] | ipsec-vpn-rule-sets rule-set-name);
    ([ nat-rules rule-names ] | nat-rule-sets rule-set-name);
    ([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);
    interface-service {
        service-interface interface-name;
    }
    ipsec-vpn-options {
        local-gateway address;
    }
    next-hop-service {
        inside-service-interface name.number;
        outside-service-interface name.number;
    }
    syslog {
        host hostname {
            services priority-level;
            facility-override facility-name;
            log-prefix prefix-number;
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag flag;
    }
}
stateful-firewall {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address address;
                source-address address;
            }
            then {
                (accept | discard | reject);
                allow-ip-option [ values ];
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}


