[edit services] hierarchy level
services {
adaptive-services-pics {
traceoptions {
flag flag;
}
}
flow-collector {
analyzer-address address;
analyzer-id name;
destinations {
/* FTP sends this password and the collected flow files in cleartext, and the password is stored in the configuration; limit who can view it */
ftp:url {
password "password";
}
}
file-specification {
variant variant-number {
data-format format;
name-format format;
transfer {
record-level number;
timeout seconds;
}
}
}
interface-map {
collector interface-name;
file-specification variant-number;
interface-name {
file-specification variant-number;
collector interface-name;
}
}
retry number;
retry-delay seconds;
transfer-log-archive {
archive-sites {
/* same caveat as the flow-collector destination: FTP credentials and archives travel in cleartext and the password is kept in the configuration */
ftp:url {
password "password";
username username;
}
}
filename-prefix prefix;
maximum-age minutes;
}
}
ids {
rule rule-name {
match-direction (input | output | input-output);
term term-name {
from {
applications [ application-names ];
application-sets [ set-names ];
destination-address address;
source-address address;
}
then {
aggregation {
destination-prefix prefix-value;
source-prefix prefix-value;
}
(force-entry | ignore-entry);
logging {
syslog;
threshold rate;
}
session-limit {
by-destination {
hold-time seconds;
maximum number;
packets number;
rate number;
}
by-pair {
maximum number;
packets number;
rate number;
}
by-source {
hold-time seconds;
maximum number;
packets number;
rate number;
}
}
syn-cookie {
mss value;
threshold rate;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
}
ipsec-vpn {
ike {
/* of the choices offered below, md5, des-cbc and group1 are the weakest; prefer sha1, 3des-cbc and group2 when both peers support them */
proposal proposal-name {
authentication-algorithm (md5 | sha1);
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2);
encryption-algorithm (3des-cbc | des-cbc);
lifetime-seconds seconds;
}
policy policy-name {
description description;
local-id {
fqdn [ values ];
ipv4_addr [ values ];
key_id [ values ];
}
/* aggressive mode with pre-shared keys exposes the peer identity and a PSK-derived hash to a passive observer; use main mode where the peer allows it */
mode (aggressive | main);
pre-shared-key (ascii-text key | hexadecimal key);
proposals [ proposal-names ];
remote-id {
fqdn [ values ];
ipv4_addr [ values ];
key_id [ values ];
}
}
ipsec {
/* as for the IKE proposal: hmac-md5-96 and des-cbc are the weaker choices; prefer hmac-sha1-96 and 3des-cbc, and esp over ah where confidentiality is needed */
proposal proposal-name {
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
description description;
encryption-algorithm (3des-cbc | des-cbc);
lifetime-seconds seconds;
protocol (ah | esp | bundle);
}
policy policy-name {
description description;
perfect-forward-secrecy {
keys (group1 | group2);
}
proposals [ proposal-names ];
}
}
rule rule-name {
match-direction (input | output);
term term-name {
from {
destination-address address;
source-address address;
}
then {
backup-remote-gateway address;
dynamic {
ike-policy policy-name;
ipsec-policy policy-name;
}
/* manual SAs use static keys and SPIs taken from the configuration with no automatic rekeying; prefer dynamic (IKE) unless manual keying is required */
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi spi-value;
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key);
}
protocol (ah | bundle | esp);
spi spi-value;
}
}
/* disables replay-window checking on the SA; leave unset unless a peer is known to need it */
no-anti-replay;
remote-gateway address;
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
}
l2tp {
tunnel-group group-name {
hello-interval seconds;
hide-avps;
l2tp-access-profile profile-name;
local-gateway address address;
maximum-send-window packets;
ppp-access-profile profile-name;
receive-window packets;
retransmit-interval seconds;
service-interface interface-name;
syslog {
host hostname {
facility-override facility-name;
log-prefix prefix-number;
services severity-level;
}
}
tunnel-timeout seconds;
}
traceoptions {
debug-level level;
filter {
protocol name;
}
flag flag;
interfaces interface-name {
debug-level level;
flag flag;
}
}
}
nat {
pool nat-pool-name {
address (address | address-range low value high value | prefix);
port (automatic | range low minimum-value high maximum-value);
}
rule rule-name {
match-direction (input | output);
term term-name {
from {
applications [ application-names ];
application-sets [ set-names ];
destination-address address;
source-address (address | prefix);
}
then {
translated {
destination-pool nat-pool-name;
source-pool nat-pool-name;
translation-type (destination type | source type);
}
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
}
rpm {
probe owner {
test test-name {
data-fill data;
data-size size;
destination-port port;
dscp-code-point DSCP bits;
history-size size;
probe-count count;
probe-interval seconds;
probe-type type;
routing-instance routing-instance-name;
source-address address;
target-url (url | address);
test-interval interval;
thresholds thresholds;
traps traps;
}
}
probe-server {
tcp port;
udp port;
}
probe-limit limit;
}
}
service-set service-set-name {
([ ids-rules rule-names ] | ids-rule-sets rule-set-name);
([ ipsec-vpn-rules rule-names ] | ipsec-vpn-rule-sets rule-set-name);
([ nat-rules rule-names ] | nat-rule-sets rule-set-name);
([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);
interface-service {
service-interface interface-name;
}
ipsec-vpn-options {
local-gateway address;
}
next-hop-service {
inside-service-interface name.number;
outside-service-interface name.number;
}
syslog {
host hostname {
facility-override facility-name;
log-prefix prefix-number;
services priority-level;
}
}
}
stateful-firewall {
rule rule-name {
match-direction (input | output | input-output);
term term-name {
from {
applications [ application-names ];
application-sets [ set-names ];
destination-address address;
source-address address;
}
then {
(accept | discard | reject);
allow-ip-option [ values ];
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
}
} # End of [edit services] hierarchy level