The following configuration includes all the items necessary to configure services on an interface. For examples showing individual service configurations, see the chapters that describe each service in detail.
[edit]
interfaces {
    fe-0/1/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set Firewall-Set;
                    }
                    output {
                        service-set Firewall-Set;
                    }
                }
                address 10.1.3.2/24;
            }
        }
    }
    fe-0/1/1 {
        unit 0 {
            family inet {
                filter {
                    input Sample;
                }
                address 172.16.1.2/24;
            }
        }
    }
    sp-1/0/0 {
        unit 0 {
            family inet {
                address 172.16.1.3/24;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
            }
        }
        output {
            cflowd 10.1.3.1 {
                port 2055;
                version 5;
            }
            flow-inactive-timeout 15;
            flow-active-timeout 60;
            interface sp-1/0/0 {
                engine-id 1;
                engine-type 136;
                source-address 10.1.3.2;
            }
        }
    }
}
firewall {
    filter Sample {
        term Sample {
            then {
                count Sample;
                sample;
                accept;
            }
        }
    }
}
services {
    stateful-firewall {
        rule Rule1 {
            match-direction input;
            term 1 {
                from {
                    application-sets Applications;
                }
                then {
                    accept;
                }
            }
            term accept {
                then {
                    accept;
                }
            }
        }
        rule Rule2 {
            match-direction output;
            term Local {
                from {
                    source-address {
                        10.1.3.2/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
    ids {
        rule Attacks {
            match-direction output;
            term Match {
                from {
                    application-sets Applications;
                }
                then {
                    logging {
                        syslog;
                    }
                }
            }
        }
    }
    nat {
        pool public {
            address-range low 172.16.2.1 high 172.16.2.32;
            port automatic;
        }
        rule Private-Public {
            match-direction input;
            term Translate {
                then {
                    translated {
                        source-pool public;
                        translation-type source dynamic;
                    }
                }
            }
        }
    }
    service-set Firewall-Set {
        stateful-firewall-rules Rule1;
        stateful-firewall-rules Rule2;
        nat-rules Private-Public;
        ids-rules Attacks;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
applications {
    application ICMP {
        application-protocol icmp;
    }
    application FTP {
        application-protocol ftp;
        destination-port ftp;
    }
    application-set Applications {
        application ICMP;
        application FTP;
    }
}

The following example combines VPN routing and forwarding (VRF) and services configuration:
[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
test {
    interface ge-0/2/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.255.1:37;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            service {
                input service-set nat-me;
                output service-set nat-me;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
    unit 21 {
        family inet;
        service-domain outside;
    }
}
[edit services]
stateful-firewall {
    rule allow-any-input {
        match-direction input;
        term t1 {
            then accept;
        }
    }
}
nat {
    pool hide-pool {
        address 10.58.16.100;
        port automatic;
    }
    rule hide-all-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool hide-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set nat-me {
    stateful-firewall-rules allow-any-input;
    nat-rules hide-all-input;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

The following example shows dynamic-source NAT applied as a next-hop service:
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family mpls;
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        family inet;
    }
    unit 32 {
        family inet;
    }
}
[edit routing-instances]
protected-domain {
    interface ge-0/2/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.255.17:37;
    vrf-import protected-domain-policy;
    vrf-export protected-domain-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop sp-1/3/0.20;
        }
    }
}
[edit policy-options]
policy-statement protected-domain-policy {
    term t1 {
        then reject;
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool my-pool {
        address 10.58.16.100;
        port automatic;
    }
    rule hide-all {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool my-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set null-sfw-with-nat {
    stateful-firewall-rules allow-all;
    nat-rules hide-all;
    next-hop-service {
        inside-service-interface sp-1/3/0.20;
        outside-service-interface sp-1/3/0.32;
    }
}

The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:
- A host in vrf-a traverses 10.58.16.201 to reach 10.58.0.2 in vrf-b.
- A host in vrf-b traverses 10.58.16.101 to reach 10.58.0.2 in vrf-a.
[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
        }
    }
}
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}
[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
vrf-a {
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    instance-type vrf;
    route-distinguisher 10.1.1.1:1;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
vrf-b {
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.2.2.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool vrf-a-src-pool {
        address 10.58.16.100;
        port automatic;
    }
    pool vrf-a-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-a-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    rule vrf-a-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    pool vrf-b-src-pool {
        address 10.58.16.200;
        port automatic;
    }
    pool vrf-b-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-b-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    rule vrf-b-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
}
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0.10;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

The following example supports Bootstrap Protocol (BOOTP) and broadcast addresses:
[edit applications]
application bootp {
    application-protocol bootp;
    protocol udp;
    destination-port 67;
}
[edit services]
stateful-firewall bootp-support {
    rule bootp-allow {
        direction input;
        term bootp-allow {
            from {
                destination-address {
                    any-unicast;
                    255.255.255.255;
                }
                application bootp;
            }
            then {
                accept;
            }
        }
    }
}
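The examples above are held together by name: a service-set names its stateful-firewall, NAT and IDS rules, and a NAT rule names its pool. The following is an added example, not part of the Junos documentation, that parses configuration text in the collapsed brace layout shown on this page and reports every rule or pool reference that has no matching definition; the SAMPLE text is constructed for the demonstration.

```python
import re

# Constructed sample (not from the page) in the page's collapsed layout; Rule2, Attacks and my-pool are undefined.
SAMPLE = """[edit services]
stateful-firewall {rule Rule1 {match-direction input;term t1 {then {accept;}}}}
nat {pool public {address 10.58.16.100;}rule hide-all {match-direction input;term t1 {then {translated {source-pool my-pool;}}}}}
service-set Firewall-Set {stateful-firewall-rules Rule1;stateful-firewall-rules Rule2;nat-rules hide-all;ids-rules Attacks;}"""

def parse(text):
    """Junos curly-brace text -> nested dicts {statement: children, or None for a leaf}."""
    tokens = re.findall(r"[{};]|[^{};\s]+", re.sub(r"\[edit[^\]]*\]", "", text))
    def block(i):
        node, words = {}, []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "}":
                return node, i
            elif tok not in ";{":
                words.append(tok)
            else:                                # ';' ends a leaf, '{' opens a container
                child, i = (None, i) if tok == ";" else block(i)
                node[" ".join(words)], words = child, []
        return node, i
    return block(0)[0]

def names(node, kind):                           # identifiers of 'kind NAME' statements in node
    return {k.split(" ", 1)[1] for k in node if k.startswith(kind + " ")}

def statements(node):                            # every statement under node, recursively
    for key, child in node.items():
        yield key
        yield from statements(child or {})

# reference keyword -> (section holding the definition, statement kind of the definition)
REFS = {"stateful-firewall-rules": ("stateful-firewall", "rule"), "nat-rules": ("nat", "rule"),
        "ids-rules": ("ids", "rule"), "source-pool": ("nat", "pool"), "destination-pool": ("nat", "pool")}

def dangling_refs(text):
    """(owner, statement) for each rule or pool reference that has no definition."""
    cfg = parse(text)
    services = cfg.get("services") or cfg        # full [edit] layout or an [edit services] stanza
    owners = [(k, b) for k, b in services.items() if k.startswith("service-set ")]
    owners += [(k, b) for k, b in (services.get("nat") or {}).items() if k.startswith("rule ")]
    problems = []
    for owner, body in owners:
        for stmt in statements(body or {}):
            ref, _, name = stmt.partition(" ")
            if ref in REFS and name not in names(services.get(REFS[ref][0]) or {}, REFS[ref][1]):
                problems.append((owner.split(" ", 1)[1], stmt))
    return problems
```

Run over the first example on this page, dangling_refs returns an empty list, since every rule and pool referenced there is defined.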