

To configure services, include the following statements at the [edit services] hierarchy level of the configuration:

/* Trace-file settings for the adaptive services PICs. */
adaptive-services-pics {
    traceoptions {
        /* world-readable lets any local user read the trace file; keep
           no-world-readable unless the file has to be shared. */
        file filename <files number> <size size> 

                          <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
/* Class-of-service marking for service traffic: application profiles and
   rules assign a DSCP value and a forwarding class. */
cos {
    /* Per-profile DSCP and forwarding class for SIP text, video and voice. */
    application-profile profile-name {
        sip-text {
            dscp (alias | bits);
            forwarding-class class-name;
        }
        sip-video {
            dscp (alias | bits);
            forwarding-class class-name;
        }
        sip-voice {
            dscp (alias | bits);
            forwarding-class class-name;
        }
    }
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            /* Match on applications, application sets, addresses or prefix
               lists; <except> is offered on the prefix-list matches only. */
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address address;
                destination-prefix-list list-name <except>;
                source-address address;
                source-prefix-list list-name <except>;
            }
            then {
                application-profile profile-name;
                dscp (alias | bits);
                forwarding-class class-name;
                syslog;
                /* NOTE(review): presumably the actions for the opposite
                   direction of the matched flow; confirm in the statement
                   reference. */
                (reflexive | reverse) {
                    application-profile profile-name;
                    dscp (alias | bits);
                    forwarding-class class-name;
                    syslog;
                }
            }
        }
    }
    /* Groups named rules so they can be referenced together. */
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
/* Dynamic flow capture: a control source asks the router to copy matching
   traffic to a content destination. Treat every statement here as access
   control for an interception function. */
dynamic-flow-capture {
    capture-group client-name {
        /* Where captured traffic is delivered. */
        content-destination identifier {
            address address;
            ttl hops;
        }
        control-source identifier {
            /* Restrict the destinations this control source may name; an
               open list lets it steer copies of traffic anywhere. */
            allowed-destinations [ destination ];
            /* no-syslog removes the log trail of control requests; leave
               logging on unless policy requires otherwise. */
            no-syslog;
            notification-targets [ address address port port-number ];
            service-port port-number;
            /* The shared key authenticates the control source; it sits in
               the configuration, so limit who can view it and use a long
               random value. */
            shared-key value;
            /* List only the addresses the control source really uses. */
            source-addresses [ address ];
        }
        input-packet-rate-threshold rate;
        interfaces interface-name;
        pic-memory-threshold percentage percentage;
    }
}
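/* Flow collector: writes flow records to files and transfers them to the
   FTP destinations listed here. */
flow-collector {
    analyzer-address address;
    analyzer-id name;
    /* FTP carries the password and the flow files unencrypted; keep the
       transfer on a management network and use an account that can only
       write to the collection directory. */
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {
            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    /* Maps input interfaces to a collector interface and file variant. */
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            file-specification variant-number;
            collector interface-name;
        }
    }
    retry number;
    retry-delay seconds;
    /* The transfer log is archived over FTP as well, with the same
       cleartext-credential caveat as the destinations above. */
    transfer-log-archive {
        archive-sites {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename-prefix prefix;
        maximum-age minutes;
    }
}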
/* version9 flow-monitoring templates: flow timeouts, the template type
   (IPv4, MPLS or MPLS-IPv4) and the refresh rates. */
flow-monitoring {

    version9 {

        template template-name {

            flow-active-timeout seconds;

            flow-inactive-timeout seconds;

            ipv4-template;

            mpls-template {

                label-position [ positions ]; 

            }

            mpls-ipv4-template {

                label-position [ positions ]; 

            }

            /* Each refresh rate is given both as a packet count and as a
               number of seconds. */
            option-refresh-rate packets packets seconds seconds;

            template-refresh-rate packets packets seconds seconds;

        }
    }
}
/* Names the interface used for the flow-tap service. Flow-tap copies
   traffic, so review who may change this statement. */
flow-tap {
    interface interface-name;
}
/* Intrusion detection rules: terms match on applications and addresses,
   then aggregate, log, limit sessions or apply SYN-cookie handling. */
ids {

    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            /* <except> excludes the given address, range or list from the
               match. */
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value

                    <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;

                source-address-range low minimum-value high maximum-value 

                    <except>;
                source-prefix-list list-name <except>;
            }
            then {
                /* Counts traffic per destination or source prefix rather
                   than per host. */
                aggregation {
                    destination-prefix prefix-value;
                    source-prefix prefix-value;
                }
                (force-entry | ignore-entry); 
                /* Enable syslog so that threshold events leave a record. */
                logging {
                    syslog;
                    threshold rate;
                }
                /* Limits on session count (maximum), packets and rate, kept
                   per destination, per source/destination pair and per
                   source. hold-time is offered for by-destination and
                   by-source only. */
                session-limit {

                    by-destination {

                        hold-time seconds;

                        maximum number;

                        packets number;

                        rate number;

                    }

                    by-pair {

                        maximum number;

                        packets number;

                        rate number;

                    }

                    by-source {

                        hold-time seconds;

                        maximum number;

                        packets number;

                        rate number;

                    }

                }

                /* SYN-cookie handling for SYN floods, with an MSS value and
                   a threshold rate. NOTE(review): presumably the rate at
                   which the defence engages; confirm. */
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    /* Groups named rules so they can be referenced together. */
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
/* IPsec VPN service: IKE and IPsec proposals and policies, plus the rules
   that select traffic and the tunnel parameters applied to it. */
ipsec-vpn {
    ike {
        proposal proposal-name {
            /* md5 and sha1 are legacy hashes; sha-256 is the strongest
               choice listed. */
            authentication-algorithm (md5 | sha1 | sha-256); 
            /* Certificate methods avoid sharing one secret between peers;
               with pre-shared-keys the key strength carries the whole
               authentication. */
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures); 
            description description;
            /* group1 and group2 are the 768-bit and 1024-bit MODP groups;
               both are small by current standards, so of the two use
               group2. */
            dh-group (group1 | group2); 
            encryption-algorithm algorithm; 
            /* Shorter lifetimes bound how long one key protects traffic. */
            lifetime-seconds seconds; 
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id {
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
            /* Aggressive mode sends the identities unprotected and, with
               pre-shared keys, exposes a hash that allows offline guessing
               of the key; use main mode where the peer supports it. */
            mode (aggressive | main);
            /* The key is held in the configuration; limit who can read the
               configuration and use a long random value. */
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            /* Pin the remote identity so that only the expected peer
               matches this policy. */
            remote-id {
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
        }
    }
    ipsec {
        proposal proposal-name {
            /* Of the two, hmac-sha1-96 is the stronger. */
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96); 
            description description;
            encryption-algorithm algorithm; 
            lifetime-seconds seconds; 
            /* ah authenticates only; esp or bundle is needed for
               confidentiality. */
            protocol (ah | esp | bundle); 
        } 
        policy policy-name {
            description description;
            /* Perfect forward secrecy runs a fresh Diffie-Hellman exchange
               per IPsec SA, so a later key compromise does not expose
               earlier traffic. Same group-size caveat as the IKE dh-group. */
            perfect-forward-secrecy {
                keys (group1 | group2); 
            }
            proposals [ proposal-names ]; 
        } 
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                /* Dynamic SAs are negotiated through the named IKE and
                   IPsec policies. */
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                /* Manual SAs use the fixed keys and SPIs entered here; there
                   is no negotiation and no automatic rekeying, so rotation
                   is a manual task. Prefer dynamic SAs. */
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key); 
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm (algorithm);
                            key (ascii-text key | hexadecimal key); 
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                /* Turns off the anti-replay check; leave it out unless the
                   peer cannot interoperate with replay protection. */
                no-anti-replay;
                remote-gateway address;
                /* Logs tunnel events for this term. */
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    /* Groups named rules so they can be referenced together. */
    rule-set rule-set-name {
        [ rule rule-names ];
    }
    /* Trace-file rotation (file count and size) and trace flags. */
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
    }
}
/* L2TP service: tunnel groups with their access profiles, timers and
   logging, plus trace options. */
l2tp {
    tunnel-group name {
        hello-interval seconds;
        /* NOTE(review): presumably enables L2TP AVP hiding for sensitive
           attribute values; confirm in the statement reference. */
        hide-avps;
        /* Access profiles decide which tunnels and PPP users are accepted. */
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name; 
        /* Sends tunnel-group messages to a remote syslog host. */
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tunnel-timeout seconds;
    }
    /* Tracing can be set globally or per interface, filtered by protocol. */
    traceoptions {
        debug-level level;
        filter {
            protocol name;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}
/* Trace-file settings for service logging. */
logging {
    traceoptions {
        /* world-readable lets any local user read the trace file; keep
           no-world-readable unless the file has to be shared. */
        file filename <files number> <size size> 

              <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
/* Network address translation: address and port pools, and the rules that
   select traffic and the translation applied to it. */
nat {
    pool nat-pool-name {
        address (address | address-range low value high value | prefix);
        port (automatic | range low minimum-value high maximum-value);
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            /* <except> excludes the given address, range or list from the
               match. */
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value

                    <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;

                source-address-range low minimum-value high maximum-value 

                    <except>;
                source-prefix-list list-name <except>;
            }
            then {
                /* Source and destination translation each take a pool or a
                   prefix; the overload pool or prefix is a further pair of
                   options. */
                translated {
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    overload-pool overload-pool-name; 
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name; 
                    source-prefix source-prefix;
                    translation-type (destination type | source type);
                }
                /* Logging translations makes it possible to map a translated
                   address back to the original host later. */
                syslog;
            }
        }
    }
    /* Groups named rules so they can be referenced together. */
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
/* Real-time performance monitoring: probe definitions, BGP probe settings,
   the probe server ports and a probe limit. */
rpm {
    bgp {
        data-fill data;
        data-size size;
        destination-port port;
        history-size size;
        logical-router logical-router-name [routing-instances routing-instance-name];
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instances instance-name;
        test-interval interval;
    }
    probe owner {
        test test-name {
                data-fill data;
                data-size size;
                destination-interface interface-name;
                destination-port port;
                dscp-code-point dscp-bits;
                hardware-timestamp;
                history-size size;
                probe-count count;
                probe-interval seconds;
                probe-type type;
                routing-instance instance-name;
                source-address address;
                target (url | address);
                test-interval interval;
                thresholds thresholds;
                traps traps;
        }
    }
    /* NOTE(review): presumably makes the router answer TCP or UDP probes on
       the given port; if so, filter that port to the expected probe
       sources. */
    probe-server {
        tcp {
            destination-interface interface-name;
            port number;
        }
        udp {
            destination-interface interface-name;
            port number;
        }
    }
    probe-limit limit {
    } 
}
/* A service set ties IDS, IPsec VPN, NAT and stateful-firewall rules (as a
   rule list or one rule set each) to a service interface. */
service-set service-set-name {
    ([ ids-rules rule-names ] | ids-rule-sets rule-set-name);
    ([ ipsec-vpn-rules rule-names ] | ipsec-vpn-rule-sets rule-set-name);
    ([ nat-rules rule-names ] | nat-rule-sets rule-set-name);
    ([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);
    interface-service {
        service-interface interface-name;
    }
    allow-multicast;
    ipsec-vpn-options {
        ike-access-profile profile-name;
        local-gateway address;
        /* NOTE(review): presumably the CA profiles accepted when validating
           peer certificates; list only the CAs that issue peer
           certificates. */
        trusted-ca [ ca-profile-name ];
    }
    /* Caps the number of flows for this service set. */
    max-flows number;
    next-hop-service {
        inside-service-interface name.number;
        outside-service-interface name.number;
    }
    /* Sends the service set's messages to a remote syslog host; the rules'
       own syslog actions rely on a destination being configured. */
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
}
/* Stateful firewall rules: terms match on applications and addresses and
   end in accept, discard or reject. */
stateful-firewall {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            /* <except> excludes the given address, range or list from the
               match. */
            from {
                applications [ application-names ];
                application-sets [ set-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value

                    <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;

                source-address-range low minimum-value high maximum-value

                    <except>;
                source-prefix-list list-name <except>;
            }
            then {
                /* Exactly one verdict per term. */
                (accept | discard | reject);
                /* Lists the IP header options a packet may carry and still
                   match; keep the list as short as the applications allow. */
                allow-ip-option [ values ];
                /* Logs matches; useful on discard and reject terms. */
                syslog;
            }
        }
    }
    /* Groups named rules so they can be referenced together. */
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

