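To configure services, include the statements below at the [edit services] hierarchy level of the configuration. Several of them hold secrets (shared-key, password, pre-shared-key, manual authentication and encryption keys) or weaken protection when chosen (md5, group1, aggressive mode, no-anti-replay, world-readable trace files), so review those values when auditing a configuration: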
- adaptive-services-pics {
-
-
traceoptions {
- file filename <files number> <size size> <world-readable
| no-world-readable> <match regex>;
- flag flag;
- }
- }
- cos {
-
-
application-profile profile-name {
-
-
sip-text {
-
dscp (alias | bits);
-
forwarding-class class-name;
- }
-
-
sip-video {
-
dscp (alias | bits);
-
forwarding-class class-name;
- }
-
-
sip-voice {
-
dscp (alias | bits);
-
forwarding-class class-name;
- }
- }
-
-
rule rule-name {
-
match-direction (input | output | input-output);
-
-
term term-name {
-
-
from {
-
applications [ application-names ];
-
application-sets [ set-names ];
-
destination-address address;
-
destination-prefix-list list-name <except>;
-
source-address address;
-
source-prefix-list list-name <except>;
- }
-
-
then {
-
application-profile profile-name;
-
dscp (alias | bits);
-
forwarding-class class-name;
-
-
(reflexive | reverse) {
-
application-profile profile-name;
-
dscp (alias | bits);
-
forwarding-class class-name;
-
syslog;
- }
-
syslog;
- }
- }
- }
-
-
rule-set rule-set-name {
- [ rule rule-names ];
- }
- }
- dynamic-flow-capture {
-
-
capture-group client-name {
-
-
content-destination identifier {
-
address address;
-
ttl hops;
- }
-
-
control-source identifier {
-
allowed-destinations [ destination ];
-
no-syslog;
-
notification-targets [ address address port port-number ];
-
service-port port-number;
-
shared-key value;
-
source-addresses [ address ];
- }
-
input-packet-rate-threshold rate;
-
interfaces interface-name;
-
pic-memory-threshold percentage percentage;
- }
- }
-
flow-collector {
-
analyzer-address address;
-
analyzer-id name;
-
-
destinations {
-
-
ftp:url {
-
password "password";
- }
-
-
file-specification {
-
-
variant variant-number {
-
data-format format;
-
name-format format;
-
-
transfer {
- record-level number;
- timeout seconds;
- }
- }
- }
-
-
interface-map {
-
collector interface-name;
-
file-specification variant-number;
-
-
interface-name {
-
collector interface-name;
-
file-specification variant-number;
- }
- }
-
retry number;
-
retry-delay seconds;
-
-
transfer-log-archive {
-
-
archive-sites {
-
-
ftp:url {
-
password "password";
-
username username;
- }
- }
-
filename-prefix prefix;
-
maximum-age minutes;
- }
- }
-
-
flow-monitoring {
-
-
version9 {
-
-
template template-name {
-
flow-active-timeout seconds;
-
flow-inactive-timeout seconds;
-
ipv4-template;
-
-
mpls-template {
-
label-position [ positions ];
- }
-
-
mpls-ipv4-template {
-
label-position [ positions ];
- }
-
option-refresh-rate packets packets seconds seconds;
-
template-refresh-rate packets packets seconds seconds;
- }
- }
- }
-
- flow-tap {
-
interface interface-name;
- }
-
- ids {
-
-
rule rule-name {
-
match-direction (input | output | input-output);
-
-
term term-name {
-
-
from {
-
applications [ application-names ];
-
application-sets [ set-names ];
-
destination-address (address | any-unicast) <except>;
- destination-address-range low minimum-value high maximum-value <except>;
-
destination-prefix-list list-name <except>;
-
source-address (address | any-unicast) <except>;
- source-address-range low minimum-value high maximum-value <except>;
-
source-prefix-list list-name <except>;
- }
-
-
then {
-
-
aggregation {
-
destination-prefix prefix-number | destination-prefix-ipv6 prefix-number;
-
source-prefix prefix-number | source-prefix-ipv6 prefix-number;
- }
- (force-entry | ignore-entry);
-
-
logging {
-
syslog;
-
threshold rate;
- }
-
-
session-limit {
-
-
by-destination {
- hold-time seconds;
- maximum number;
- packets number;
- rate number;
- }
-
-
by-pair {
- maximum number;
- packets number;
- rate number;
- }
-
-
by-source {
- hold-time seconds;
- maximum number;
- packets number;
- rate number;
- }
- }
-
-
syn-cookie {
-
mss value;
-
threshold rate;
- }
- }
- }
- }
-
-
rule-set rule-set-name {
- [ rule rule-names ];
- }
- }
-
- ipsec-vpn {
-
clear-ike-sas-on-pic-restart;
-
-
ike {
-
-
proposal proposal-name {
-
authentication-algorithm (md5 | sha1 | sha-256);
-
authentication-method (dsa-signatures | pre-shared-keys
| rsa-signatures);
-
description description;
-
dh-group (group1 | group2);
-
encryption-algorithm algorithm;
-
lifetime-seconds seconds;
- }
-
-
policy policy-name {
-
description description;
-
local-certificate identifier;
-
-
local-id {
- ipv4_addr [ values ];
- ipv6_addr [ values ];
- key_id [ values ];
- }
-
mode (aggressive | main);
-
pre-shared-key (ascii-text key | hexadecimal key);
-
proposals [ proposal-names ];
-
-
remote-id {
- ipv4_addr [ values ];
- ipv6_addr [ values ];
- key_id [ values ];
- }
- }
- }
-
-
ipsec {
-
-
proposal proposal-name {
-
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
-
description description;
-
encryption-algorithm algorithm;
-
lifetime-seconds seconds;
-
protocol (ah | esp | bundle);
- }
-
-
policy policy-name {
-
description description;
-
-
perfect-forward-secrecy {
- keys (group1 | group2);
- }
-
proposals [ proposal-names ];
- }
- }
-
-
rule rule-name {
-
match-direction (input | output);
-
-
term term-name {
-
-
from {
-
destination-address address;
-
ipsec-inside-interface interface-name;
-
source-address address;
- }
-
-
then {
-
backup-remote-gateway address;
-
clear-dont-fragment-bit;
-
-
dynamic {
- ike-policy policy-name;
- ipsec-policy policy-name;
- }
-
-
manual {
-
-
direction (inbound | outbound |
bidirectional) {
-
-
authentication {
- algorithm (hmac-md5-96 | hmac-sha1-96);
- key (ascii-text key | hexadecimal key );
- }
-
auxiliary-spi spi-value;
-
-
encryption {
- algorithm algorithm;
- key (ascii-text key | hexadecimal key );
- }
-
protocol (ah | bundle | esp);
-
spi spi-value;
- }
- }
-
no-anti-replay;
-
remote-gateway address;
-
syslog;
-
tunnel-mtu bytes;
- }
- }
- }
-
-
rule-set rule-set-name {
- [ rule rule-names ];
- }
-
-
traceoptions {
-
- file {
- files number;
- size bytes;
- }
- flag flag;
- }
- }
-
- l2tp {
-
-
tunnel-group name {
-
hello-interval seconds;
-
hide-avps;
-
l2tp-access-profile profile-name;
-
local-gateway address address;
-
maximum-send-window packets;
-
ppp-access-profile profile-name;
-
receive-window packets;
-
retransmit-interval seconds;
-
service-interface interface-name;
-
-
syslog {
-
-
host hostname {
-
services severity-level;
-
facility-override facility-name;
-
log-prefix prefix-value;
- }
- }
-
tunnel-timeout seconds;
- }
-
-
traceoptions {
- debug-level level;
-
- filter {
- protocol name;
- }
- flag flag;
-
- interfaces interface-name {
- debug-level level;
- flag flag;
- }
- }
- }
-
- logging {
-
-
traceoptions {
- file filename <files number> <size size> <world-readable
| no-world-readable> <match regex>;
- flag flag;
- }
- }
-
- nat {
-
-
pool nat-pool-name {
-
address (address | address-range low value high value | prefix);
-
-
pgcp {
-
hint hint-string;
-
ports-per-session ports;
-
remotely-controlled;
- }
-
port (automatic | range low minimum-value high maximum-value);
- }
-
-
rule rule-name {
-
match-direction (input | output);
-
-
term term-name {
-
nat-type (full-cone | symmetric);
-
-
from {
-
applications [ application-names ];
-
application-sets [ set-names ];
-
destination-address (address | any-unicast) <except>;
- destination-address-range low minimum-value high maximum-value <except>;
-
destination-prefix-list list-name <except>;
-
source-address (address | any-unicast) <except>;
- source-address-range low minimum-value high maximum-value <except>;
-
source-prefix-list list-name <except>;
- }
-
-
then {
-
syslog;
-
-
translated {
-
destination-pool nat-pool-name;
- destination-prefix destination-prefix;
- overload-pool overload-pool-name;
- overload-prefix overload-prefix;
-
source-pool nat-pool-name;
- source-prefix source-prefix;
-
translation-type (destination type | source type);
- }
- }
- }
- }
-
-
rule-set rule-set-name {
- [ rule rule-names ];
- }
- }
-
- pgcp {
-
- gateway gateway-name {
-
cleanup-timeout seconds;
-
gate-inactivity-delay seconds;
-
gate-inactivity-duration seconds;
-
gateway-address gateway-address;
-
-
fast-update-filters {
-
maximum-terms number-of-terms;
-
maximum-fuf-percentage percentage;
- }
-
-
gateway-controller gateway-controller-name {
-
controller-address ip-address;
-
controller-port port-number;
-
-
interim-ah-scheme {
-
algorithm algorithm;
- }
- }
-
gateway-port gateway-port;
-
-
graceful-restart {
-
maximum-synchronization-mismatches number-of-mismatches;
-
maximum-synchronization-time seconds;
- }
-
- h248-properties {
-
-
base-root {
-
normal-mg-execution-time default milliseconds;
-
normal-mgc-execution-time default milliseconds;
-
mg-provisional-response-timer-value default milliseconds;
-
mgc-provisional-response-timer-value default milliseconds;
-
mg-originated-pending-limit default number-of-pendings-received;
-
mgc-originated-pending-limit default number-of-pendings-received;
- }
-
-
diffserv {
-
dscp (dscp-value | alias | do-not-change);
- }
-
- segmentation {
-
mg-segmentation-timer default milliseconds;
-
mgc-segmentation-timer default milliseconds;
-
mg-maximum-pdu-size default bytes;
-
mgc-maximum-pdu-size default bytes;
- }
- }
-
-
h248-options {
-
wildcard-response-service-change;
- }
-
-
h248-timers {
-
initial-average-ack-delay milliseconds;
-
maximum-net-propagation-delay milliseconds;
-
maximum-waiting-delay milliseconds;
-
tmax-retransmission-delay milliseconds;
- }
-
-
monitor {
-
-
media {
-
rtcp;
-
rtp;
- }
- }
-
service-state (in-service
| out-of-service-forced | out-of-service-graceful);
- }
-
-
media-service media-service-name {
-
nat-pool nat-pool-name;
- }
-
-
rule rule-name {
-
gateway gateway-name;
- media-service media-service-name;
- }
-
-
rule-set rule-set-name {
-
rule rule-name1;
-
rule rule-name2;
-
rule rule-name3;
- }
-
-
traceoptions {
- file filename <files number> <size size> <world-readable
| no-world-readable> <match regex>;
- flag flag;
- }
-
-
virtual-interface interface-number {
-
media-service media-service-name;
-
interface interface-identifier;
-
routing-instance instance-name;
-
service-state (in-service
| out-of-service-forced | out-of-service-graceful);
- }
- }
-
- rpm {
-
- bgp {
-
data-fill data;
-
data-size size;
-
destination-port port;
-
history-size size;
-
logical-router logical-router-name [ routing-instances routing-instance-name ];
-
probe-count count;
-
probe-interval seconds;
-
probe-type type;
-
routing-instances instance-name;
-
test-interval interval;
- }
-
-
probe owner {
-
-
test test-name {
-
data-fill data;
-
data-size size;
-
destination-interface interface-name;
-
destination-port port;
-
dscp-code-point dscp-bits;
-
hardware-timestamp;
-
history-size size;
-
moving-average-size number;
-
one-way-hardware-timestamp;
-
probe-count count;
-
probe-interval seconds;
-
probe-type type;
-
routing-instance instance-name;
-
source-address address;
-
target (url | address);
-
test-interval interval;
-
thresholds thresholds;
-
traps traps;
- }
- }
-
-
probe-limit limit {
- }
-
-
probe-server {
-
-
tcp {
-
destination-interface interface-name;
-
port number;
- }
-
-
udp {
-
destination-interface interface-name;
-
port number;
- }
- }
- }
-
-
service-set service-set-name {
- ([ ids-rules rule-names ] | ids-rule-sets rule-set-name);
- ([ ipsec-vpn-rules rule-names ] |
ipsec-vpn-rule-sets rule-set-name);
- ([ nat-rules rule-names ] | nat-rule-sets rule-set-name);
- ([ pgcp-rules rule-names] | pgcp-rule-sets rule-set-name);
- ([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);
-
allow-multicast;
-
-
extension-service service-name {
-
provider-specific rules;
- }
-
-
interface-service {
-
service-interface interface-name;
- }
-
-
ipsec-vpn-options {
-
ike-access-profile profile-name;
-
local-gateway address;
-
trusted-ca [ ca-profile-name ];
- }
-
max-flows number;
-
-
next-hop-service {
- inside-service-interface name.number;
- outside-service-interface name.number;
- }
-
-
syslog {
-
-
host hostname {
-
services severity-level;
-
facility-override facility-name;
-
log-prefix prefix-value;
- }
- }
- }
-
- stateful-firewall {
-
-
rule rule-name {
-
match-direction (input | output | input-output);
-
-
term term-name {
-
-
from {
-
applications [ application-names ];
-
application-sets [ set-names ];
-
destination-address (address | any-unicast) <except>;
- destination-address-range low minimum-value high maximum-value <except>;
-
destination-prefix-list list-name <except>;
-
source-address (address | any-unicast) <except>;
- source-address-range low minimum-value high maximum-value <except>;
-
source-prefix-list list-name <except>;
- }
-
-
then {
- (accept | discard | reject);
-
allow-ip-option [ values ];
-
syslog;
- }
- }
- }
-
-
rule-set rule-set-name {
- [ rule rule-names ];
- }
- }
- }