Configuring Service Rules
You specify the collection of rules and rule sets that constitute the service set. The router performs rule sets in the order in which they appear in the configuration. You can include only one rule set for each service type. You configure the rule names and content for each service type at the [edit services name] hierarchy level for each type:
You configure intrusion detection service (IDS) rules at the [edit services ids] hierarchy level; for more information, see Configuring IDS Rules on an MS-DPC for MS-DPC cards and Configuring Protection Against Network Attacks on an MS-MPC for MS-MPC cards.
You configure IP Security (IPsec) rules at the [edit services ipsec-vpn] hierarchy level; for more information, see Understanding Junos VPN Site Secure.
You configure Network Address Translation (NAT) rules at the [edit services nat] hierarchy level; for more information, see Junos Address Aware Network Addressing Overview.
You configure packet-triggered subscribers and policy control (PTSP) rules at the [edit services ptsp] hierarchy level; for more information, see Configuring PTSP Service Rules.
You configure softwire rules for DS-Lite or 6rd softwires at the [edit services softwire] hierarchy level; for more information, see Configuring Softwire Rules.
You configure stateful firewall rules at the [edit services stateful-firewall] hierarchy level; for more information, see Configuring Stateful Firewall Rules.
To configure the rules and rule sets that constitute a service set, include the following statements at the [edit services service-set service-set-name] hierarchy level:
For each service type, you can include one or more individual rules, or one rule set.
If you configure a service set with IPsec rules, it must not contain rules for any other services. You can, however, configure another service set containing rules for the other services and apply both service sets to the same interface.
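The two constraints above can be checked offline before a change is committed. The following is an added example, not Juniper code: it audits `set`-format configuration lines and assumes the Junos `<type>-rules` and `<type>-rule-sets` statement naming, which this page does not list. The `audit` function and all names in the sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches rule references inside a service set (assumed Junos statement naming).
STMT = re.compile(
    r"^set services service-set (\S+) "
    r"(ids|ipsec-vpn|nat|ptsp|softwire|stateful-firewall)-(rules|rule-sets) (\S+)$"
)

def audit(config_text):
    """Return a sorted list of (service_set, problem) tuples."""
    # seen[service_set][service_type] -> {"rules": [...], "rule-sets": [...]}
    seen = defaultdict(lambda: defaultdict(lambda: {"rules": [], "rule-sets": []}))
    for line in config_text.splitlines():
        m = STMT.match(line.strip())
        if m:
            sset, stype, kind, name = m.groups()
            seen[sset][stype][kind].append(name)

    problems = []
    for sset, types in seen.items():
        for stype, refs in types.items():
            # One or more individual rules, or one rule set, per service type.
            if len(refs["rule-sets"]) > 1:
                problems.append((sset, f"{stype}: more than one rule set"))
            if refs["rules"] and refs["rule-sets"]:
                problems.append((sset, f"{stype}: individual rules mixed with a rule set"))
        # A service set with IPsec rules must not reference any other service.
        if "ipsec-vpn" in types and len(types) > 1:
            problems.append((sset, "IPsec rules combined with other services"))
    return sorted(problems)

# Constructed sample configuration (all names are placeholders).
SAMPLE = """\
set services service-set sset-edge stateful-firewall-rules sfw-1
set services service-set sset-edge stateful-firewall-rules sfw-2
set services service-set sset-edge nat-rule-sets nat-set-a
set services service-set sset-vpn ipsec-vpn-rules vpn-1
set services service-set sset-bad ipsec-vpn-rules vpn-2
set services service-set sset-bad nat-rules nat-1
set services service-set sset-mixed nat-rules nat-1
set services service-set sset-mixed nat-rule-sets nat-set-a
"""

if __name__ == "__main__":
    for sset, problem in audit(SAMPLE):
        print(f"{sset}: {problem}")
```

In the sample, `sset-edge` and `sset-vpn` pass; splitting `sset-bad` into an IPsec-only service set and a second service set for NAT, both applied to the same interface, resolves its finding.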
You can also include Junos Application Aware (previously known as Dynamic Application Awareness) functionality within service sets. To do this, you must include an idp-profile statement at the [edit services service-set] hierarchy level, along with application identification (APPID) rules, and, as appropriate, application-aware access list (AACL) rules and a policy-decision-statistics-profile. Only one service set can be applied to a single interface when Junos Application Aware functionality is used. For more information, see Configuring IDS Rules on an MS-DPC, APPID Overview, and Application Aware Services Interfaces User Guide for Routing Devices.