
    Example: Controlling Inbound Traffic Based on Traffic Types

    This example shows how to configure inbound traffic based on traffic types.

    Requirements

    Before you begin:

    Overview

    By allowing system services to run, you can configure zones to specify different types of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure the different system services at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)

    You must enable all expected host-inbound traffic. Inbound traffic from devices directly connected to the device's interfaces is dropped by default.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security zones security-zone ABC host-inbound-traffic system-services all
    set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
    set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
    set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
    set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except
    set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services http except

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure inbound traffic based on traffic types:

    1. Configure a security zone.
      [edit]
      user@host# edit security zones security-zone ABC
    2. Configure the security zone to support inbound traffic for all system services.
      [edit security zones security-zone ABC]
      user@host# set host-inbound-traffic system-services all
    3. Configure the Telnet, FTP, and SNMP system services at the interface level (not the zone level) for the first interface.
      [edit security zones security-zone ABC]
      user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
      user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
      user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
    4. Configure the security zone to support inbound traffic for all system services for a second interface.
      [edit security zones security-zone ABC]
      user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    5. Exclude the FTP and HTTP system services from the second interface.
      [edit security zones security-zone ABC]
      user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except
      user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services http except
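As an added example (not Juniper's code and not part of this page), the following Python resolves the effective host-inbound system services per interface from the set commands in this example, applying the precedence the Overview describes: interface-level configuration replaces the zone-level configuration, and `except` carves a service out of `all`. KNOWN_SERVICES is a constructed subset of service names, and ge-0/0/1.5 stands for a hypothetical interface in the zone with no interface-level configuration.

```python
"""Resolve effective host-inbound system services per interface (added example).

Models the precedence described on this page: interface-level host-inbound-traffic
overrides the zone level, and "<service> except" removes a service from "all".
"""
import re

# Constructed subset of system-service names, enough for the demonstration.
KNOWN_SERVICES = {"telnet", "ftp", "snmp", "http", "https", "ssh", "ping"}

# The set commands from this page's CLI Quick Configuration.
SET_COMMANDS = """
set security zones security-zone ABC host-inbound-traffic system-services all
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except
set security zones security-zone ABC interfaces ge-0/0/1.0 host-inbound-traffic system-services http except
"""

_CMD = re.compile(
    r"set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))? host-inbound-traffic system-services (\S+)( except)?$"
)


def parse(commands):
    """Return {zone: {"zone": (allow, deny), "ifaces": {iface: (allow, deny)}}}."""
    zones = {}
    for line in commands.strip().splitlines():
        m = _CMD.match(line.strip())
        if not m:
            raise ValueError("unrecognised command: " + line)
        zone, iface, svc, exc = m.groups()
        z = zones.setdefault(zone, {"zone": (set(), set()), "ifaces": {}})
        if iface is None:
            allow, deny = z["zone"]
        else:
            allow, deny = z["ifaces"].setdefault(iface, (set(), set()))
        (deny if exc else allow).add(svc)
    return zones


def effective_services(zones, zone, iface):
    """Services reachable on iface; an empty set means the default drop applies."""
    z = zones[zone]
    # An interface with its own host-inbound-traffic config ignores the zone-level one.
    allow, deny = z["ifaces"].get(iface, z["zone"])
    allowed = set(KNOWN_SERVICES) if "all" in allow else allow & KNOWN_SERVICES
    return allowed - deny
```

Resolving ge-0/0/1.3 yields only telnet, ftp and snmp even though the zone allows all, which is the override the Overview warns about.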

    Results

    From configuration mode, confirm your configuration by entering the show security zones security-zone ABC command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security zones security-zone ABC
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/1.3 {
            host-inbound-traffic {
                system-services {
                    ftp;
                    telnet;
                    snmp;
                }
            }
        }
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    all;
                    ftp {
                        except;
                    }
                    http {
                        except;
                    }
                }
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Troubleshooting with Logs

    Purpose

    Use these logs to identify any issues.

    Action

    From operational mode, enter the show log messages command and the show log dcd command.

    Published: 2014-05-08