Related Documentation
- LN Series
- Understanding How to Control Inbound Traffic Based on Traffic Types
- Example: Controlling Inbound Traffic Based on Traffic Types
- SRX Series
- Understanding How to Control Inbound Traffic Based on Traffic Types
- Example: Controlling Inbound Traffic Based on Traffic Types
- Additional Information
- Security Zones and Interfaces Feature Guide for Security Devices
Supported System Services for Host Inbound Traffic
This topic describes the supported system services for host inbound traffic on the specified zone or interface.
For example, suppose a user whose system is connected to interface 1.3.1.4 in zone ABC wants to telnet into interface 2.1.2.4 in zone ABC. For this action to be allowed, the Telnet application must be configured as an allowed inbound service on both interfaces, and a policy must permit the traffic.
Table 1 shows the system services that can be used for host inbound traffic.
Table 1: System Services for Host Inbound Traffic
| Host Inbound System Services | |
|---|---|
| all | any-service |
| dns | finger |
| ftp | http |
| https | ident-reset |
| ike | netconf |
| ntp | ping |
| reverse-ssh | reverse-telnet |
| rlogin | rpm |
| rsh | sip |
| snmp | snmp-trap |
| ssh | telnet |
| tftp | traceroute |
| xnm-clear-text | xnm-ssl |
Note: On the SRX Series Services Gateways, the xnm-clear-text field is enabled in the factory default configuration. This setting enables incoming Junos XML protocol traffic in the trust zone for the device when the device is operating with factory default settings. We recommend that you replace the factory default settings with a user-defined configuration, which provides additional security, once the device is configured. You must delete the xnm-clear-text field manually by using the CLI command delete system services xnm-clear-text.
Table 2 shows the supported protocols that can be used for host inbound traffic.
Table 2: Protocols for Host Inbound Traffic
| Protocols | |
|---|---|
| all | bfd |
| bgp | dvmrp |
| igmp | msdp |
| ospf | nhrp |
| pgm | ospf3 |
| rip | pim |
| sap | ripng |
| vrrp | |
Note: All services (except DHCP and BOOTP) can be configured either per zone or per interface. A DHCP server is configured only per interface because the incoming interface must be known by the server to be able to send out DHCP replies.
Note: You do not need to configure Neighbor Discovery Protocol (NDP) on host-inbound traffic, because NDP is enabled by default.
A configuration option for the IPv6 Neighbor Discovery Protocol (NDP) is available: the set protocols neighbor-discovery onlink-subnet-only command. This option prevents the device from responding to a Neighbor Solicitation (NS) from a prefix that is not included as one of the device interface prefixes.
Note: The Routing Engine must be rebooted after setting this option, so that no previous IPv6 entry can remain in the forwarding table.


