Configuring Service Rules

You specify the collection of rules and rule sets that constitute the service set. The router performs rule sets in the order in which they appear in the configuration. You can include only one rule set for each service type. You configure the rule names and content for each service type at the [edit services name] hierarchy level for each type:

You configure intrusion detection service (IDS) rules at the [edit services ids] hierarchy level; for more information, see Configuring IDS Rules.
You configure IP Security (IPsec) rules at the [edit services ipsec-vpn] hierarchy level; for more information, see IPSec properties.
You configure Network Address Translation (NAT) rules at the [edit services nat] hierarchy level; for more information, see Network Address Translation.
You configure Packet Gateway Control Protocol (PGCP) rules at the [edit services pgcp] hierarchy level; for more information, see Border Gateway Function (BGF), JUNOS Release 10.2.
You configure packet-triggered subscribers and policy control (PTSP) rules at the [edit services ptsp] hierarchy level; for more information, see PTSP for Subscriber Access.
You configure stateful firewall rules at the [edit services stateful-firewall] hierarchy level; for more information, see Stateful Firewall.

To configure the rules and rule sets that constitute a service set, include the following statements at the [edit services service-set service-set-name] hierarchy level:

([ ids-rules rule-names ] | ids-rule-sets rule-set-name);([ ipsec-vpn-rules rule-names ] | ipsec-vpn-rule-sets rule-set-name);([ nat-rules rule-names ] | nat-rule-sets rule-set-name);([ pgcp-rules rule-names] | pgcp-rule-sets rule-set-name);([ stateful-firewall-rules rule-names ] | stateful-firewall-rule-sets rule-set-name);

For each service type, you can include one or more individual rules, or one rule set.

If you configure a service set with IPsec rules, it must not contain rules for any other services. You can, however, configure another service set containing rules for the other services and apply both service sets to the same interface.

Note: You can also include Dynamic Application Awareness for Junos OS functionality within service sets. To do this, you must include an idp-profile statement at the [edit services service-set] hierarchy level, along with application identification (APPID) rules, and, as appropriate, application-aware access list (AACL) rules and a policy-decision-statistics-profile. Only one service sets can be applied to a single interface when Dynamic Application Awareness functionality is used. For more information, see Intrusion Detection and Prevention, Application Identification, and Application-Aware Access List.