Example: Controlling Inbound Traffic Based on Traffic Types

This example shows how to configure inbound traffic based on traffic types.

• Requirements
• Overview
• Configuration
• Verification

Requirements

Before you begin:

• Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
• Understand Inbound traffic types. See Understanding How to Control Inbound Traffic Based on Traffic Types.

Overview

By allowing system services to run, you can configure zones to specify different types of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure the different system services at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)

You must enable all expected host-inbound traffic. Inbound traffic from devices directly connected to the device's interfaces is dropped by default.

Configuration

CLI Quick Configuration

To quickly configure inbound traffic based on traffic types, copy the following commands and paste them into the CLI:

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure inbound traffic based on traffic types:

1. Configure a security zone.
   [edit]
   user@host# edit security zones security-zone ABC
2. Configure the security zone to support inbound traffic for all system services.
   [edit security zones security-zone ABC]
   user@host# set host-inbound-traffic system-services all
3. Configure the Telnet, FTP, and SNMP system services at the interface level (not the zone level) for the first interface.
   [edit security zones security-zone ABC]
   user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
   user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
   user@host# set interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
4. Configure the security zone to support inbound traffic for all system services for a second interface.
   [edit security zones security-zone ABC]
   user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services all
5. Exclude the FTP and HTTP system services from the second interface.
   [edit security zones security-zone ABC]
   user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services ftp except
   user@host# set interfaces ge-0/0/1.0 host-inbound-traffic system-services http except

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

host-inbound-traffic { 
    system-services { 
        all; 
    }
}
    interfaces {
    ge-0/0/1.3 {
        host-inbound-traffic {
            system-services {
                ftp;
                telnet;
                snmp;
            }
        }
    }
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                all;
                ftp {
                    except;
                }
                http {
                    except;
                }
            }
        }
    }
}                   

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

• Troubleshooting with Logs

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.

Related Topics

• Junos OS CLI Reference
• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Understanding How to Control Inbound Traffic Based on Traffic Types
• Supported System Services for Host Inbound Traffic