

system-services (Security Zones Host Inbound Traffic)


Hierarchy Level


Specify the types of incoming system service traffic that can reach the device for all interfaces in a security zone. By default, a security zone has all system services disabled. You can allow the inbound system services traffic in one of the following ways:

  • Allow system services individually.

  • Allow all system services.

  • Allow all system services with the exception of the specified services.


service-name

Name of system service traffic that can reach the device.
  • all—Traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services. Enabling all the system services does not override any interface-specific configuration under a particular zone.

  • any-service—All system services on an entire port range including the system services that are not defined.

  • bootp—Traffic destined to BOOTP and DHCP relay agents

  • dhcp—DHCP requests

  • dhcpv6—DHCP requests for IPv6

  • dns—DNS services

  • finger—Finger traffic

  • ftp—FTP traffic

  • http—J-Web or clear-text Web authentication traffic

  • https—J-Web or Web authentication traffic over Secure Sockets Layer (SSL)

  • ident-reset—Access that has been blocked by an unacknowledged identification request

  • ike—Internet Key Exchange (IKE) traffic

  • lsping—Label-switched path (LSP) ping service

  • netconf—NETCONF service

  • ntp—Network Time Protocol (NTP) traffic

  • ping—ICMP echo request responses

  • r2cp—Radio-to-Router Control Protocol traffic

  • reverse-ssh—Reverse SSH traffic

  • reverse-telnet—Reverse Telnet traffic

  • rlogin—Incoming rlogin (remote login) traffic

  • rpm—Real-time performance monitoring (RPM) traffic

  • rsh—Remote shell (rsh) traffic

  • snmp—SNMP traffic (UDP port 161)

  • snmp-trap—SNMP traps (UDP port 162)

  • ssh—SSH traffic

  • telnet—Telnet traffic

  • tftp—TFTP services

  • traceroute—Traceroute traffic (UDP port 33434)

  • xnm-clear-text—Junos XML protocol traffic for all specified interfaces

  • xnm-ssl—Junos XML protocol-over-SSL traffic for all specified interfaces

service-name except

(Optional) Allow all inbound service traffic, except the specified service traffic types, to reach the device. In the following example, the configuration allows all system service traffic, with the exception of FTP and HTTP, to reach the device:
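A configuration matching that description, shown together with the other two ways of allowing services listed above. This is an added example, not text from the original page; the zone names `untrust`, `trust`, and `dmz` and the interface `ge-0/0/0.0` are assumptions.

```junos
# Zone and interface names below are assumptions for illustration.

# 1. Allow system services individually. Every service not listed
#    stays disabled, which is the default for a security zone.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping

# 2. Allow all defined system services.
set security zones security-zone trust host-inbound-traffic system-services all

# 3. Allow all system services except FTP and HTTP.
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic system-services ftp except
set security zones security-zone dmz host-inbound-traffic system-services http except

# Interface-specific configuration inside a zone is not overridden by the
# zone-level "all": this interface in the trust zone keeps its own setting.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
```

After committing, `show configuration security zones security-zone dmz host-inbound-traffic` displays the resulting statements for review.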

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.