Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


system-services (Security Zones Host Inbound Traffic)


Hierarchy Level


Specify the types of incoming system service traffic that can reach the device for all interfaces in a zone. You can do this in one of several ways:

  • You can enable traffic from each system service individually.

  • You can enable traffic from all system services.

  • You can enable traffic from all but some system services.


  • service-name —System-service for which traffic is allowed. The following system services are supported:

    • all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services. Enabling all the system services does not override any interface specific configuration under a particular zone.

    • any-service—Enable all system services on entire port range including the system services that are not defined.

    • bootp—Enable traffic destined to BOOTP and DHCP relay agents.

    • dhcp—Enable incoming DHCP requests.

    • dhcpv6—Enable incoming DHCP requests for IPv6.

    • dns—Enable incoming DNS services.

    • finger—Enable incoming finger traffic.

    • ftp—Enable incoming FTP traffic.

    • http—Enable incoming J-Web or clear-text Web authentication traffic.

    • https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).

    • ident-reset—Enable the access that has been blocked by an unacknowledged identification request.

    • ike—Enable Internet Key Exchange traffic.

    • lsping—Enable label switched path ping service.

    • netconf—Enable incoming NETCONF service.

    • ntp—Enable incoming Network Time Protocol (NTP) traffic.

    • ping—Allow the device to respond to ICMP echo requests.

    • r2cp—Enable incoming Radio Router Control Protocol traffic.

    • reverse-ssh—Reverse SSH traffic.

    • reverse-telnet—Reverse Telnet traffic.

    • rlogin—Enable incoming rlogin (remote login) traffic.

    • rpm—Enable incoming Real-time performance monitoring (RPM) traffic.

    • rsh—Enable incoming Remote Shell (rsh) traffic.

    • snmp—Enable incoming SNMP traffic (UDP port 161).

    • snmp-trap—Enable incoming SNMP traps (UDP port 162).

    • ssh—Enable incoming SSH traffic.

    • telnet—Enable incoming Telnet traffic.

    • tftp—Enable TFTP services.

    • traceroute—Enable incoming traceroute traffic (UDP port 33434).

    • xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.

    • xnm-ssl— Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.

  • except—(Optional) Enable specific incoming system service traffic but only when the all option has been defined . For example, to enable all but FTP and HTTP system service traffic:

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.