Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Modifying the Zones Configuration for Security Devices

You can use the Zones section on the Modify Configuration page to modify the security zone configuration for a device. You can modify settings related to zone name, system services, protocols, application tracking, and associate screen to the zone.


Refer to the Junos OS documentation (available at for a particular release and device. There you can find detailed information on the configuration parameters for that device.

To modify the zones parameters:

  1. Select Devices > Security Devices.
    1. The Security Devices page appears.

  2. Select the devices whose configuration you want to modify.
  3. From the More or right-click menu, select Configuration > Modify Configuration.
    1. The Modify Configuration page appears.

  4. Click the Screens.
    1. The Screens page appears.

  5. Modify the configuration according to the guidelines provided in Table 1.
  6. After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.
Table 1: Zones Settings




Modify the zone name.


Modify the description of the zone.

Application Tracking

Enable this option to maintain the application usage statistics on a device.

By default, when each session closes, application track generates a message that provides the byte and packet counts and duration of the session, and then sends the message to the syslog host device.


Select the interfaces from the Available column to include in the selected list for the zones.

System Services

Is Except

Select this option to disable specific incoming system service traffic, but only when the all system services option is defined.

The following system services are supported:

  • all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the Is Except option to disallow specific system services.

  • any-service—Enable all system services on the entire port range including the system services that are not defined.

  • dns—Enable incoming DNS services.

  • finger—Enable incoming finger traffic.

  • ftp—Enable incoming FTP traffic.

  • http—Enable incoming Web authentication traffic.

  • https—Enable incoming Web authentication traffic over Secure Sockets Layer (SSL).

  • ident-reset—Enable the access that has been blocked by an unacknowledged identification request.

  • ike—Enable Internet Key Exchange (IKE) traffic.

  • Isping—Enable label switched path ping service.

  • netconf—Enable incoming NETCONF service.

  • ntp—Enable incoming Network Time Protocol (NTP) traffic.

  • ping—Allow the device to respond to ICMP echo requests.

  • r2cp—Enable incoming Radio Router Control Protocol traffic.

  • reverse-ssh—Reverse SSH traffic.

  • reverse-telnet—Reverse Telnet traffic.

  • rlogin—Enable incoming rlogin (remote login) traffic.

  • rpm—Enable incoming real-time performance monitoring (RPM) traffic.

  • rsh—Enable incoming remote shell (rsh) traffic.

  • sip—Enable incoming Session Initiation Protocol traffic.

  • snmp—Enable incoming SNMP traffic (UDP port 161).

  • snmp-trap—Enable incoming SNMP traps (UDP port 162).

  • ssh—Enable incoming SSH traffic.

  • telnet—Enable incoming Telnet traffic.

  • tftp—Enable TFTP services.

  • traceroute—Enable incoming traceroute traffic (UDP port 33434).

  • xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.

  • xnm-ssl—Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.


Is Except

Select this option to disable specific incoming protocol traffic, but only when the all protocol option is defined.

The following protocols are supported:

  • all—Enable traffic from all possible protocols available. Use the Is Except option to disallow specific protocols.

  • bfd—Enable incoming Bidirectional Forwarding Detection (BFD) protocol traffic.

  • bgp—Enable incoming BGP traffic.

  • dvmrp—Enable incoming Distance Vector Multicast Routing Protocol (DVMRP) traffic.

  • igmp—Enable incoming Internet Group Management Protocol (IGMP) traffic.

  • ldp—Enable incoming LDP traffic (UDP and TCP port 646).

  • msdp—Enable incoming Multicast Source Discovery Protocol (MSDP) traffic.

  • nhrp—Enable incoming Next Hop Resolution Protocol (NHRP) traffic.

  • ospf—Enable incoming OSPF traffic.

  • ospf3—Enable incoming OSPF version 3 traffic.

  • pgm—Enable incoming Pragmatic General Multicast (PGM) protocol traffic (IP protocol number 113).

  • pim—Enable incoming Protocol Independent Multicast (PIM) traffic.

  • rip—Enable incoming RIP traffic.

  • ripng—Enable incoming RIP next generation traffic.

  • router-discovery—Enable incoming router discovery traffic.

  • rsvp—Enable incoming RSVP traffic (IP protocol number 46).

  • sap—Enable incoming Session Announcement Protocol (SAP) traffic. SAP always listens on New addresses and ports can be added dynamically. This information must be propagated to the Packet Forwarding Engine (PFE).

  • vrrp—Enable incoming Virtual Router Redundancy Protocol (VRRP) traffic.

Traffic Control Options


Enable this option to send a TCP packet with the RST (reset) flag set to 1 in response to a TCP packet with any flag other than SYN set and that does not belong to an existing session.


Select a security screen for a security zone to detect and block various kinds of traffic that the device determines as potentially harmful.

Interface Services and Protocols

Display the selected interfaces and system services and protocols for the interface.