
Example: Configuring Layer 3 Services and the Services SDK on Two PICs

You can configure the Layer 3 service package and the Services SDK on two PICs. For this example, you must configure an FTP or HTTP client and a server. In this configuration, the client-facing router interface is ge-1/2/2.1 and the server-facing router interface is ge-1/1/0.48. This configuration enables Network Address Translation (NAT) with the stateful firewall (SFW) on the uKernel PIC, and application identification (APPID), the application-aware access list (AACL), and intrusion detection and prevention (IDP) on the Services SDK PIC, for FTP or HTTP traffic.

Note: The Services SDK does not support NAT yet. When NAT is required, you can configure the Layer 3 service package to deploy NAT alongside Services SDK features such as APPID, AACL, or IDP.

To deploy the Layer 3 service package and the Services SDK on two PICs:

  1. In configuration mode, go to the following hierarchy level:
    [edit services]
    user@host# edit stateful-firewall
  2. In the hierarchy level, configure the conditions for the stateful firewall rule r1.
    [edit services stateful-firewall]
    user@host# set rule rule-name match-direction input-output term term from applications application-name
    user@host# set rule rule-name match-direction input-output term term then accept syslog

    In this example, the stateful firewall term is ALLOWED-SERVICES. Enclose the application names (junos-ftp, junos-http, and junos-icmp-ping) in brackets for application-name.

    [edit services stateful-firewall]
    user@host# set rule r1 match-direction input-output term ALLOWED-SERVICES from applications [ junos-ftp junos-http junos-icmp-ping ]
    user@host# set rule r1 match-direction input-output term ALLOWED-SERVICES then accept syslog
  3. Configure the conditions for the stateful firewall rule r2.
    [edit services stateful-firewall]
    user@host# set rule rule-name match-direction input-output term term then discard
    user@host# set rule rule-name match-direction input-output term term then syslog

    In this example, the stateful firewall term is term1.

    [edit services stateful-firewall]
    user@host# set rule r2 match-direction input-output term term1 then discard
    user@host# set rule r2 match-direction input-output term term1 then syslog
  4. Go to the following hierarchy level and verify the configuration:
    [edit services stateful-firewall]
    user@host# show 
    rule r1 {
        match-direction input-output;
        term ALLOWED-SERVICES {
            from {
                applications [ junos-ftp junos-http junos-icmp-ping ];
            }
            then {
                accept;
                syslog;
            }
        }
    }
    rule r2 {
        match-direction input-output;
        term term1 {
            then {
                discard;
                syslog;
            }
        }
    }
  5. Go to the following hierarchy level:
    [edit services]
    user@host# edit nat
  6. In the hierarchy level, configure the NAT pool.
    [edit services nat]
    user@host# set pool pool-name address ip-address
    user@host# set pool pool-name port automatic

    In this example, the NAT pool is OUTBOUND-SERVICES and the IP address is 10.48.0.2/32.

    [edit services nat]
    user@host# set pool OUTBOUND-SERVICES address 10.48.0.2/32
    user@host# set pool OUTBOUND-SERVICES port automatic
  7. Configure the NAT rule.
    [edit services nat]
    user@host# set rule rule-name match-direction output term term from applications application-name
    user@host# set rule rule-name match-direction output term term then translated source-pool source-pool translation-type source dynamic

    In this example, the NAT rule is SET-MSR-ADDR, the NAT term is TRANSLATE-SOURCE-ADDR, and the source pool is OUTBOUND-SERVICES. Enclose the application names (junos-ftp, junos-http, and junos-icmp-ping) in brackets for application-name.

    [edit services nat]
    user@host# set rule SET-MSR-ADDR match-direction output term TRANSLATE-SOURCE-ADDR from applications [ junos-ftp junos-http junos-icmp-ping ]
    user@host# set rule SET-MSR-ADDR match-direction output term TRANSLATE-SOURCE-ADDR then translated source-pool OUTBOUND-SERVICES translation-type source dynamic
  8. Go to the following hierarchy level and verify the configuration:
    [edit services nat]
    user@host# show 
    pool OUTBOUND-SERVICES {
        address 10.48.0.2/32;
        port {
            automatic;
        }
    }
    rule SET-MSR-ADDR {
        match-direction output;
        term TRANSLATE-SOURCE-ADDR {
            from {
                applications [ junos-ftp junos-http junos-icmp-ping ]; 
            }
            then {
                translated {
                    source-pool OUTBOUND-SERVICES;
                    translation-type {
                        source dynamic;
                    }
                }
            }
        }
    }
  9. Go to the following hierarchy level:
    [edit security]
    user@host# edit idp
  10. In the hierarchy level, configure the IDP policy.
    [edit security idp]
    user@host# set idp-policy policy-name rulebase-ips rule rule-name match application default attacks predefined-attacks attack-name
    user@host# set idp-policy policy-name rulebase-ips rule rule-name match application default attacks predefined-attack-groups attack-group-name
    user@host# set idp-policy policy-name rulebase-ips rule rule-name then action no-action
    user@host# set idp-policy policy-name rulebase-ips rule rule-name then notification log-attacks alert

    In this example, the IDP policy is test1, the rule is r1, the predefined attack is FTP:USER:ROOT, and the predefined attack group is "Recommended Attacks".

    [edit security idp]
    user@host# set idp-policy test1 rulebase-ips rule r1 match application default attacks predefined-attacks FTP:USER:ROOT
    user@host# set idp-policy test1 rulebase-ips rule r1 match application default attacks predefined-attack-groups [ "Recommended Attacks" ]
    user@host# set idp-policy test1 rulebase-ips rule r1 then action no-action
    user@host# set idp-policy test1 rulebase-ips rule r1 then notification log-attacks alert
  11. Configure the trace options for IDP services.
    [edit security idp]
    user@host# set traceoptions file filename
    user@host# set traceoptions flag all
    user@host# set traceoptions level all

    In this example, the log file name is idp-demo.log.

    [edit security idp]
    user@host# set traceoptions file idp-demo.log
    user@host# set traceoptions flag all
    user@host# set traceoptions level all
  12. Go to the following hierarchy level and verify the configuration:
    [edit security idp]
    user@host# show 
    idp-policy test1 {
        rulebase-ips {
            rule r1 {
                match {
                    application default;
                    attacks {
                        predefined-attacks FTP:USER:ROOT;
                        predefined-attack-groups "Recommended Attacks";
                    }
                }
                then {
                    action {
                        no-action;
                    }
                    notification {
                        log-attacks {
                            alert;
                        }
                    }
                }
            }
        }
    }
    traceoptions {
        file idp-demo.log;
        flag all;
        level all;
    }
  13. Go to the following hierarchy level:
    [edit services]
    user@host# edit aacl
  14. In the hierarchy level, configure the AACL rules.
    [edit services aacl]
    user@host# set rule rule-name match-direction input-output term term from application-group-any
    user@host# set rule rule-name match-direction input-output term term then count application accept

    In this example, the AACL rule is app-aware and the term is t1.

    [edit services aacl]
    user@host# set rule app-aware match-direction input-output term t1 from application-group-any
    user@host# set rule app-aware match-direction input-output term t1 then count application accept
  15. Go to the following hierarchy level and verify the configuration:
    [edit services aacl]
    user@host# show 
    rule app-aware {
        match-direction input-output;
        term t1 {
            from {
                application-group-any;
            }
            then {
                count application;
                accept;
            }
        }
    }
  16. Go to the following hierarchy level:
    [edit services]
    user@host# edit service-set App-Aware-Set
  17. Configure the APPID profile.
    [edit services service-set App-Aware-Set]
    user@host# set application-identification-profile application-identification-profile

    In this example, the APPID profile is dummy-profile.

    [edit services service-set App-Aware-Set]
    user@host# set application-identification-profile dummy-profile
  18. Configure the IDP profile.
    [edit services service-set App-Aware-Set]
    user@host# set idp-profile idp-profile

    In this example, the IDP profile is test1.

    [edit services service-set App-Aware-Set]
    user@host# set idp-profile test1
  19. Configure the policy decision statistics profile.
    [edit services service-set App-Aware-Set]
    user@host# set policy-decision-statistics-profile profile-name

    In this example, the policy decision statistics profile is lpdf-stats.

    [edit services service-set App-Aware-Set]
    user@host# set policy-decision-statistics-profile lpdf-stats
  20. Configure the AACL rules.
    [edit services service-set App-Aware-Set]
    user@host# set aacl-rules rule-name

    In this example, the AACL rule name is app-aware.

    [edit services service-set App-Aware-Set]
    user@host# set aacl-rules app-aware
  21. Configure two stateful firewall rules.
    [edit services service-set App-Aware-Set]
    user@host# set stateful-firewall-rules rule-name
    user@host# set stateful-firewall-rules rule-name

    In this example, the first rule is r1 and the second rule is r2.

    [edit services service-set App-Aware-Set]
    user@host# set stateful-firewall-rules r1
    user@host# set stateful-firewall-rules r2
  22. In the hierarchy level, configure the service set to bypass traffic on service PIC failure.
    [edit services service-set App-Aware-Set]
    user@host# set service-set-options bypass-traffic-on-pic-failure
  23. Configure interface-specific service set options.
    [edit services service-set App-Aware-Set]
    user@host# set interface-service service-interface service-interface

    In this example, the services interface is ms-0/1/0.

    [edit services service-set App-Aware-Set]
    user@host# set interface-service service-interface ms-0/1/0
  24. Go to the following hierarchy level and verify the configuration:
    [edit services service-set App-Aware-Set]
    user@host# show 
    application-identification-profile dummy-profile;
    idp-profile test1;
    policy-decision-statistics-profile {
        lpdf-stats;
    }
    aacl-rules app-aware;
    stateful-firewall-rules r1;
    stateful-firewall-rules r2;
    service-set-options {
        bypass-traffic-on-pic-failure;
    }
    interface-service {
        service-interface ms-0/1/0;
    }
  25. Go to the following hierarchy level:
    [edit services]
    user@host# edit service-set NAT-SFW-SET
  26. In the hierarchy level, configure the optional syslog notification parameters for the service set. They are required only for debugging.
    [edit services service-set NAT-SFW-SET]
    user@host# set syslog host host-name services any

    In this example, the host to notify is local.

    [edit services service-set NAT-SFW-SET]
    user@host# set syslog host local services any
  27. Configure two stateful firewall rules.
    [edit services service-set NAT-SFW-SET]
    user@host# set stateful-firewall-rules rule-name
    user@host# set stateful-firewall-rules rule-name

    In this example, the first rule is r1 and the second rule is r2.

    [edit services service-set NAT-SFW-SET]
    user@host# set stateful-firewall-rules r1
    user@host# set stateful-firewall-rules r2
  28. Configure the NAT rules.
    [edit services service-set NAT-SFW-SET]
    user@host# set nat-rules rule-name

    In this example, the NAT rule is SET-MSR-ADDR.

    [edit services service-set NAT-SFW-SET]
    user@host# set nat-rules SET-MSR-ADDR
  29. Configure interface-specific service set options.
    [edit services service-set NAT-SFW-SET]
    user@host# set interface-service service-interface service-interface

    In this example, the services interface is sp-3/1/0.

    [edit services service-set NAT-SFW-SET]
    user@host# set interface-service service-interface sp-3/1/0
  30. Go to the following hierarchy level and verify the configuration:
    [edit services service-set NAT-SFW-SET]
    user@host# show 
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules r1;
    stateful-firewall-rules r2;
    interface-service {
        service-interface sp-3/1/0;
    }
  31. Go to the following hierarchy level:
    [edit]
    user@host# edit interfaces
  32. In the hierarchy level, configure the interface.
    [edit interfaces]
    user@host# set interface

    In this example, the interface is ge-1/2/2.1.

    [edit interfaces]
    user@host# set ge-1/2/2.1
  33. Go to the following hierarchy level:
    [edit interfaces]
    user@host# edit ge-1/2/2.1
  34. In the hierarchy level, configure the service set for received packets.
    [edit interfaces ge-1/2/2 unit 1]
    user@host# set family inet service input service-set service-set-name

    In this example, the input service set is App-Aware-Set.

    [edit interfaces ge-1/2/2 unit 1]
    user@host# set family inet service input service-set App-Aware-Set
  35. Configure the service set for transmitted packets.
    [edit interfaces ge-1/2/2 unit 1]
    user@host# set family inet service output service-set service-set-name

    In this example, the output service set is App-Aware-Set.

    [edit interfaces ge-1/2/2 unit 1]
    user@host# set family inet service output service-set App-Aware-Set
  36. Go to the following hierarchy level:
    [edit interfaces ge-1/2/2 unit 1]
    user@host# edit family inet
  37. In the hierarchy level, configure the interface address.
    [edit interfaces ge-1/2/2 unit 1 family inet]
    user@host# set address address

    In this example, the interface address is 10.10.9.10/30.

    [edit interfaces ge-1/2/2 unit 1 family inet]
    user@host# set address 10.10.9.10/30
  38. Go to the following hierarchy level and verify the configuration:
    [edit interfaces ge-1/2/2 unit 1]
    user@host# show
    family inet {
        service {
            input {
                service-set App-Aware-Set;
            }
            output {
                service-set App-Aware-Set;
            }
        }
        address 10.10.9.10/30;
    }
  39. Go to the following hierarchy level:
    [edit]
    user@host# edit interfaces
  40. In the hierarchy level, configure the interface.
    [edit interfaces]
    user@host# set interface

    In this example, the interface is ge-1/1/0.48.

    [edit interfaces]
    user@host# set ge-1/1/0.48
  41. Go to the following hierarchy level:
    [edit interfaces]
    user@host# edit ge-1/1/0.48
  42. In the hierarchy level, configure the service set for received packets.
    [edit interfaces ge-1/1/0 unit 48]
    user@host# set family inet service input service-set service-set-name

    In this example, the input service set is NAT-SFW-SET.

    [edit interfaces ge-1/1/0 unit 48]
    user@host# set family inet service input service-set NAT-SFW-SET
  43. Configure the service set for transmitted packets.
    [edit interfaces ge-1/1/0 unit 48]
    user@host# set family inet service output service-set service-set-name

    In this example, the output service set is NAT-SFW-SET.

    [edit interfaces ge-1/1/0 unit 48]
    user@host# set family inet service output service-set NAT-SFW-SET
  44. Go to the following hierarchy level:
    [edit interfaces ge-1/1/0 unit 48]
    user@host# edit family inet
  45. Configure the interface address.
    [edit interfaces ge-1/1/0 unit 48 family inet]
    user@host# set address address

    In this example, the interface address is 10.48.0.1/31.

    [edit interfaces ge-1/1/0 unit 48 family inet]
    user@host# set address 10.48.0.1/31
  46. Go to the following hierarchy level and verify the configuration:
    [edit interfaces ge-1/1/0 unit 48]
    user@host# show 
    family inet {
        service {
            input {
                service-set NAT-SFW-SET;
            }
            output {
                service-set NAT-SFW-SET;
            }
        }
        address 10.48.0.1/31;
    }
  47. Go to the following hierarchy level:
    [edit]
    user@host# edit interfaces
  48. In the hierarchy level, configure the interface.
    [edit interfaces]
    user@host# set interface

    In this example, the interface is ms-0/1/0.0.

    [edit interfaces]
    user@host# set ms-0/1/0.0
  49. Go to the following hierarchy level:
    [edit interfaces]
    user@host# edit ms-0/1/0.0
  50. In the hierarchy level, configure the protocol family.
    [edit interfaces ms-0/1/0 unit 0]
    user@host# set family inet
  51. Go to the following hierarchy level and verify the configuration:
    [edit interfaces ms-0/1/0]
    user@host# show 
    unit 0 {
        family inet;
    }
  52. Go to the following hierarchy level:
    [edit]
    user@host# edit interfaces
  53. In the hierarchy level, configure the interface.
    [edit interfaces]
    user@host# set interface

    In this example, the interface is sp-3/1/0.0.

    [edit interfaces]
    user@host# set sp-3/1/0.0
  54. Go to the following hierarchy level:
    [edit interfaces]
    user@host# edit sp-3/1/0
  55. In the hierarchy level, configure the optional syslog notification parameters for the services interface. They are required only for debugging.
    [edit interfaces sp-3/1/0]
    user@host# set services-options syslog host host-name services any

    In this example, the host to notify is local.

    [edit interfaces sp-3/1/0]
    user@host# set services-options syslog host local services any
  56. Go to the following hierarchy level:
    [edit interfaces]
    user@host# edit sp-3/1/0.0
  57. In the hierarchy level, configure the protocol family.
    [edit interfaces sp-3/1/0 unit 0]
    user@host# set family inet
  58. Go to the following hierarchy level and verify the configuration:
    [edit interfaces sp-3/1/0]
    user@host# show 
    services-options {
        syslog {
            host local {
                services any;
            }
        }
    }
    unit 0 {
        family inet;
    }
  59. Go to the following hierarchy level:
    [edit]
    user@host# edit chassis
  60. In the hierarchy level, configure the redundancy settings.
    [edit chassis]
    user@host# set no-service-pic-restart-on-failover
    user@host# set redundancy graceful-switchover
  61. Configure the FPC and PIC.
    [edit chassis]
    user@host# edit fpc slot pic slot

    In this example, the FPC is in slot 0 and the PIC is in slot 1.

    [edit chassis]
    user@host# edit fpc 0 pic 1
  62. Configure the number of cores dedicated to control functionality.
    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider control-cores control-cores

    In this example, the number of control cores is 1.

    [edit chassis fpc 0 pic 1]
    user@host# set adaptive-services service-package extension-provider control-cores 1
  63. Configure the number of processing cores dedicated to data.
    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider data-cores data-cores

    In this example, the number of data cores is 7.

    [edit chassis fpc 0 pic 1]
    user@host# set adaptive-services service-package extension-provider data-cores 7
  64. Configure the size of the object cache in megabytes. Only values in increments of 128 MB are allowed, and the maximum object cache size is 1280 MB. On the MS-100, the value is 512 MB.
    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider object-cache-size object-cache-size

    In this example, the size of the object cache is 1280 MB.

    [edit chassis fpc 0 pic 1]
    user@host# set adaptive-services service-package extension-provider object-cache-size 1280
  65. Configure the size of the policy database in megabytes.
    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider policy-db-size policy-db-size

    In this example, the size of the policy database is 64 MB.

    [edit chassis fpc 0 pic 1]
    user@host# set adaptive-services service-package extension-provider policy-db-size 64
  66. Configure the packages.
    [edit chassis fpc slot pic slot]
    user@host# set adaptive-services service-package extension-provider package package

    In this example, the first package is jservices-appid, the second package is jservices-aacl, the third package is jservices-llpdf, the fourth package is jservices-idp, and the fifth package is jservices-sfw. jservices-sfw is available only in Junos OS Release 10.1 and later.

    [edit chassis fpc 0 pic 1]
    user@host# set adaptive-services service-package extension-provider package jservices-appid
    user@host# set adaptive-services service-package extension-provider package jservices-aacl
    user@host# set adaptive-services service-package extension-provider package jservices-llpdf
    user@host# set adaptive-services service-package extension-provider package jservices-idp
    user@host# set adaptive-services service-package extension-provider package jservices-sfw
  67. Configure the IP network services.
    [edit chassis]
    user@host# set network-services ip
  68. Go to the following hierarchy level and verify the configuration:
    [edit chassis]
    user@host# show
    no-service-pic-restart-on-failover;
    filter-memory-enhanced;
    redundancy {
        graceful-switchover;
    }
    fpc 0 {
        pic 1 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 1280;
                        policy-db-size 64;
                        package jservices-appid;
                        package jservices-aacl;
                        package jservices-llpdf;
                        package jservices-idp;
                        package jservices-sfw;
                    }
                }
            }
        }
    }
    network-services ip;
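As an added example (not part of the Juniper documentation), the following Python script audits a configuration exported with `show configuration | display set` for the cross-references the two-PIC layout above depends on: every rule or profile a service set names must be defined, a stateful firewall rule whose term has no from clause matches all traffic and must therefore be listed last in its service set (rules are evaluated in the order listed), and an IDP action of no-action only logs matches. SAMPLE is a constructed, abbreviated display-set rendering of the commands in this example.

```python
# Constructed sample built from the page's own commands (abbreviated to what the checks use).
SAMPLE = """
set services stateful-firewall rule r1 term ALLOWED-SERVICES from applications [ junos-ftp junos-http junos-icmp-ping ]
set services stateful-firewall rule r1 term ALLOWED-SERVICES then accept
set services stateful-firewall rule r2 term term1 then discard
set services nat rule SET-MSR-ADDR term TRANSLATE-SOURCE-ADDR then translated source-pool OUTBOUND-SERVICES
set services aacl rule app-aware term t1 then accept
set security idp idp-policy test1 rulebase-ips rule r1 then action no-action
set services service-set App-Aware-Set idp-profile test1
set services service-set App-Aware-Set aacl-rules app-aware
set services service-set App-Aware-Set stateful-firewall-rules r1
set services service-set App-Aware-Set stateful-firewall-rules r2
set services service-set NAT-SFW-SET stateful-firewall-rules r1
set services service-set NAT-SFW-SET stateful-firewall-rules r2
set services service-set NAT-SFW-SET nat-rules SET-MSR-ADDR
"""

# service-set keyword -> hierarchy under which the referenced object must be defined
REF_TO_DEF = {"stateful-firewall-rules": ("services", "stateful-firewall", "rule"),
              "nat-rules": ("services", "nat", "rule"),
              "aacl-rules": ("services", "aacl", "rule"),
              "idp-profile": ("security", "idp", "idp-policy")}

def parse_set_lines(text):
    """Token lists (without the leading 'set') of every set line; other lines are ignored."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def defined(rows, prefix):
    """Names defined directly under a hierarchy prefix such as ('services', 'nat', 'rule')."""
    n = len(prefix)
    return {r[n] for r in rows if len(r) > n and tuple(r[:n]) == prefix}

def service_set_refs(rows, keyword):
    """Names referenced as '<keyword> <name>' inside each service set, in listed order."""
    refs = {}
    for r in rows:
        if r[:2] == ["services", "service-set"] and len(r) > 4 and r[3] == keyword:
            refs.setdefault(r[2], []).append(r[4])
    return refs

def catch_all_sfw_rules(rows):
    """Stateful-firewall rules holding a term with no 'from' clause: such a term matches everything."""
    terms, with_from = set(), set()
    for r in rows:
        if r[:3] == ["services", "stateful-firewall", "rule"] and len(r) > 6 and r[4] == "term":
            terms.add((r[3], r[5]))
            if r[6] == "from":
                with_from.add((r[3], r[5]))
    return {rule for rule, _term in terms - with_from}

def audit(text):
    """Return sorted finding strings; an empty list means every check passed."""
    rows, findings = parse_set_lines(text), []
    for keyword, prefix in REF_TO_DEF.items():  # dangling references from service sets
        names = defined(rows, prefix)
        for sset, refs in service_set_refs(rows, keyword).items():
            findings += [f"{sset}: {keyword} {n} not defined under {' '.join(prefix)}"
                         for n in refs if n not in names]
    catch_all = catch_all_sfw_rules(rows)  # rules run in listed order: catch-all discard goes last
    for sset, refs in service_set_refs(rows, "stateful-firewall-rules").items():
        for i, name in enumerate(refs[:-1]):
            if name in catch_all:
                findings.append(f"{sset}: catch-all rule {name} shadows {' '.join(refs[i + 1:])}")
    for r in rows:  # 'no-action' means the IDP policy logs matches but never blocks them
        if r[:3] == ["security", "idp", "idp-policy"] and r[-2:] == ["action", "no-action"]:
            findings.append(f"idp-policy {r[3]} rule {r[6]}: no-action only logs, it does not block")
    return sorted(findings)
```

Run `audit()` on a real export to get the list of findings; on the page's own configuration the only finding is the detect-only IDP action, which is what the example intends.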

Published: 2015-03-20
