[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Examples: Services Interfaces Configuration

The following configuration includes all the items necessary to configure services on an interface. For examples showing individual service configurations, see the chapters that describe each service in detail.

[edit]
interfaces {
fe-0/1/0 {
unit 0 {
family inet {
service {
input {
service-set Firewall-Set;
}
output {
service-set Firewall-Set;
}
}
address 10.1.3.2/24;
}
}
}
fe-0/1/1 {
unit 0 {
family inet {
filter {
input Sample;
}
address 172.16.1.2/24;
}
}
}
sp-1/0/0 {
unit 0 {
family inet {
address 172.16.1.3/24 {
}
}
}
}
}
forwarding-options {
sampling {
input {
family inet {
rate 1;
}
}
output {
cflowd 10.1.3.1 {
port 2055;
version 5;
}
flow-inactive-timeout 15;
flow-active-timeout 60;
interface sp-1/0/0 {
engine-id 1;
engine-type 136;
source-address 10.1.3.2;
}
}
}
}
firewall {
filter Sample {
term Sample {
then {
count Sample;
sample;
accept;
}
}
}
}
services {
stateful-firewall {
rule Rule1 {
match-direction input;
term 1 {
from {
application-sets Applications;
}
then {
accept;
}
}
term accept {
then {
accept;
}
}
}
rule Rule2 {
match-direction output;
term Local {
from {
source-address {
10.1.3.2/32;
}
}
then {
accept;
}
}
}
}
ids {
rule Attacks {
match-direction output;
term Match {
from {
application-sets Applications;
}
then {
logging {
syslog;
}
}
}
}
}
nat {
pool public {
address-range low 172.16.2.1 high 172.16.2.32;
port automatic;
}
rule Private-Public {
match-direction input;
term Translate {
then {
translated {
source-pool public;
translation-type source dynamic;
}
}
}
}
}
service-set Firewall-Set {
stateful-firewall-rules Rule1;
stateful-firewall-rules Rule2;
nat-rules Private-Public;
ids-rules Attacks;
interface-service {
service-interface sp-1/0/0;
}
}
}
applications {
application ICMP {
application-protocol icmp;
}
application FTP {
application-protocol ftp;
destination-port ftp;
}
application-set Applications {
application ICMP;
application FTP;
}
}

The following example combines VPN routing and forwarding (VRF) and services configuration:

[edit policy-options]
policy-statement test-policy {
term t1 {
then reject;
}
}
[edit routing-instances]
test {
interface ge-0/2/0.0;
interface sp-1/3/0.20;
instance-type vrf;
route-distinguisher 10.58.255.1:37;
vrf-import test-policy;
vrf-export test-policy;
routing-options {
static {
route 0.0.0.0/0 next-table inet.0;
}
}
}
[edit interfaces]
ge-0/2/0 {
unit 0 {
family inet {
service {
input service-set nat-me;
output service-set nat-me;
}
}
}
}
sp-1/3/0 {
unit 0 {
family inet;
}
unit 20 {
family inet;
service-domain inside;
}
unit 21 {
family inet;
service-domain outside;
}
[edit services]
stateful-firewall {
rule allow-any-input {
match-direction input;
term t1 {
then accept;
}
}
}
nat {
pool hide-pool {
address 10.58.16.100;
port automatic;
}
rule hide-all-input {
match-direction input;
term t1 {
then {
translated {
source-pool hide-pool;
translation-type source dynamic;
}
}
}
}
}
service-set nat-me {
stateful-firewall-rules allow-any-input;
nat-rules hide-all-input;
interface-service {
service-interface sp-1/3/0.20;
}
}
}

The following example shows dynamic-source NAT applied as a next-hop service:

[edit interfaces]
ge-0/2/0 {
unit 0 {
family mpls;
}
}
sp-1/3/0 {
unit 0 {
family inet;
}
unit 20 {
family inet;
}
unit 32 {
family inet;
}
}
[edit routing-instances]
protected-domain {
interface ge-0/2/0.0;
interface sp-1/3/0.20;
instance-type vrf;
route-distinguisher 10.58.255.17:37;
vrf-import protected-domain-policy;
vrf-export protected-domain-policy;
routing-options {
static {
route 0.0.0.0/0 next-hop sp-1/3/0.20;
}
}
}
[edit policy-options]
policy-statement protected-domain-policy {
term t1 {
then reject;
}
}
[edit services]
stateful-firewall {
rule allow-all {
match-direction input;
term t1 {
then {
accept;
}
}
}
}
nat {
pool my-pool {
address 10.58.16.100;
port automatic;
}
rule hide-all {
match-direction input;
term t1 {
then {
translated {
source-pool my-pool;
translation-type source dynamic;
}
}
}
}
}
service-set null-sfw-with-nat {
stateful-firewall-rules allow-all;
nat-rules hide-all;
next-hop-service {
inside-service-interface sp-1/3/0.20;
outside-service-interface sp-1/3/0.32;
}
}

The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:

The following example supports Bootstrap Protocol (BOOTP) and broadcast addresses:

[edit applications]
application bootp {
application-protocol bootp;
protocol udp;
destination-port 67;
}
[edit services]
stateful-firewall bootp-support {
rule bootp-allow {
direction input;
term bootp-allow {
from {
destination-address {
any-unicast;
255.255.255.255;
}
application bootp;
}
then {
accept;
}
}
}
}
[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]