Example: Controlling Inbound Traffic Based on Protocols

This example shows how to enable inbound traffic for an interface.

Requirements

Before you begin:

Overview

Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used.

A value of all indicates that traffic from all of the protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Configuration

CLI Quick Configuration

To quickly configure inbound traffic based on protocols, copy the following commands and paste them into the CLI:


[edit]


set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ping


set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh


set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute


set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf


set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure inbound traffic based on protocols:

  1. Configure a security zone.

    [edit]


    user@host# edit security zones security-zone ABC
  2. Configure the security zone to support inbound traffic for the ping system service for an interface.

    [edit security zones security-zone ABC]


    user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
  3. Configure the security zone to support inbound traffic for the ssh system service for an interface.

    [edit security zones security-zone ABC]


    user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
  4. Configure the security zone to support inbound traffic for the traceroute system service for an interface.

    [edit security zones security-zone ABC]


    user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
  5. Configure the security zone to support inbound traffic based on the ospf protocol for an interface.

    [edit security zones security-zone ABC]


    user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
  6. Configure the security zone to support inbound traffic based on the ospf3 protocol for an interface.

    [edit security zones security-zone ABC]


    user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3

Results

Confirm your configuration by entering the show security zones security-zone ABC command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


user@host# show security zones security-zone ABC
interfaces {
    ge-0/0/1.1 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                traceroute;
            }
            protocols {
                ospf;
                ospf3;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Purpose

Use these logs to identify any inbound traffic, system service, or protocol issues.

Action

Enter these show log commands from operational mode.


user@host> show log messages


user@host> show log dcd

Related Topics