Example: Controlling Inbound Traffic Based on Protocols

This example shows how to enable inbound traffic for an interface.

Requirements

Before you begin:

Configure security zones. See Example: Creating Security Zones.
Configure network interfaces. See the JUNOS Software Interfaces Configuration Guide for Security Devices.

Overview

Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used.

A value of all indicates that traffic from all of the protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Configuration

CLI Quick Configuration

To quickly configure inbound traffic based on protocols, copy the following commands and paste them into the CLI:

[edit]

set security zones security-zone ABC interfaces
ge-0/0/1.1 host-inbound-traffic system-services ping

set security zones security-zone ABC interfaces
ge-0/0/1.1 host-inbound-traffic system-services ssh

set security zones security-zone ABC interfaces
ge-0/0/1.1 host-inbound-traffic system-services traceroute

set security zones security-zone ABC interfaces
ge-0/0/1.1 host-inbound-traffic protocols ospf

set security zones security-zone ABC interfaces
ge-0/0/1.1 host-inbound-traffic protocols ospf3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure inbound traffic based on protocols:

Configure a security zone.

[edit]

user@host# edit security zones security-zone ABC
Configure the security zone to support inbound traffic for the ping system service for an interface.

[edit security zones security-zone ABC]

user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
Configure the security zone to support inbound traffic for the ssh system service for an interface.

[edit security zones security-zone ABC]

user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
Configure the security zone to support inbound traffic for the traceroute system service for an interface.

[edit security zones security-zone ABC]

user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
Configure the security zone to support inbound traffic based on the ospf protocol for an interface.

[edit security zones security-zone ABC]

user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
Configure the security zone to support inbound traffic based on the ospf3 protocol for an interface.

[edit security zones security-zone ABC]

user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3

Results

Confirm your configuration by entering the show security zones security-zone ABC command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security zones security-zone
ABC

interfaces {
    ge-0/0/1.1 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                traceroute;
            }
            protocols {
                ospf;
                ospf3;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Troubleshooting with Logs

Purpose

Use these logs to identify any inbound traffic, system service, or protocol issues.

Action

Enter these show log commands from operational mode.

user@host> show log messages

user@host> show log dcd