Example: Controlling Inbound Traffic Based on Protocols
This example shows how to enable inbound traffic for an interface.
Requirements
Before you begin:
- Configure security zones. See Example: Creating Security Zones.
- Configure network interfaces. See the JUNOS Software Interfaces Configuration Guide for Security Devices.
Overview
Any host-inbound traffic that corresponds to a protocol listed under the host-inbound traffic option is allowed. For example, if anywhere in the configuration you map a protocol to a port number other than the default, you can specify the protocol in the host-inbound traffic option, and the new port number will be used.
A value of all indicates that traffic from all of the protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).
Configuration
CLI Quick Configuration
To quickly configure inbound traffic based on protocols, copy the following commands and paste them into the CLI:
[edit]
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure inbound traffic based on protocols:
- Configure a security zone.
  [edit]
  user@host# edit security zones security-zone ABC
- Configure the security zone to support inbound traffic for the ping system service for an interface.
  [edit security zones security-zone ABC]
  user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
- Configure the security zone to support inbound traffic for the ssh system service for an interface.
  [edit security zones security-zone ABC]
  user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
- Configure the security zone to support inbound traffic for the traceroute system service for an interface.
  [edit security zones security-zone ABC]
  user@host# set interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
- Configure the security zone to support inbound traffic based on the ospf protocol for an interface.
  [edit security zones security-zone ABC]
  user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
- Configure the security zone to support inbound traffic based on the ospf3 protocol for an interface.
  [edit security zones security-zone ABC]
  user@host# set interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3
Results
Confirm your configuration by entering the show security zones security-zone ABC command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security zones security-zone ABC
interfaces {
    ge-0/0/1.1 {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                traceroute;
            }
            protocols {
                ospf;
                ospf3;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
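One way to check a configuration against the intent of this example before committing, shown as an added example that is not part of the original documentation: the script below parses host-inbound-traffic statements in set form and reports any entry that is the all value or falls outside the services and protocols enabled above. The baseline, the function names, and the two extra ge-0/0/1.2 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Baseline = the services and protocols this example enables on ge-0/0/1.1.
BASELINE = {"system-services": {"ping", "ssh", "traceroute"},
            "protocols": {"ospf", "ospf3"}}

# Constructed input: the five commands from this example plus two hypothetical
# lines for ge-0/0/1.2 (not in the original) that the audit should flag.
SAMPLE = """\
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ping
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ssh
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services traceroute
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf
set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic protocols ospf3
set security zones security-zone ABC interfaces ge-0/0/1.2 host-inbound-traffic system-services telnet
set security zones security-zone ABC interfaces ge-0/0/1.2 host-inbound-traffic protocols all
"""

# One host-inbound-traffic statement in "set" form; the interface part is
# absent when the statement is made at zone level.
STMT = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifname>\S+))?"
    r" host-inbound-traffic (?P<kind>system-services|protocols) (?P<name>\S+)$")

def parse_host_inbound(text):
    """Map (zone, interface or 'zone-level') -> {kind: set of allowed names}."""
    allowed = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = STMT.match(line.strip())
        if m:
            scope = (m["zone"], m["ifname"] or "zone-level")
            allowed[scope][m["kind"]].add(m["name"])
    return allowed

def audit(text, baseline=BASELINE):
    """Return sorted (zone, scope, kind, name, reason) findings."""
    findings = []
    for (zone, scope), kinds in parse_host_inbound(text).items():
        for kind, names in kinds.items():
            for name in names:
                if name == "all":
                    findings.append((zone, scope, kind, name, "allows all " + kind))
                elif name not in baseline[kind]:
                    findings.append((zone, scope, kind, name, "not in baseline"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Statements in any other form are ignored by the parser, so feed it the set-form view of the configuration rather than the braced hierarchy.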
Verification
To confirm that the configuration is working properly, perform these tasks:
Troubleshooting with Logs
Purpose
Use these logs to identify any inbound traffic, system service, or protocol issues.
Action
Enter these show log commands from operational mode.
user@host> show log messages
user@host> show log dcd
Related Topics
- JUNOS Software CLI Reference
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding How to Control Inbound Traffic Based on Protocols