Junos CLI Reference

system-services (Security Zones Host Inbound Traffic)

20-Nov-23

Syntax

system-services { 
    (service-name | all <service-name except>);
}

Hierarchy Level

[edit security zones security-zone zone-name host-inbound-traffic]

Description

Specify the types of incoming system service traffic that can reach the device for all interfaces in a security zone. By default, a security zone has all system services disabled. You can allow the inbound system services traffic in one of the following ways:

  • Allow system services individually.

  • Allow all system services.

  • Allow all system services with the exception of the specified services.

Options

service-name

Name of system service traffic that can reach the device:

  • all—Traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services. Enabling all the system services does not override any interface-specific configuration under a particular zone.

  • any-service—All system services on an entire port range including the system services that are not defined.

  • bootp—Traffic destined to BOOTP and DHCP relay agents

  • dhcp—DHCP requests

  • dhcpv6—DHCP requests for IPv6

  • dns—DNS services

  • finger—Finger traffic

  • ftp—FTP traffic

  • http—J-Web or clear-text Web authentication traffic

  • https—J-Web or Web authentication traffic over Secure Sockets Layer (SSL)

  • ident-reset—Access that has been blocked by an unacknowledged identification request

  • ike—Internet Key Exchange (IKE) traffic

  • lsping—Label-switched path (LSP) ping service

  • netconf—NETCONF service

  • ntp—Network Time Protocol (NTP) traffic

  • ping—ICMP echo request responses

  • r2cp—Radio-to-Router Control Protocol traffic

  • reverse-ssh—Reverse SSH traffic

  • reverse-telnet—Reverse Telnet traffic

  • rlogin—Incoming rlogin (remote login) traffic

  • rpm—Real-time performance monitoring (RPM) traffic

  • rsh—Remote shell (rsh) traffic

  • snmp—SNMP traffic (UDP port 161)

  • snmp-trap—SNMP traps (UDP port 162)

  • ssh—SSH traffic

  • telnet—Telnet traffic

  • tftp—TFTP services

  • traceroute—Traceroute traffic (UDP port 33434)

  • xnm-clear-text—Junos XML protocol traffic for all specified interfaces

  • xnm-ssl—Junos XML protocol-over-SSL traffic for all specified interfaces

service-name except

(Optional) Allow all inbound service traffic, except the specified service traffic types, to reach the device. In the following example, the configuration allows all system service traffic, with the exception of FTP and HTTP, to reach the device:

[edit]
user@host# set security zones security-zone trust host-inbound-traffic system-services all 
user@host# set security zones security-zone trust host-inbound-traffic system-services ftp except
user@host# set security zones security-zone trust host-inbound-traffic system-services http except
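
The following Python check is an added example, not part of the Juniper documentation. It reads set-format configuration lines, works out which zone-level services remain allowed once all and except are combined, and flags the unencrypted ones. The DEFINED and CLEARTEXT sets, the function names and the mgmt zone are assumptions made for this example; interface-level host-inbound-traffic statements are not evaluated.

```python
import re
from collections import defaultdict

# Names from this page that `all` expands to here (assumption: varies by release).
DEFINED = set((
    "bootp dhcp dhcpv6 dns finger ftp http https ident-reset ike lsping "
    "netconf ntp ping r2cp reverse-ssh reverse-telnet rlogin rpm rsh snmp "
    "snmp-trap ssh telnet tftp traceroute xnm-clear-text xnm-ssl").split())
# Unencrypted services this example flags (assumption; adjust to local policy).
CLEARTEXT = set("finger ftp http rlogin rsh telnet tftp xnm-clear-text".split())
# Zone-level statements only; interface-level host-inbound-traffic is skipped.
LINE = re.compile(r"\bset security zones security-zone (\S+) "
                  r"host-inbound-traffic system-services (\S+)( except)?\s*$")

def effective_services(config_text):
    """Return {zone: services allowed at zone level after all/except}."""
    allowed, excepted = defaultdict(set), defaultdict(set)
    for raw in config_text.splitlines():
        m = LINE.search(raw)
        if m:
            zone, service, is_except = m.groups()
            (excepted if is_except else allowed)[zone].add(service)
    result = {}
    for zone in set(allowed) | set(excepted):
        services = set(allowed[zone])
        if "all" in services:
            services = (services - {"all"}) | DEFINED
        result[zone] = services - excepted[zone]
    return result

def audit(config_text):
    """Return {zone: sorted flagged services}; clean zones are omitted."""
    findings = {}
    for zone, services in effective_services(config_text).items():
        flagged = (services & CLEARTEXT) | (services & {"any-service"})
        if flagged:
            findings[zone] = sorted(flagged)
    return findings

# Constructed sample: the page's trust example plus a made-up "mgmt" zone.
SAMPLE = """\
user@host# set security zones security-zone trust host-inbound-traffic system-services all
user@host# set security zones security-zone trust host-inbound-traffic system-services ftp except
user@host# set security zones security-zone trust host-inbound-traffic system-services http except
set security zones security-zone mgmt host-inbound-traffic system-services ssh
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the page's trust example, the check shows that excluding only FTP and HTTP still leaves Telnet, rlogin, rsh, TFTP, finger and xnm-clear-text reachable at zone level.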

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.
