Junos Security Cli Reference

JUNOS Software

CLI Reference for J-series Services Routers and SRX-series Services Gateways

Release 9.5

Juniper Networks, Inc.1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

www.juniper.netPart Number: 530-029527-01, Revision 01

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JUNOS Software CLI Reference Release 9.5 Copyright 2009, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History April 2009Revision 1 The information in this document is current as of the date listed in the revision history. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.

ii

END USER LICENSE AGREEMENTREAD THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customers principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customers principal office is located outside the Americas) (such applicable entity being referred to herein as Juniper), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (Customer) (collectively, the Parties). 2. The Software. In this Agreement, Software means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. Software also includes updates, upgrades and new releases of such software. Embedded Software means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment. 3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions: a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller. b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis. c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customers use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customers use of the Software shall be subject to all such limitations and purchase of all applicable licenses. d. For any trial copy of the Software, Customers right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period. e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customers enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services. The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller. 4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein. 5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

iii

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customers internal business purposes. 7. Ownership. Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software. 8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Junipers or its suppliers or licensors liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties. 9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customers possession or control. 10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customers payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein. Customers obligations under this Section shall survive termination or expiration of this Agreement. 11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customers ability to export the Software without an export license. 12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable. 13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available. 14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html. 15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous

iv

agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette convention de mme que tous les documents y compris tout avis qui s'y rattach, soient redigs en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

v

vi

Table of ContentsAbout This Guide xxxiii SRX Series Documentation and Release Notes ..........................................xxxiii Objectives .................................................................................................xxxiii Audience ...................................................................................................xxxiv Supported Routing Platforms ....................................................................xxxiv How to Use This Manual ...........................................................................xxxiv Document Conventions ............................................................................xxxvi Documentation Feedback .......................................................................xxxviii Requesting Technical Support .................................................................xxxviii

Part 1Chapter 1

Configuration StatementsAccess Hierarchy and Statements 3

Access Configuration Statement Hierarchy ......................................................3 admin-search ..................................................................................................6 assemble .........................................................................................................7 authentication-order ........................................................................................8 banner ............................................................................................................9 banner (FTP, HTTP, Telnet) .......................................................................9 banner (Web Authentication) ..................................................................10 base-distinguished-name ...............................................................................11 client-group ...................................................................................................12 client-idle-timeout .........................................................................................12 client-name-filter ...........................................................................................13 client-session-timeout ....................................................................................13 configuration-file ...........................................................................................14 count .............................................................................................................14 default-profile ................................................................................................15 distinguished-name .......................................................................................15 domain-name ................................................................................................16 fail .................................................................................................................16 firewall-authentication ...................................................................................17 firewall-user ..................................................................................................18 ftp .................................................................................................................18 http ...............................................................................................................19 ldap-options ..................................................................................................20 ldap-server ....................................................................................................21 login ..............................................................................................................22

Table of Contents

vii

JUNOS Software CLI Reference

pass-through ..................................................................................................23 password .......................................................................................................24 port ...............................................................................................................25 port (LDAP) .............................................................................................25 port (RADIUS) .........................................................................................25 radius-options ...............................................................................................26 radius-server .................................................................................................27 retry ..............................................................................................................28 retry (LDAP) ............................................................................................28 retry (RADIUS) ........................................................................................29 revert-interval ................................................................................................30 revert-interval (LDAP) .............................................................................30 revert-interval (RADIUS) ..........................................................................31 routing-instance ............................................................................................32 routing-instance (LDAP) ..........................................................................32 routing-instance (RADIUS) ......................................................................33 search ...........................................................................................................34 search-filter ...................................................................................................35 secret ............................................................................................................35 securid-server ................................................................................................36 separator .......................................................................................................37 session-options ..............................................................................................38 source-address ..............................................................................................39 source-address (LDAP) ............................................................................39 source-address (RADIUS) ........................................................................39 success ..........................................................................................................40 telnet .............................................................................................................41 timeout .........................................................................................................42 timeout (LDAP Server) ............................................................................42 timeout (RADIUS Server) .........................................................................43 traceoptions ..................................................................................................44 web-authentication ........................................................................................45 Chapter 2 Accounting-Options Hierarchy 47

Accounting-Options Configuration Statement Hierarchy ...............................47 Chapter 3 Applications Hierarchy and Statements 49

Applications Configuration Statement Hierarchy ...........................................49 alg .................................................................................................................51 application-protocol .......................................................................................52 destination-port .............................................................................................53 icmp-code .....................................................................................................56 icmp-type ......................................................................................................57 inactivity-timeout ..........................................................................................57 protocol .........................................................................................................58 rpc-program-number .....................................................................................59 source-port ....................................................................................................59

viii

Table of Contents

Table of Contents

term ..............................................................................................................60 uuid ...............................................................................................................61 Chapter 4 Bridge-Domains Hierarchy and Statements 63

Bridge-Domains Configuration Statement Hierarchy .....................................63 bridge-domains .............................................................................................64 bridge-options ...............................................................................................65 domain-type ..................................................................................................65 interface ........................................................................................................66 routing-interface ............................................................................................67 static-mac ......................................................................................................67 vlan-id ...........................................................................................................68 vlan-id-list ......................................................................................................69 Chapter 5 Chassis Hierarchy and Statements 71

Chassis Configuration Statement Hierarchy ...................................................71 cluster ...........................................................................................................75 control-link-recovery .....................................................................................76 control-ports ..................................................................................................77 gratuitous-arp-count ......................................................................................78 heartbeat-interval ..........................................................................................78 heartbeat-threshold .......................................................................................79 interface-monitor ..........................................................................................79 node ..............................................................................................................80 node (Cluster) .........................................................................................80 node (Redundancy-Group) ......................................................................81 pic-mode .......................................................................................................82 preempt ........................................................................................................83 priority ..........................................................................................................83 redundancy-group .........................................................................................84 reth-count ......................................................................................................85 traceoptions ..................................................................................................86 tunnel-queuing ..............................................................................................87 weight ...........................................................................................................88 Chapter 6 Class-of-Service Hierarchy and Statements 89

Class-of-Service Configuration Statement Hierarchy ......................................89 Chapter 7 Event-Options Hierarchy 93

Event-Options Configuration Statement Hierarchy ........................................93

Table of Contents

ix


Chapter 8

Firewall Hierarchy and Statements

95

Firewall Configuration Statement Hierarchy ..................................................95 policer ...........................................................................................................98 simple-filter ...................................................................................................99 Chapter 9 Forwarding-Options Hierarchy and Statements 101

Forwarding-Options Configuration Statement Hierarchy .............................101 vpn ..............................................................................................................105 Chapter 10 Groups Hierarchy 107

Groups Configuration Statement Hierarchy .................................................107 Chapter 11 Interfaces Hierarchy and Statements 109

Interfaces Configuration Statement Hierarchy .............................................109 access-point-name .......................................................................................121 authentication-method ................................................................................122 bundle .........................................................................................................122 Cbr rate .......................................................................................................123 cellular-options ............................................................................................123 client-identifier ............................................................................................124 dhcp ............................................................................................................124 encapsulation ..............................................................................................125 fabric-options ..............................................................................................125 flow-control .................................................................................................126 gsm-options ................................................................................................127 lease-time ....................................................................................................128 link-speed ....................................................................................................128 loopback .....................................................................................................129 member-interfaces ......................................................................................129 next-hop-tunnel ...........................................................................................130 no-flow-control ............................................................................................130 no-loopback ................................................................................................130 no-source-filtering .......................................................................................130 profiles ........................................................................................................131 redundancy-group .......................................................................................132 redundant-ether-options ..............................................................................132 redundant-parent ........................................................................................133 redundant-parent (Fast Ethernet Options) .............................................133 redundant-parent (Gigabit Ethernet Options) ........................................133 retransmission-attempt ...............................................................................134 retransmission-interval ................................................................................134 roaming-mode .............................................................................................135 select-profile ................................................................................................135

x

Table of Contents

Table of Contents

server-address .............................................................................................136 simple-filter .................................................................................................136 sip-password ...............................................................................................137 sip-user-id ....................................................................................................137 source-address-filter ....................................................................................138 source-filtering ............................................................................................139 update-server ..............................................................................................139 vbr rate .......................................................................................................140 vendor-id .....................................................................................................140 web-authentication ......................................................................................141 Chapter 12 Power Over Ethernet Hierarchy and Statements 143

[edit poe] Configuration Statement Hierarchy .............................................144 disable .........................................................................................................144 duration ......................................................................................................145 guard-band ..................................................................................................145 interface ......................................................................................................146 interval ........................................................................................................146 management ...............................................................................................147 maximum-power .........................................................................................147 priority ........................................................................................................148 telemetries ..................................................................................................149 Chapter 13 Policy-Options Hierarchy and Statements 151

Policy-Options Configuration Statement Hierarchy ......................................151 condition .....................................................................................................152 route-active-on ............................................................................................153 Chapter 14 Protocols Hierarchy and Statements 155

Protocols Configuration Statement Hierarchy ..............................................155 global-mac-limit ...........................................................................................178 global-mac-table-aging-time .........................................................................179 global-no-mac-learning ................................................................................179 l2-learning ...................................................................................................180 packet-action ...............................................................................................180 Chapter 15 Routing-Instances Hierarchy 181

Routing-Instances Configuration Statement Hierarchy ................................181 Chapter 16 Routing-Options Hierarchy 193

Routing-Options Configuration Statement Hierarchy ...................................193

Table of Contents

xi


Chapter 17

Schedulers Hierarchy and Statements

201

Schedulers Configuration Statement Hierarchy ...........................................201 all-day .........................................................................................................202 daily ............................................................................................................203 exclude ........................................................................................................204 friday ..........................................................................................................205 monday .......................................................................................................206 saturday ......................................................................................................207 scheduler .....................................................................................................208 schedulers ...................................................................................................209 start-date .....................................................................................................209 start-time .....................................................................................................210 stop-date .....................................................................................................211 stop-time .....................................................................................................212 sunday ........................................................................................................213 thursday ......................................................................................................214 tuesday .......................................................................................................215 wednesday ..................................................................................................216 Chapter 18 Security Hierarchy and Statements 217

Security Configuration Statement Hierarchy ................................................217 access profile ...............................................................................................244 access-profile (Dynamic VPNs) ..............................................................244 access-profile (IPsec VPNs) ....................................................................244 ack-number .................................................................................................245 action ..........................................................................................................246 action (web filtering) ...................................................................................247 active-policy ................................................................................................247 address ........................................................................................................248 address (ARP Proxy Services Gateway) .................................................248 address (Destination NAT Services Gateway) ........................................249 address (Destination NAT Services Router) ...........................................249 address (IKE Gateway) ..........................................................................250 address (Source NAT) ............................................................................250 address (Zone Address Book) ................................................................251 address (Zone Address Set) ...................................................................251 address-book ...............................................................................................252 address-blacklist ..........................................................................................252 address-persistent .......................................................................................253 address-range ..............................................................................................254 address-range (Destination NAT) ...........................................................254 address-range (Source NAT) ..................................................................254 address-set ..................................................................................................255 address-whitelist .........................................................................................255 admin-email ................................................................................................256 administrator ..............................................................................................256 aging ...........................................................................................................257

xii

Table of Contents

Table of Contents

alarm-threshold ...........................................................................................258 alarm-without-drop .....................................................................................258 alert .............................................................................................................259 alg ...............................................................................................................260 algorithm .....................................................................................................264 all-tcp ..........................................................................................................265 allow-dns-reply ............................................................................................265 allow-icmp-without-flow ..............................................................................266 allow-incoming ............................................................................................266 always-send .................................................................................................267 anomaly ......................................................................................................267 antispam .....................................................................................................268 antispam (feature-profile) ......................................................................268 antispam (utm-policy) ...........................................................................269 antivirus ......................................................................................................270 antivirus (feature-profile) .......................................................................271 antivirus (utm-policy) ............................................................................273 application ..................................................................................................274 application (Protocol Binding Custom Attack) .......................................274 application (Security Policies) ................................................................274 application-identification .............................................................................275 application-screen .......................................................................................276 application-screen (H323) .....................................................................276 application-screen (MGCP) ....................................................................277 application-screen (SCCP) .....................................................................278 application-screen (SIP) .........................................................................279 application-services .....................................................................................280 application-services (Unified Access Control) ........................................280 application-services (WXC Integrated Services Module) ........................281 application-system-cache ............................................................................281 application-system-cache-timeout ...............................................................282 attack-threshold ...........................................................................................283 attacks .........................................................................................................284 attacks (Exempt Rulebase) ....................................................................284 attacks (IPS Rulebase) ...........................................................................285 attack-type ..................................................................................................286 attack-type (Anomaly) ...........................................................................286 attack-type (Chain) ................................................................................287 attack-type (Signature) ..........................................................................288 authentication .............................................................................................291 authentication-algorithm .............................................................................292 authentication-method ................................................................................293 auto-re-enrollment .......................................................................................294 automatic ....................................................................................................295 bind-interface ..............................................................................................295 block-command ..........................................................................................296 block-content-type .......................................................................................296 block-mime .................................................................................................297 bridge ..........................................................................................................298 c-timeout .....................................................................................................299 ca-identity ...................................................................................................299

Table of Contents

xiii


ca-profile .....................................................................................................300 ca-profile-name ...........................................................................................301 cache ...........................................................................................................301 cache-size ....................................................................................................302 call-flood .....................................................................................................302 category ......................................................................................................303 category (web filtering) ................................................................................303 certificate ....................................................................................................304 certificate-id ................................................................................................304 chain ...........................................................................................................305 challenge-password .....................................................................................306 clear-threshold ............................................................................................306 clients ..........................................................................................................307 code ............................................................................................................308 connection-flood .........................................................................................308 connections-limit .........................................................................................309 container .....................................................................................................309 content-filtering ...........................................................................................310 content-filtering (feature-profile) ...........................................................310 content-filtering (utm-policy) .................................................................311 content-size .................................................................................................311 content-size-limit .........................................................................................312 context ........................................................................................................312 corrupt-file ..................................................................................................313 count ...........................................................................................................314 count (Custom Attack) ..........................................................................314 count (Security Policies) ........................................................................315 crl ................................................................................................................316 custom-attack ..............................................................................................317 custom-attack-group ....................................................................................321 custom-attacks ............................................................................................321 custom-block-message ................................................................................322 custom-message ..........................................................................................323 custom-message (antivirus notification-options fallback-block/non-block) ................................................................323 custom-message (antivirus notification-options virus-detection) ...........324 custom-message (content-filter notification-options) .............................324 custom-message-subject ..............................................................................325 custom-message-subject (antivirus notification-options fallback-block/non-block) ................................................................325 custom-message-subject (antivirus notification-options virus-detection) ...............................................................................326 custom-message-subject (antivirus pattern-update email-notify) ...........326 custom-objects ............................................................................................327 custom-tag-string .........................................................................................328 custom-url-category .....................................................................................328 data-length ..................................................................................................329 dead-peer-detection .....................................................................................330 decompress-layer ........................................................................................330 decompress-layer-limit ................................................................................331

xiv

Table of Contents

Table of Contents

default .........................................................................................................332 default (antivirus fallback-options) ........................................................332 default (web-filtering fallback-settings) ..................................................333 default-policy ...............................................................................................333 deny ............................................................................................................334 deny (Policy) .........................................................................................334 deny (SIP) .............................................................................................335 description ..................................................................................................336 description (IDP Policy) .........................................................................336 description (Security Policies) ...............................................................336 destination ..................................................................................................337 destination (Destination NAT Services Gateway) ...................................338 destination (IP Headers in Signature Attack) .........................................339 destination-address .....................................................................................340 destination-address (Destination NAT Services Gateway) ......................340 destination-address (IDP Policy) ............................................................341 destination-address (Security Policies) ..................................................341 destination-address (Source NAT Services Gateway) .............................342 destination-address (Static NAT Services Gateway) ...............................342 destination-address (Traffic Policy Services Gateway) ...........................343 destination-except .......................................................................................343 destination-ip ..............................................................................................344 destination-ip-based ....................................................................................344 destination-nat ............................................................................................345 destination-nat (Destination NAT Services Gateway) .............................345 destination-nat (Destination NAT Services Router) ................................346 destination-nat (Security Policies) .........................................................347 destination-port ...........................................................................................348 destination-port (Destination NAT Services Gateway) ............................348 destination-port (Signature Attack) ........................................................349 destination-threshold ...................................................................................350 detect-shellcode ...........................................................................................350 detector .......................................................................................................351 df-bit ...........................................................................................................351 dh-group ......................................................................................................352 direction ......................................................................................................353 direction (Custom Attack) .....................................................................353 direction (Dynamic Attack Group) .........................................................354 disable-call-id-hiding ....................................................................................355 distinguished-name .....................................................................................355 dns ..............................................................................................................356 download-profile .........................................................................................357 download-profile (ftp antivirus utm-profile) ...........................................357 download-profile (ftp content-filtering utm-profile) ...............................357 dynamic ......................................................................................................358 dynamic-vpn ...............................................................................................359 dynamic-attack-group ..................................................................................360 early-ageout ................................................................................................361 email-notify .................................................................................................362 enable-all-qmodules ....................................................................................362 enable-packet-pool ......................................................................................363

Table of Contents

xv


encryption ...................................................................................................364 encryption-algorithm ...................................................................................365 endpoint-registration-timeout ......................................................................365 engine-not-ready .........................................................................................366 enrollment ..................................................................................................367 establish-tunnels ..........................................................................................368 exception ....................................................................................................369 exception (antivirus mime-whitelist) .....................................................369 exception (content-filter block-mime) ...................................................369 expression ...................................................................................................370 external-interface ........................................................................................371 external-interface (IKE Gateway) ...........................................................371 external-interface (Manual Security Association) ...................................371 fallback-block ..............................................................................................372 fallback-options ...........................................................................................373 fallback-options (antivirus juniper-express-engine) ................................373 fallback-options (antivirus kaspersky-lab-engine) ..................................374 fallback-settings ...........................................................................................375 fallback-settings (web-filtering surf-control-integrated) ..........................375 fallback-settings (web-filtering websense-redirect) ................................376 false-positives ..............................................................................................377 family ..........................................................................................................378 feature-profile ..............................................................................................379 filename-extension ......................................................................................382 filters ...........................................................................................................383 fin-no-ack ....................................................................................................384 firewall-authentication .................................................................................385 firewall-authentication (Policies) ...........................................................385 firewall-authentication (Security) ...........................................................386 flood ............................................................................................................387 flood (ICMP) ..........................................................................................387 flood (UDP) ...........................................................................................388 flow .............................................................................................................389 flow (IDP) ..............................................................................................389 flow (Security Flow) ..............................................................................390 force-upgrade ..............................................................................................391 forwarding-options ......................................................................................392 fragment .....................................................................................................393 from ............................................................................................................393 from-zone ...................................................................................................394 from-zone (IDP Policy) ..........................................................................394 from-zone (Security Policies) .................................................................395 ftp ...............................................................................................................397 ftp (utm) ......................................................................................................398 ftp (antivirus utm-policy) .......................................................................398 ftp (content-filtering utm-policy) ...........................................................399 functional-zone ............................................................................................400 gatekeeper ..................................................................................................401

xvi

Table of Contents

Table of Contents

gateway .......................................................................................................402 gateway (IKE) ........................................................................................403 gateway (IPsec) .....................................................................................404 gateway (Manual Security Association) .................................................404 global ..........................................................................................................405 gre-in ...........................................................................................................406 gre-out .........................................................................................................407 group-members ...........................................................................................408 h323 ............................................................................................................409 header-length ..............................................................................................410 high-watermark ...........................................................................................410 host .............................................................................................................411 host-address-base ........................................................................................411 host-address-low .........................................................................................412 host-inbound-traffic .....................................................................................413 hostname ....................................................................................................414 http-profile ..................................................................................................415 http-profile (antivirus utm-policy) ..........................................................415 http-profile (content-filtering utm-policy) ..............................................415 http-profile (web-filtering utm-policy) ....................................................416 icmp ............................................................................................................417 icmp (Protocol Binding Custom Attack) .................................................417 icmp (Security Screen) ..........................................................................418 icmp (Signature Attack) .........................................................................419 identification ...............................................................................................420 identification (ICMP Headers in Signature Attack) .................................420 identification (IP Headers in Signature Attack) ......................................421 idle-time ......................................................................................................421 idp ...............................................................................................................422 idp-policy ....................................................................................................429 ids-option ....................................................................................................431 ignore-mem-overflow ..................................................................................432 ignore-regular-expression ............................................................................433 ike ...............................................................................................................434 ike (IPsec VPN) .....................................................................................434 ike (Security) .........................................................................................435 ike-policy .....................................................................................................436 ike-user-type ................................................................................................437 imap-profile .................................................................................................438 imap-profile (antivirus utm-policy) ........................................................438 imap-profile (content-filtering utm-policy) .............................................438 inactive-media-timeout ................................................................................439 inactive-media-timeout (MGCP) .............................................................439 inactive-media-timeout (SCCP) ..............................................................440 inactive-media-timeout (SIP) .................................................................440 include-destination-address .........................................................................441 inet ..............................................................................................................441 inet6 ............................................................................................................442 install-interval ..............................................................................................442 intelligent-prescreening ...............................................................................443

Table of Contents

xvii


interface ......................................................................................................444 interface (ARP Proxy Services Gateway) ...............................................444 interface (NAT Services Router) ............................................................445 interfaces ....................................................................................................446 interval ........................................................................................................447 interval (IDP) .........................................................................................447 interval (IKE) .........................................................................................447 interval (anti-virus) ......................................................................................448 interval (kaspersky-lab-engine) .............................................................448 interval (juniper-express-engine) ...........................................................448 ip .................................................................................................................449 ip (Protocol Binding Custom Attack) .....................................................449 ip (Security Screen) ...............................................................................450 ip (Signature Attack) .............................................................................452 ip-action ......................................................................................................453 ip-block .......................................................................................................454 ip-close ........................................................................................................454 ip-flags ........................................................................................................455 ip-notify .......................................................................................................455 ips ...............................................................................................................456 ipsec-policy .................................................................................................456 ipsec-vpn .....................................................................................................457 ipsec-vpn (Flow) ....................................................................................457 ipsec-vpn (Policies) ...............................................................................458 ipsec-vpn (Dynamic VPNs) ....................................................................458 ip-sweep ......................................................................................................459 iso ...............................................................................................................460 juniper-express-engine ................................................................................461 kaspersky-lab-engine ...................................................................................463 land .............................................................................................................464 large ............................................................................................................465 lifetime-kilobytes .........................................................................................465 limit ............................................................................................................466 limit-session ................................................................................................466 list ...............................................................................................................467 list (antivirus mime-whitelist) ................................................................467 list (content-filter block-mime) ..............................................................467 local ............................................................................................................468 local-certificate ............................................................................................468 local-identity ................................................................................................469 log ...............................................................................................................470 log (IDP) ................................................................................................470 log (IDP Policy) .....................................................................................471 log (Security Policies) ............................................................................471 log-attacks ...................................................................................................472 log-errors .....................................................................................................472 log-supercede-min .......................................................................................473 low-watermark ............................................................................................473 management ...............................................................................................474 manual ........................................................................................................475

xviii

Table of Contents

Table of Contents

match ..........................................................................................................476 match (Destination NAT Services Gateway) ..........................................476 match (IDP Policy) ................................................................................477 match (Security Policies) .......................................................................478 match (Source NAT Services Gateway) ..................................................478 match (Static NAT Services Gateway) ....................................................479 max-flow-mem ............................................................................................479 max-logs-operate .........................................................................................480 max-packet-mem ........................................................................................480 max-packet-memory ...................................................................................481 max-sessions ...............................................................................................481 max-tcp-session-packet-memory .................................................................482 max-time-report ..........................................................................................482 max-timers-poll-ticks ...................................................................................483 max-udp-session-packet-memory ................................................................483 maximum-call-duration ...............................................................................484 media-source-port-any ................................................................................484 member ......................................................................................................485 message-flood .............................................................................................486 message-flood (H323) ...........................................................................486 message-flood (MGCP) ..........................................................................487 mgcp ...........................................................................................................488 mime-pattern ..............................................................................................489 mime-whitelist ............................................................................................489 mode ...........................................................................................................490 mode (Forwarding-Options) ..................................................................490 mode (Policy) ........................................................................................491 mpls ............................................................................................................492 msrpc ..........................................................................................................493 mss .............................................................................................................494 nat ...............................................................................................................495 nat (Services Gateway Configuration) ....................................................496 nat (Services Router Configuration) .......................................................498 nat-keepalive ...............................................................................................499 negate .........................................................................................................500 no-allow-icmp-without-flow .........................................................................500 no-anti-replay ..............................................................................................500 no-enable-all-qmodules ...............................................................................500 no-enable-packet-pool .................................................................................501 no-log-errors ................................................................................................501 no-nat-traversal ...........................................................................................501 no-policy-lookup-cache ................................................................................501 no-port-translation .......................................................................................502 no-reset-on-policy ........................................................................................502 no-sequence-check ......................................................................................502 no-syn-check ...............................................................................................503 no-syn-check-in-tunnel ................................................................................503 notification ..................................................................................................504

Table of Contents

xix


notification-options .....................................................................................505 notification-options (antivirus juniper-express-engine) ..........................505 notification-options (antivirus kaspersky-lab-engine) .............................506 notification-options (content-filtering) ...................................................506 notify-mail-sender .......................................................................................507 notify-mail-sender (antivirus fallback-block) ..........................................507 notify-mail-sender (antivirus notification-options virus-detection) .........508 optimized ....................................................................................................508 option ..........................................................................................................509 order ...........................................................................................................509 out-of-resources ...........................................................................................510 over-limit .....................................................................................................511 overflow-pool ..............................................................................................512 overflow-pool (Source NAT Services Gateway) ......................................512 overflow-pool (Source NAT Services Router) .........................................513 pair-policy ...................................................................................................514 pass-through ................................................................................................515 password-file ...............................................................................................516 pattern ........................................................................................................516 pattern-update .............................................................................................517 pattern-update (kaspersky-lab-engine) ..................................................517 pattern-update (juniper-express-engine) ................................................518 peer-certificate-type ....................................................................................518 perfect-forward-secrecy ...............................................................................519 performance ...............................................................................................520 permit .........................................................................................................521 permit-command ........................................................................................522 ping-death ...................................................................................................522 pki ...............................................................................................................523 policies ........................................................................................................525 policy ..........................................................................................................527 policy (IKE) ...........................................................................................527 policy (IPsec) .........................................................................................528 policy (Security) ....................................................................................529 policy-lookup-cache .....................................................................................530 policy-rematch ............................................................................................531 pool .............................................................................................................532 pool (Destination NAT Services Gateway) .............................................532 pool (Pool Set) .......................................................................................533 pool (Source NAT) .................................................................................533 pool (Source NAT Services Gateway) .....................................................534 pool-set .......................................................................................................535 pool-utilization-alarm ..................................................................................536 pop3profile ................................................................................................537 pop3-profile (antivirus utm-policy) ........................................................537 pop3-profile (content-filtering utm-policy) .............................................537 port .............................................................................................................538 port (web filtering) ......................................................................................538 port-scan .....................................................................................................539 pptp ............................................................................................................540 pre-filter-shellcode .......................................................................................541

xx

Table of Contents

Table of Contents

predefined-attack-groups .............................................................................541 predefined-attacks .......................................................................................542 pre-shared-key ............................................................................................542 process-ignore-s2c .......................................................................................543 process-override ..........................................................................................543 process-port ................................................................................................544 products ......................................................................................................544 profile ..........................................................................................................545 profile (antispam symantec-sbl) ............................................................545 profile (antivirus kaspersky-lab-engine) .................................................546 profile (antivirus juniper-express-engine) ..............................................547 profile (content-filtering) ............................................................

Documents

Junos Security Cli Reference