Junos Es Cli Reference

7/23/2019 Junos Es Cli Reference

1/993

JUNOS Software

CLI Referencefor J-series Services Routers and SRX-series ServicesGateways

Release 9.3

Juniper Networks, Inc.1194 North Mathilda Avenue

Sunnyvale, California 94089

USA

408-745-2000

www.juniper.net

Part Number: 530-02583201, Revision 1


2/993

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, EpilogueTechnology Corporation. All rights reserved. This program and i ts documentation were developed at private expense, and no part of them is in the publicdomain.

This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and softwareincluded in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988,1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 byCornell University and its collaborators. Gated is based on Kirtons EGP, UC Berkeleys routing daemon (routed), and DCNs HELLO routing protocol.Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of theUniversity of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. inthe United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, orregistered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, orotherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensedto Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JUNOS Software CLI Reference

Release 9.3Copyright 2008, Juniper Networks, Inc.All rights reserved. Printed in USA.

Revision HistoryNovember 2008Revision 1

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to theextent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, youindicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in whichyou are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the licenseis automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Website at www.juniper.net/techpubs.

ii


3/993

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMEROR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS

AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties.The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customers principal office is located in the Americas) or Juniper Networks(Cayman) Limited (if the Customers principal office is located outside the Americas) (such applicable entity being referred to herein as Juniper), and (ii)the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (Customer)(collectively, the Parties).

2. The Software.In this Agreement, Softwaremeans the program modules and features of the Juniper or Juniper-supplied software, for which Customerhas paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customerpurchased from Juniper or an authorized Juniper reseller. Softwarealso includes updates, upgrades and new releases of such software. EmbeddedSoftwaremeans Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacementswhich are subsequently embedded in or loaded onto the equipment.

3. License Grant.Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusiveand non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniperor an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customerhas paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall usesuch Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of theSteel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whethersuch computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits toCustomers use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Softwareto be used only in conjunction with other specific Software. Customers use of the Software shall be subject to all such limitations and purchase of all applicablelicenses.

d. For any trial copy of the Software, Customers right to use the Software expires 30 days after download, installation or use of the Software. Customermay operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trialperiod by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customers enterprise network.Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support anycommercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicablelicense(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions.Notwithstanding the foregoing, the l icense provided herein does not permit the Customer to, and Customer agrees not to and shallnot: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except asnecessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) removeany proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) dist ribute any copy ofthe Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any lockedor key-restricted

feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, evenif such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniperto any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniperreseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that theCustomer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software toany third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit.Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnishsuch records to Juniper and certify its compliance with this Agreement.

iii


4/993

6. Confidentiality.The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customershall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includesrestricting access to the Software to Customer employees and contractors having a need to use the Software for Customers internal business purposes.

7. Ownership.Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,

associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest inthe Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty.The warranty applicable to the Software shall be as set forth in the warranty statement thataccompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support servicesmay be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTEDBY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER ORJUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANYJUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDINGANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPERWARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Junipers or its suppliersor licensorsliability to Customer, whetherin contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, orif the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniperhas set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same

reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),and that the same form an essential basis of the bargain between the Parties.

9. Termination.Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the licensegranted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customerspossession or control.

10. Taxes.All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase ofthe license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper priorto invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of anyapplicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniperwith valid tax receipts and other required documentation showing Customers payment of any withholding taxes; completing appropriate applications thatwould reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages relatedto any liability incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein. Customers obligations under thisSection shall survive termination or expiration of this Agreement.

11. Export.Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreignagency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, orwithout all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryptionor other capabilities restricting Customers ability to export the Software without an export license.

12. Commercial Computer Software.The Software is commercial computer softwareand is provided with restricted rights. Use, duplication, or disclosureby the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information.To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interfaceinformation needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicableterms and conditions upon which Juniper makes such information available.

14. Third Party Software.Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technologyare embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor

shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with theSoftware and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under andsubject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License(GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate)available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194

N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, anda copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisionsof the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Partieshereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreementconstitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous

iv
http://www.gnu.org/licenses/gpl.htmlhttp://www.gnu.org/licenses/lgpl.htmlhttp://www.gnu.org/licenses/lgpl.htmlhttp://www.gnu.org/licenses/gpl.html


5/993

agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of aseparate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflictwith terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to inwriting by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of theremainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English

version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette convention de mme que tous les documents y compris toutavis qui s'y rattach, soient redigs en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will bein the English language)).

v


6/993

vi


7/993

Table of Contents

About This Guide xxvii

Objectives .................................................................................................. xxviiAudience ................................................................................................... xxviiiSupported Routing Platforms .................................................................... xxviiiHow to Use This Manual ........................................................................... xxviiiDocument Conventions ............................................................................... xxxList of Technical Publications .....................................................................xxxii

Documentation Feedback ......................................................................... xxxiiiRequesting Technical Support ................................................................... xxxiv

Part 1 Configuration Statements

Chapter 1 Access Hierarchy and Statements 3

Access Configuration Statement Hierarchy ...................................................... 3admin-search .................................................................................................. 6assemble ......................................................................................................... 7

authentication-order ........................................................................................ 8banner ............................................................................................................ 9

banner (FTP, HTTP, Telnet) ....................................................................... 9banner (Web Authentication) .................................................................. 10

base-distinguished-name ............................................................................... 11client-group ................................................................................................... 12client-idle-timeout ......................................................................................... 12client-name-filter ........................................................................................... 13client-session-timeout .................................................................................... 13configuration-file ........................................................................................... 14count ............................................................................................................. 14default-profile ................................................................................................ 15distinguished-name ....................................................................................... 15domain-name ................................................................................................ 16fail ................................................................................................................. 16firewall-authentication ................................................................................... 17firewall-user .................................................................................................. 18ftp ................................................................................................................. 18http ............................................................................................................... 19ldap-options .................................................................................................. 20ldap-server .................................................................................................... 21login .............................................................................................................. 22

Table of Contents vii


8/993

pass-through .................................................................................................. 23password ....................................................................................................... 24port ............................................................................................................... 25

port (LDAP) ............................................................................................. 25

port (RADIUS) ......................................................................................... 25radius-options ............................................................................................... 26radius-server ................................................................................................. 27retry .............................................................................................................. 28

retry (LDAP) ............................................................................................ 28retry (RADIUS) ........................................................................................ 29

revert-interval ................................................................................................ 30revert-interval (LDAP) ............................................................................. 30revert-interval (RADIUS) .......................................................................... 31

routing-instance ............................................................................................ 32routing-instance (LDAP) .......................................................................... 32routing-instance (RADIUS) ...................................................................... 33

search ........................................................................................................... 33search-filter ................................................................................................... 34secret ............................................................................................................ 34securid-server ................................................................................................ 35separator ....................................................................................................... 36session-options .............................................................................................. 37source-address .............................................................................................. 38

source-address (LDAP) ............................................................................ 38source-address (RADIUS) ........................................................................ 38

success .......................................................................................................... 39telnet ............................................................................................................. 40timeout ......................................................................................................... 41

timeout (LDAP Server) ............................................................................ 41

timeout (RADIUS Server) ......................................................................... 42traceoptions .................................................................................................. 43web-authentication ........................................................................................ 44

Chapter 2 Accounting-Options Hierarchy 45

Accounting-Options Configuration Statement Hierarchy ............................... 45

Chapter 3 Applications Hierarchy and Statements 47

Applications Configuration Statement Hierarchy ........................................... 47alg ................................................................................................................. 49application-protocol ....................................................................................... 50destination-port ............................................................................................. 51icmp-code ..................................................................................................... 54icmp-type ...................................................................................................... 55inactivity-timeout .......................................................................................... 55protocol ......................................................................................................... 56rpc-program-number ..................................................................................... 57source-port .................................................................................................... 57

viii Table of Contents

JUNOS Software; CLI Reference


9/993

term .............................................................................................................. 58uuid ............................................................................................................... 59

Chapter 4 Chassis Hierarchy and Statements 61

Chassis Configuration Statement Hierarchy ................................................... 61cluster ........................................................................................................... 65control-ports .................................................................................................. 66gratuitous-arp-count ...................................................................................... 67heartbeat-interval .......................................................................................... 67heartbeat-threshold ....................................................................................... 68interface-monitor .......................................................................................... 68node .............................................................................................................. 69

node (Cluster) ......................................................................................... 69node (Redundancy-Group) ...................................................................... 70

pic-mode ....................................................................................................... 71

preempt ........................................................................................................ 72priority .......................................................................................................... 72redundancy-group ......................................................................................... 73reth-count ...................................................................................................... 74traceoptions .................................................................................................. 75tunnel-queuing .............................................................................................. 76weight ........................................................................................................... 77

Chapter 5 Class-of-Service Hierarchy 79

Class-of-Service Configuration Statement Hierarchy ...................................... 79

Chapter 6 Event-Options Hierarchy 83

Event-Options Configuration Statement Hierarchy ........................................ 83

Chapter 7 Firewall Hierarchy 85

Firewall Configuration Statement Hierarchy .................................................. 85

Chapter 8 Forwarding-Options Hierarchy and Statements 89

Forwarding-Options Configuration Statement Hierarchy ............................... 89vpn ................................................................................................................ 93

Chapter 9 Groups Hierarchy 95

Groups Configuration Statement Hierarchy ................................................... 95

Table of Contents ix

Table of Contents


10/993

Chapter 10 Interfaces Hierarchy and Statements 97

Interfaces Configuration Statement Hierarchy ............................................... 97client-identifier ............................................................................................ 109

dhcp ............................................................................................................ 109fabric-options .............................................................................................. 110flow-control ................................................................................................. 110lease-time .................................................................................................... 111link-speed .................................................................................................... 111loopback ..................................................................................................... 112member-interfaces ...................................................................................... 112next-hop-tunnel ........................................................................................... 113no-flow-control ............................................................................................ 113no-loopback ................................................................................................ 113no-source-filtering ....................................................................................... 113redundancy-group ....................................................................................... 114redundant-ether-options .............................................................................. 114redundant-parent ........................................................................................ 115

redundant-parent (Fast Ethernet Options) ............................................. 115redundant-parent (Gigabit Ethernet Options) ........................................ 115

retransmission-attempt ............................................................................... 116retransmission-interval ................................................................................ 116server-address ............................................................................................. 117source-address-filter .................................................................................... 117source-filtering ............................................................................................ 118update-server .............................................................................................. 118vendor-id ..................................................................................................... 119web-authentication ...................................................................................... 119

Chapter 11 Policy-Options Hierarchy and Statements 121

Policy-Options Configuration Statement Hierarchy ...................................... 121condition ..................................................................................................... 122route-active-on ............................................................................................ 123

Chapter 12 Protocols Hierarchy 125

Protocols Configuration Statement Hierarchy .............................................. 125

Chapter 13 Routing-Instances Hierarchy 149

Routing-Instances Configuration Statement Hierarchy ................................149

Chapter 14 Routing-Options Hierarchy 161

Routing-Options Configuration Statement Hierarchy ...................................161

x Table of Contents



11/993

Chapter 15 Schedulers Hierarchy and Statements 169

Schedulers Configuration Statement Hierarchy ...........................................169all-day ......................................................................................................... 170

daily ............................................................................................................ 171exclude ........................................................................................................ 172friday .......................................................................................................... 173monday ....................................................................................................... 174saturday ...................................................................................................... 175scheduler ..................................................................................................... 176schedulers ................................................................................................... 177start-date ..................................................................................................... 177start-time ..................................................................................................... 178stop-date ..................................................................................................... 179stop-time ..................................................................................................... 180sunday ........................................................................................................ 181thursday ...................................................................................................... 182tuesday ....................................................................................................... 183wednesday .................................................................................................. 184

Chapter 16 Security Hierarchy and Statements 185

Security Configuration Statement Hierarchy ................................................ 185access-profile ............................................................................................... 207ack-number ................................................................................................. 207action .......................................................................................................... 208active-policy ................................................................................................ 209address ........................................................................................................ 210

address (ARP Proxy Services Gateway) .................................................210address (Destination NAT Services Gateway) ........................................ 211address (Destination NAT Services Router) ...........................................211address (IKE Gateway) .......................................................................... 212address (Source NAT) ............................................................................ 212address (Zone Address Book) ................................................................ 213address (Zone Address Set) ................................................................... 213

address-book ............................................................................................... 214address-persistent ....................................................................................... 214address-range .............................................................................................. 215

address-range (Destination NAT) ........................................................... 215address-range (Source NAT) .................................................................. 215

address-set .................................................................................................. 216

administrator .............................................................................................. 216aging ........................................................................................................... 217alarm-threshold ........................................................................................... 218alarm-without-drop ..................................................................................... 218alert ............................................................................................................. 219alg ............................................................................................................... 220algorithm ..................................................................................................... 224all-tcp .......................................................................................................... 225allow-dns-reply ............................................................................................ 225

Table of Contents xi

Table of Contents


12/993

allow-icmp-without-flow .............................................................................. 226allow-incoming ............................................................................................ 226always-send ................................................................................................. 227anomaly ...................................................................................................... 227

application .................................................................................................. 228application (Protocol Binding Custom Attack) .......................................228application (Security Policies) ................................................................ 228

application-identification ............................................................................. 229application-screen ....................................................................................... 230

application-screen (H323) .....................................................................230application-screen (MGCP) .................................................................... 231application-screen (SCCP) .....................................................................231application-screen (SIP) .........................................................................232

application-services ..................................................................................... 233application-system-cache ............................................................................ 233application-system-cache-timeout ...............................................................234attack-threshold ........................................................................................... 235attacks ......................................................................................................... 236

attacks (Exempt Rulebase) .................................................................... 236attacks (IPS Rulebase) ........................................................................... 237

attack-type .................................................................................................. 238attack-type (Anomaly) ...........................................................................238attack-type (Chain) ................................................................................ 239attack-type (Signature) .......................................................................... 240

authentication ............................................................................................. 243authentication-algorithm ............................................................................. 244authentication-method ................................................................................ 245auto-re-enrollment ....................................................................................... 246automatic .................................................................................................... 247

bind-interface .............................................................................................. 247c-timeout ..................................................................................................... 248ca-identity ................................................................................................... 248ca-profile ..................................................................................................... 249ca-profile-name ........................................................................................... 250cache-size .................................................................................................... 250call-flood ..................................................................................................... 251category ...................................................................................................... 251certificate .................................................................................................... 252certificate-id ................................................................................................ 252chain ........................................................................................................... 253challenge-password ..................................................................................... 254clear-threshold ............................................................................................ 254

code ............................................................................................................ 255connection-flood ......................................................................................... 255connections-limit ......................................................................................... 256container ..................................................................................................... 256context ........................................................................................................ 257count ........................................................................................................... 258

count (Custom Attack) .......................................................................... 258count (Security Policies) ........................................................................ 259

crl ................................................................................................................ 260

xii Table of Contents



13/993

custom-attack .............................................................................................. 261custom-attack-group .................................................................................... 265custom-attacks ............................................................................................ 265data-length .................................................................................................. 266

dead-peer-detection ..................................................................................... 267default-policy ............................................................................................... 268deny ............................................................................................................ 269

deny (Policy) ......................................................................................... 269deny (SIP) ............................................................................................. 270

description .................................................................................................. 271description (IDP Policy) .........................................................................271description (Security Policies) ............................................................... 271

destination .................................................................................................. 272destination (Destination NAT Services Gateway) ...................................273destination (IP Headers in Signature Attack) ......................................... 274

destination-address ..................................................................................... 275destination-address (Destination NAT Services Gateway) ......................275destination-address (IDP Policy) ............................................................ 276destination-address (Security Policies) .................................................. 276destination-address (Source NAT Services Gateway) .............................277destination-address (Static NAT Services Gateway) ...............................277destination-address (Traffic Policy Services Gateway) ...........................278

destination-except ....................................................................................... 278destination-ip .............................................................................................. 279destination-ip-based .................................................................................... 279destination-nat ............................................................................................ 280

destination-nat (Destination NAT Services Gateway) .............................280destination-nat (Destination NAT Services Router) ................................281destination-nat (Security Policies) .........................................................282

destination-port ........................................................................................... 283destination-port (Destination NAT Services Gateway) ............................283destination-port (Signature Attack) ........................................................ 284

destination-threshold ................................................................................... 285detect-shellcode ........................................................................................... 285detector ....................................................................................................... 286df-bit ........................................................................................................... 286dh-group ...................................................................................................... 287direction ...................................................................................................... 288

direction (Custom Attack) .....................................................................288direction (Dynamic Attack Group) ......................................................... 289

disable-call-id-hiding .................................................................................... 289distinguished-name ..................................................................................... 290

dns .............................................................................................................. 291dynamic ...................................................................................................... 292dynamic-attack-group .................................................................................. 293early-ageout ................................................................................................ 294enable-all-qmodules .................................................................................... 294enable-packet-pool ...................................................................................... 295encryption ................................................................................................... 296encryption-algorithm ................................................................................... 297endpoint-registration-timeout ...................................................................... 297

Table of Contents xiii

Table of Contents


14/993

enrollment .................................................................................................. 298establish-tunnels .......................................................................................... 299expression ................................................................................................... 300external-interface ........................................................................................ 301

external-interface (IKE Gateway) ........................................................... 301external-interface (Manual Security Association) ...................................301

false-positives .............................................................................................. 302family .......................................................................................................... 303filters ........................................................................................................... 304fin-no-ack .................................................................................................... 305firewall-authentication ................................................................................. 306

firewall-authentication (Policies) ...........................................................306firewall-authentication (Security) ...........................................................307

flood ............................................................................................................ 308flood (ICMP) .......................................................................................... 308flood (UDP) ........................................................................................... 309

flow ............................................................................................................. 310flow (IDP) .............................................................................................. 310flow (Security Flow) .............................................................................. 311

forwarding-options ...................................................................................... 312fragment ..................................................................................................... 313from ............................................................................................................ 313from-zone ................................................................................................... 314

from-zone (IDP Policy) .......................................................................... 314from-zone (Security Policies) ................................................................. 315

ftp ............................................................................................................... 317functional-zone ............................................................................................ 318gatekeeper .................................................................................................. 319gateway ....................................................................................................... 320

gateway (IKE) ........................................................................................ 321gateway (IPsec) ..................................................................................... 322gateway (Manual Security Association) .................................................322

global .......................................................................................................... 323gre-in ........................................................................................................... 324gre-out ......................................................................................................... 325group-members ........................................................................................... 326h323 ............................................................................................................ 327header-length .............................................................................................. 328high-watermark ........................................................................................... 328host-address-base ........................................................................................ 329host-address-low ......................................................................................... 329host-inbound-traffic ..................................................................................... 330

hostname .................................................................................................... 331icmp ............................................................................................................ 332icmp (Protocol Binding Custom Attack) .................................................332icmp (Security Screen) .......................................................................... 333icmp (Signature Attack) ......................................................................... 334

identification ............................................................................................... 335identification (ICMP Headers in Signature Attack) ................................. 335identification (IP Headers in Signature Attack) ...................................... 336

idle-time ...................................................................................................... 336

xiv Table of Contents



15/993

idp ............................................................................................................... 337idp-policy .................................................................................................... 344ids-option .................................................................................................... 346ignore-mem-overflow .................................................................................. 347

ignore-regular-expression ............................................................................ 348ike ............................................................................................................... 349

ike (IPsec VPN) ..................................................................................... 349ike (Security) ......................................................................................... 350

ike-policy ..................................................................................................... 351ike-user-type ................................................................................................ 352inactive-media-timeout ................................................................................ 353

inactive-media-timeout (MGCP) .............................................................353inactive-media-timeout (SCCP) .............................................................. 354inactive-media-timeout (SIP) .................................................................354

include-destination-address .........................................................................355inet .............................................................................................................. 355inet6 ............................................................................................................ 356install-interval .............................................................................................. 356interface ...................................................................................................... 357

interface (ARP Proxy Services Gateway) ...............................................357interface (NAT Services Router) ............................................................ 358

interfaces .................................................................................................... 359interval ........................................................................................................ 360

interval (IDP) ......................................................................................... 360interval (IKE) ......................................................................................... 360

ip ................................................................................................................. 361ip (Protocol Binding Custom Attack) .....................................................361ip (Security Screen) ............................................................................... 362ip (Signature Attack) ............................................................................. 364

ip-action ...................................................................................................... 365ip-block ....................................................................................................... 365ip-close ........................................................................................................ 366ip-flags ........................................................................................................ 366ip-notify ....................................................................................................... 367ips ............................................................................................................... 367ipsec-policy ................................................................................................. 368ipsec-vpn ..................................................................................................... 369

ipsec-vpn (Flow) .................................................................................... 369ipsec-vpn (Policies) ............................................................................... 370

ip-sweep ...................................................................................................... 370iso ............................................................................................................... 371land ............................................................................................................. 371

large ............................................................................................................ 372lifetime-kilobytes ......................................................................................... 372limit-session ................................................................................................ 373local ............................................................................................................ 373local-certificate ............................................................................................ 374local-identity ................................................................................................ 375

Table of Contents xv

Table of Contents


16/993

log ............................................................................................................... 376log (IDP) ................................................................................................ 376log (IDP Policy) ..................................................................................... 377log (Security Policies) ............................................................................ 377

log-attacks ................................................................................................... 378log-errors ..................................................................................................... 378log-supercede-min ....................................................................................... 379low-watermark ............................................................................................ 379management ............................................................................................... 380manual ........................................................................................................ 381match .......................................................................................................... 382

match (Destination NAT Services Gateway) .......................................... 382match (IDP Policy) ................................................................................ 383match (Security Policies) ....................................................................... 384match (Source NAT Services Gateway) .................................................. 384match (Static NAT Services Gateway) .................................................... 385

max-flow-mem ............................................................................................ 385max-logs-operate ......................................................................................... 386max-packet-mem ........................................................................................ 386max-packet-memory ................................................................................... 387max-sessions ............................................................................................... 387max-tcp-session-packet-memory .................................................................388max-time-report .......................................................................................... 388max-timers-poll-ticks ................................................................................... 389max-udp-session-packet-memory ................................................................ 389maximum-call-duration ............................................................................... 390media-source-port-any ................................................................................ 390member ...................................................................................................... 391message-flood ............................................................................................. 392

message-flood (H323) ...........................................................................392message-flood (MGCP) .......................................................................... 393mgcp ........................................................................................................... 394mode ........................................................................................................... 395

mode (Forwarding-Options) .................................................................. 395mode (Policy) ........................................................................................ 396

mpls ............................................................................................................ 396msrpc .......................................................................................................... 397mss ............................................................................................................. 398nat ............................................................................................................... 399

nat (Services Gateway Configuration) .................................................... 400nat (Services Router Configuration) ....................................................... 402

nat-keepalive ............................................................................................... 403

negate ......................................................................................................... 404no-allow-icmp-without-flow .........................................................................404no-anti-replay .............................................................................................. 404no-enable-all-qmodules ............................................................................... 404no-enable-packet-pool ................................................................................. 405no-log-errors ................................................................................................ 405no-nat-traversal ........................................................................................... 405no-policy-lookup-cache ................................................................................ 405

xvi Table of Contents



17/993

no-port-translation ....................................................................................... 406no-reset-on-policy ........................................................................................ 406no-sequence-check ...................................................................................... 406no-syn-check ............................................................................................... 407

no-syn-check-in-tunnel ................................................................................ 407notification .................................................................................................. 408optimized .................................................................................................... 408option .......................................................................................................... 409order ........................................................................................................... 409overflow-pool .............................................................................................. 410

overflow-pool (Source NAT Services Gateway) ...................................... 410overflow-pool (Source NAT Services Router) .........................................411

pair-policy ................................................................................................... 412pass-through ................................................................................................ 413pattern ........................................................................................................ 414peer-certificate-type .................................................................................... 414perfect-forward-secrecy ............................................................................... 415performance ............................................................................................... 416permit ......................................................................................................... 417ping-death ................................................................................................... 418pki ............................................................................................................... 419policies ........................................................................................................ 421policy .......................................................................................................... 423

policy (IKE) ........................................................................................... 423policy (IPsec) ......................................................................................... 424policy (Security) .................................................................................... 425

policy-lookup-cache ..................................................................................... 426policy-rematch ............................................................................................ 427pool ............................................................................................................. 428

pool (Destination NAT Services Gateway) .............................................428pool (Pool Set) ....................................................................................... 429pool (Source NAT) ................................................................................. 429pool (Source NAT Services Gateway) .....................................................430

pool-set ....................................................................................................... 430pool-utilization-alarm .................................................................................. 431port ............................................................................................................. 432port-scan ..................................................................................................... 433pptp ............................................................................................................ 434pre-filter-shellcode ....................................................................................... 435predefined-attack-groups ............................................................................. 435predefined-attacks ....................................................................................... 436pre-shared-key ............................................................................................ 436

process-ignore-s2c ....................................................................................... 437process-override .......................................................................................... 437process-port ................................................................................................ 438products ...................................................................................................... 438proposal ...................................................................................................... 439proposal-set ................................................................................................. 440

proposal-set (IKE) .................................................................................. 441proposal-set (IPsec) ............................................................................... 442

protect ......................................................................................................... 443

Table of Contents xvii

Table of Contents


18/993

protocol ....................................................................................................... 444protocol (IPsec) ..................................................................................... 444protocol (Manual Security Association) ................................................. 445protocol (IP Headers in Signature Attack) .............................................. 445

protocol (Signature Attack) .................................................................... 446protocol-binding .......................................................................................... 449protocol-name ............................................................................................. 450protocols ..................................................................................................... 451

protocols (Interface Host-Inbound Traffic) ............................................. 452protocols (Zone Host-Inbound Traffic) ................................................... 454

proxy-arp .................................................................................................... 456proxy-arp (Services Gateway Configuration) ......................................... 456proxy-arp (Services Router Configuration) ............................................ 457

proxy-identity .............................................................................................. 457raise-threshold ............................................................................................. 458real .............................................................................................................. 459re-assembler ................................................................................................ 460re-enroll-trigger-time-percentage .................................................................460recommended ............................................................................................. 461recommended-action .................................................................................. 462regexp ......................................................................................................... 463reject ........................................................................................................... 463reject-timeout .............................................................................................. 464remote ........................................................................................................ 464reset ............................................................................................................ 465reset-on-policy ............................................................................................. 465respond-bad-spi ........................................................................................... 466retain-hold-resource .................................................................................... 466revocation-check ......................................................................................... 467

route-change-timeout .................................................................................. 468routing-instance .......................................................................................... 469routing-instance (Destination NAT Services Gateway) ...........................469routing-instance (Source NAT Services Gateway) ..................................469

rpc ............................................................................................................... 470rsh ............................................................................................................... 471rst-invalidate-session ................................................................................... 472rst-sequence-check ...................................................................................... 472rtsp .............................................................................................................. 473rule .............................................................................................................. 474

rule (Destination NAT) .......................................................................... 474rule (Exempt Rulebase) ......................................................................... 475rule (IPS Rulebase) ................................................................................ 476

rule (Source NAT) .................................................................................. 477rule (Static NAT) .................................................................................... 478rule-set ........................................................................................................ 479

rule-set (Destination NAT Services Gateway) .........................................479rule-set (Source NAT Services Gateway) ................................................ 480rule-set (Static NAT Services Gateway) .................................................. 481

rulebase-exempt .......................................................................................... 482rulebase-ips ................................................................................................. 483sccp ............................................................................................................. 484

xviii Table of Contents



19/993

scheduler-name ........................................................................................... 485scope ........................................................................................................... 486

scope (Chain Attack) ............................................................................. 486scope (Custom Attack) .......................................................................... 487

screen ......................................................................................................... 488screen (Security) ................................................................................... 489screen (Zones) ...................................................................................... 490

security-package .......................................................................................... 491security-zone ............................................................................................... 492sensor-configuration .................................................................................... 494sessions ....................................................................................................... 495session-close ............................................................................................... 496session-init .................................................................................................. 496sequence-number ........................................................................................ 497

sequence-number (ICMP Headers in Signature Attack) .........................497sequence-number (TCP Headers in Signature Attack) ........................... 498

service ......................................................................................................... 499service (Anomaly Attack) ...................................................................... 499service (Dynamic Attack Group) ............................................................ 499service (Security IPsec) ......................................................................... 500

severity ....................................................................................................... 501severity (Custom Attack) ....................................................................... 501severity (Dynamic Attack Group) .......................................................... 502severity (IPS Rulebase) .......................................................................... 503

shellcode ..................................................................................................... 504signature ..................................................................................................... 505sip ............................................................................................................... 509source ......................................................................................................... 510

source (IP Headers in Signature Attack) ................................................ 510

source (Source NAT Services Gateway) .................................................511source-address ............................................................................................ 513source-address (Destination NAT Services Gateway) .............................513source-address (IDP Policy) ................................................................... 514source-address (Security Policies) ......................................................... 514source-address (Source NAT Services Gateway) ....................................515

source-except .............................................................................................. 515source-interface ........................................................................................... 516source-ip-based ........................................................................................... 516source-nat ................................................................................................... 517

source-nat (NAT) ................................................................................... 517source-nat (NAT Interface) .................................................................... 518source-nat (Security Policies) ................................................................ 519

source-nat (Source NAT Services Gateway) ...........................................519source-port .................................................................................................. 520source-threshold .......................................................................................... 521spi ............................................................................................................... 522sql ............................................................................................................... 523ssh-known-hosts .......................................................................................... 524ssl-inspection ............................................................................................... 525start-log ....................................................................................................... 525start-time ..................................................................................................... 526

Table of Contents xix

Table of Contents


20/993

static ........................................................................................................... 527static-nat ..................................................................................................... 528

static-nat (Static NAT Services Router) .................................................. 528static-nat (Static NAT Services Gateway) ...............................................529

sunrpc ......................................................................................................... 530suppression ................................................................................................. 531syn-ack-ack-proxy ....................................................................................... 532syn-fin ......................................................................................................... 532syn-flood ..................................................................................................... 533syn-flood-protection-mode .......................................................................... 534syn-frag ....................................................................................................... 535system-services ........................................................................................... 536

system-services (Interface Host-Inbound Traffic) ...................................537system-services (Zone Host-Inbound Traffic) ........................................ 539

t1-interval .................................................................................................... 540t4-interval .................................................................................................... 541talk .............................................................................................................. 542target ........................................................................................................... 543tcp ............................................................................................................... 544

tcp (Protocol Binding Custom Attack) .................................................... 544tcp (Security Screen) ............................................................................. 545tcp (Signature Attack) ............................................................................ 546

tcp-flags ....................................................................................................... 548tcp-initial-timeout ................................

Documents

Junos Es Cli Reference