-
7/23/2019 Junos Es Cli Reference
1/993
JUNOS Software
CLI Referencefor J-series Services Routers and SRX-series
ServicesGateways
Release 9.3
Juniper Networks, Inc.1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-02583201, Revision 1
-
7/23/2019 Junos Es Cli Reference
2/993
This product includes the Envoy SNMP Engine, developed by
Epilogue Technology, an Integrated Systems Company. Copyright
1986-1997, EpilogueTechnology Corporation. All rights reserved.
This program and i ts documentation were developed at private
expense, and no part of them is in the publicdomain.
This product includes memory allocation software developed by
Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the
University of California, Berkeley, and its contributors. All of
the documentation and softwareincluded in the 4.4BSD and
4.4BSD-Lite Releases is copyrighted by the Regents of the
University of California. Copyright 1979, 1980, 1983, 1986,
1988,1989, 1991, 1992, 1993, 1994. The Regents of the University of
California. All rights reserved.
GateD software copyright 1995, the Regents of the University.
All rights reserved. Gate Daemon was originated and developed
through release 3.0 byCornell University and its collaborators.
Gated is based on Kirtons EGP, UC Berkeleys routing daemon
(routed), and DCNs HELLO routing protocol.Development of Gated has
been supported in part by the National Science Foundation. Portions
of the GateD software copyright 1988, Regents of theUniversity of
California. All rights reserved. Portions of the GateD software
copyright 1991, D. L. S. Associates.
This product includes software developed by Maker
Communications, Inc., copyright 1996, 1997, Maker Communications,
Inc.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen,
ScreenOS, and Steel-Belted Radius are registered trademarks of
Juniper Networks, Inc. inthe United States and other countries.
JUNOSe is a trademark of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, orregistered
service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies
in this document. Juniper Networks reserves the right to change,
modify, transfer, orotherwise revise this publication without
notice.
Products made or sold by Juniper Networks or components thereof
might be covered by one or more of the following patents that are
owned by or licensedto Juniper Networks: U.S. Patent Nos.
5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479,
6,406,312, 6,429,706, 6,459,579, 6,493,347,6,538,518, 6,538,899,
6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOS Software CLI Reference
Release 9.3Copyright 2008, Juniper Networks, Inc.All rights
reserved. Printed in USA.
Revision HistoryNovember 2008Revision 1
The information in this document is current as of the date
listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000
compliant. The JUNOS software has no known time-related limitations
through the year2038. However, the NTP application is known to have
some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described
in the software license contained in the acknowledgment to your
purchase order or, to theextent applicable, to any reseller
agreement or end-user purchase agreement executed between you and
Juniper Networks. By using this software, youindicate that you
understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in
whichyou are permitted to use the software and may contain
prohibitions against certain uses. The software license may state
conditions under which the licenseis automatically terminated. You
should consult the license for further details. For complete
product documentation, please see the Juniper Networks Website at
www.juniper.net/techpubs.
ii
-
7/23/2019 Junos Es Cli Reference
3/993
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE
DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY
DOWNLOADING,INSTALLING, OR USING THE SOFTWARE OR OTHERWISE
EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS
CUSTOMEROR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT
AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED
HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,AND
(B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties.The parties to this Agreement are (i) Juniper
Networks, Inc. (if the Customers principal office is located in the
Americas) or Juniper Networks(Cayman) Limited (if the Customers
principal office is located outside the Americas) (such applicable
entity being referred to herein as Juniper), and (ii)the person or
organization that originally purchased from Juniper or an
authorized Juniper reseller the applicable license(s) for use of
the Software (Customer)(collectively, the Parties).
2. The Software.In this Agreement, Softwaremeans the program
modules and features of the Juniper or Juniper-supplied software,
for which Customerhas paid the applicable license or support fees
to Juniper or an authorized Juniper reseller, or which was embedded
by Juniper in equipment which Customerpurchased from Juniper or an
authorized Juniper reseller. Softwarealso includes updates,
upgrades and new releases of such software. EmbeddedSoftwaremeans
Software which Juniper has embedded in or loaded onto the Juniper
equipment and any updates, upgrades, additions or replacementswhich
are subsequently embedded in or loaded onto the equipment.
3. License Grant.Subject to payment of the applicable fees and
the limitations and restrictions set forth herein, Juniper grants
to Customer a non-exclusiveand non-transferable license, without
right to sublicense, to use the Software, in executable form only,
subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in,
and for execution on, Juniper equipment originally purchased by
Customer from Juniperor an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis
having a single processing unit, or as many chassis or processing
units for which Customerhas paid the applicable license fees;
provided, however, with respect to the Steel-Belted Radius or
Odyssey Access Client software only, Customer shall usesuch
Software on a single computer containing a single physical random
access memory space and containing any number of processors. Use of
theSteel-Belted Radius or IMS AAA software on multiple computers or
virtual machines (e.g., Solaris zones) requires multiple licenses,
regardless of whethersuch computers or virtualizations are
physically contained on a single chassis.
c. Product purchase documents, paper or electronic user
documentation, and/or the particular licenses purchased by Customer
may specify limits toCustomers use of the Software. Such limits may
restrict use to a maximum number of seats, registered endpoints,
concurrent users, sessions, calls,connections, subscribers,
clusters, nodes, realms, devices, links, ports or transactions, or
require the purchase of separate licenses to use particular
features,functionalities, services, applications, operations, or
capabilities, or provide throughput, performance, configuration,
bandwidth, interface, processing,temporal, or geographical limits.
In addition, such limits may restrict the use of the Software to
managing certain kinds of networks or require the Softwareto be
used only in conjunction with other specific Software. Customers
use of the Software shall be subject to all such limitations and
purchase of all applicablelicenses.
d. For any trial copy of the Software, Customers right to use
the Software expires 30 days after download, installation or use of
the Software. Customermay operate the Software after the 30-day
trial period only if Customer pays for a license to do so. Customer
may not extend or create an additional trialperiod by re-installing
the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius
software may be used by Customer only to manage access to Customers
enterprise network.Specifically, service provider customers are
expressly prohibited from using the Global Enterprise Edition of
the Steel-Belted Radius software to support anycommercial network
access services.
The foregoing license is not transferable or assignable by
Customer. No license is granted herein to any user who did not
originally purchase the applicablelicense(s) for the Software from
Juniper or an authorized Juniper reseller.
4. Use Prohibitions.Notwithstanding the foregoing, the l icense
provided herein does not permit the Customer to, and Customer
agrees not to and shallnot: (a) modify, unbundle, reverse engineer,
or create derivative works based on the Software; (b) make
unauthorized copies of the Software (except asnecessary for backup
purposes); (c) rent, sell, transfer, or grant any rights in and to
any copy of the Software, in any form, to any third party; (d)
removeany proprietary notices, labels, or marks on or in any copy
of the Software or any product in which the Software is embedded;
(e) dist ribute any copy ofthe Software to any third party,
including as may be embedded in Juniper equipment sold in the
secondhand market; (f) use any lockedor key-restricted
feature, function, service, application, operation, or
capability without first purchasing the applicable license(s) and
obtaining a valid key from Juniper, evenif such feature, function,
service, application, operation, or capability is enabled without a
key; (g) distribute any key for the Software provided by Juniperto
any third party; (h) use the Software in any manner that extends or
is broader than the uses purchased by Customer from Juniper or an
authorized Juniperreseller; (i) use Embedded Software on
non-Juniper equipment; (j) use Embedded Software (or make it
available for use) on Juniper equipment that theCustomer did not
originally purchase from Juniper or an authorized Juniper reseller;
(k) disclose the results of testing or benchmarking of the Software
toany third party without the prior written consent of Juniper; or
(l) use the Software in any manner other than as expressly provided
herein.
5. Audit.Customer shall maintain accurate records as necessary
to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnishsuch records to Juniper and certify its
compliance with this Agreement.
iii
-
7/23/2019 Junos Es Cli Reference
4/993
6. Confidentiality.The Parties agree that aspects of the
Software and associated documentation are the confidential property
of Juniper. As such, Customershall exercise all reasonable
commercial efforts to maintain the Software and associated
documentation in confidence, which at a minimum includesrestricting
access to the Software to Customer employees and contractors having
a need to use the Software for Customers internal business
purposes.
7. Ownership.Juniper and Junipers licensors, respectively,
retain ownership of all right, title, and interest (including
copyright) in and to the Software,
associated documentation, and all copies of the Software.
Nothing in this Agreement constitutes a transfer or conveyance of
any right, title, or interest inthe Software or associated
documentation, or a sale of the Software, associated documentation,
or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty.The
warranty applicable to the Software shall be as set forth in the
warranty statement thataccompanies the Software (the Warranty
Statement). Nothing in this Agreement shall give rise to any
obligation to support the Software. Support servicesmay be
purchased separately. Any such support shall be governed by a
separate, written support services agreement. TO THE MAXIMUM EXTENT
PERMITTEDBY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS,
LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES,OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER
ORJUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE
FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANYJUNIPER
OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE
WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,JUNIPER DISCLAIMS
ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS,
IMPLIED, STATUTORY, OR OTHERWISE), INCLUDINGANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NONINFRINGEMENT. IN NO EVENT DOES JUNIPERWARRANT THAT THE SOFTWARE,
OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE
WITHOUT ERROR OR INTERRUPTION,OR WILL BE FREE OF VULNERABILITY TO
INTRUSION OR ATTACK. In no event shall Junipers or its suppliersor
licensorsliability to Customer, whetherin contract, tort (including
negligence), breach of warranty, or otherwise, exceed the price
paid by Customer for the Software that gave rise to the claim, orif
the Software is embedded in another Juniper product, the price paid
by Customer for such other product. Customer acknowledges and
agrees that Juniperhas set its prices and entered into this
Agreement in reliance upon the disclaimers of warranty and the
limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the
risk that a contract remedy may fail of its essential purpose and
cause consequential loss),and that the same form an essential basis
of the bargain between the Parties.
9. Termination.Any breach of this Agreement or failure by
Customer to pay any applicable fees due shall result in automatic
termination of the licensegranted herein. Upon such termination,
Customer shall destroy or return to Juniper all copies of the
Software and related documentation in Customerspossession or
control.
10. Taxes.All license fees payable under this agreement are
exclusive of tax. Customer shall be responsible for paying Taxes
arising from the purchase ofthe license, or importation or use of
the Software. If applicable, valid exemption documentation for each
taxing jurisdiction shall be provided to Juniper priorto invoicing,
and Customer shall promptly notify Juniper if their exemption is
revoked or modified. All payments made by Customer shall be net of
anyapplicable withholding tax. Customer will provide reasonable
assistance to Juniper in connection with such withholding taxes by
promptly: providing Juniperwith valid tax receipts and other
required documentation showing Customers payment of any withholding
taxes; completing appropriate applications thatwould reduce the
amount of withholding tax to be paid; and notifying and assisting
Juniper in any audit or tax proceeding related to transactions
hereunder.Customer shall comply with all applicable tax laws and
regulations, and Customer will promptly pay or reimburse Juniper
for all costs and damages relatedto any liability incurred by
Juniper as a result of Customers non-compliance or delay with its
responsibilities herein. Customers obligations under thisSection
shall survive termination or expiration of this Agreement.
11. Export.Customer agrees to comply with all applicable export
laws and restrictions and regulations of any United States and any
applicable foreignagency or authority, and not to export or
re-export the Software or any direct product thereof in violation
of any such restrictions, laws or regulations, orwithout all
necessary approvals. Customer shall be liable for any such
violations. The version of the Software supplied to Customer may
contain encryptionor other capabilities restricting Customers
ability to export the Software without an export license.
12. Commercial Computer Software.The Software is commercial
computer softwareand is provided with restricted rights. Use,
duplication, or disclosureby the United States government is
subject to restrictions set forth in this Agreement and as provided
in DFARS 227.7201 through 227.7202-4, FAR 12.212,FAR 27.405(b)(2),
FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information.To the extent required by applicable
law, and at Customer's written request, Juniper shall provide
Customer with the interfaceinformation needed to achieve
interoperability between the Software and another independently
created program, on payment of applicable fee, if any.Customer
shall observe strict obligations of confidentiality with respect to
such information and shall use such information in compliance with
any applicableterms and conditions upon which Juniper makes such
information available.
14. Third Party Software.Any licensor of Juniper whose software
is embedded in the Software and any supplier of Juniper whose
products or technologyare embedded in (or services are accessed by)
the Software shall be a third party beneficiary with respect to
this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name
as if it were Juniper. In addition, certain third party software
may be provided with theSoftware and is subject to the accompanying
license(s), if any, of its respective owner(s). To the extent
portions of the Software are distributed under andsubject to open
source licenses obligating Juniper to make the source code for such
portions publicly available (such as the GNU General Public
License(GPL) or the GNU Library General Public License (LGPL)),
Juniper will make such source code portions (including Juniper
modifications, as appropriate)available upon request for a period
of up to three years from the date of distribution. Such request
can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel.
You may obtain a copy of the GPL at
http://www.gnu.org/licenses/gpl.html, anda copy of the LGPL at
http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws
of the State of California without reference to its conflicts of
laws principles. The provisionsof the U.N. Convention for the
International Sale of Goods shall not apply to this Agreement. For
any disputes arising under this Agreement, the Partieshereby
consent to the personal and exclusive jurisdiction of, and venue
in, the state and federal courts within Santa Clara County,
California. This Agreementconstitutes the entire and sole agreement
between Juniper and the Customer with respect to the Software, and
supersedes all prior and contemporaneous
iv
http://www.gnu.org/licenses/gpl.htmlhttp://www.gnu.org/licenses/lgpl.htmlhttp://www.gnu.org/licenses/lgpl.htmlhttp://www.gnu.org/licenses/gpl.html
-
7/23/2019 Junos Es Cli Reference
5/993
agreements relating to the Software, whether oral or written
(including any inconsistent terms contained in a purchase order),
except that the terms of aseparate written agreement executed by an
authorized Juniper representative and Customer shall govern to the
extent such terms are inconsistent or conflictwith terms contained
herein. No modification to this Agreement nor any waiver of any
rights hereunder shall be effective unless expressly assented to
inwriting by the party to be charged. If any portion of this
Agreement is held invalid, the Parties agree that such invalidity
shall not affect the validity of theremainder of this Agreement.
This Agreement and associated documentation has been written in the
English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux prsents
confirment leur volont que cette convention de mme que tous les
documents y compris toutavis qui s'y rattach, soient redigs en
langue anglaise. (Translation: The parties confirm that this
Agreement and all related documentation is and will bein the
English language)).
v
-
7/23/2019 Junos Es Cli Reference
6/993
vi
-
7/23/2019 Junos Es Cli Reference
7/993
Table of Contents
About This Guide xxvii
Objectives
..................................................................................................
xxviiAudience
...................................................................................................
xxviiiSupported Routing Platforms
....................................................................
xxviiiHow to Use This Manual
...........................................................................
xxviiiDocument Conventions
...............................................................................
xxxList of Technical Publications
.....................................................................xxxii
Documentation Feedback
.........................................................................
xxxiiiRequesting Technical Support
...................................................................
xxxiv
Part 1 Configuration Statements
Chapter 1 Access Hierarchy and Statements 3
Access Configuration Statement Hierarchy
......................................................
3admin-search
..................................................................................................
6assemble
.........................................................................................................
7
authentication-order
........................................................................................
8banner
............................................................................................................
9
banner (FTP, HTTP, Telnet)
.......................................................................
9banner (Web Authentication)
..................................................................
10
base-distinguished-name
...............................................................................
11client-group
...................................................................................................
12client-idle-timeout
.........................................................................................
12client-name-filter
...........................................................................................
13client-session-timeout
....................................................................................
13configuration-file
...........................................................................................
14count
.............................................................................................................
14default-profile
................................................................................................
15distinguished-name
.......................................................................................
15domain-name
................................................................................................
16fail
.................................................................................................................
16firewall-authentication
...................................................................................
17firewall-user
..................................................................................................
18ftp
.................................................................................................................
18http
...............................................................................................................
19ldap-options
..................................................................................................
20ldap-server
....................................................................................................
21login
..............................................................................................................
22
Table of Contents vii
-
7/23/2019 Junos Es Cli Reference
8/993
pass-through
..................................................................................................
23password
.......................................................................................................
24port
...............................................................................................................
25
port (LDAP)
.............................................................................................
25
port (RADIUS)
.........................................................................................
25radius-options
...............................................................................................
26radius-server
.................................................................................................
27retry
..............................................................................................................
28
retry (LDAP)
............................................................................................
28retry (RADIUS)
........................................................................................
29
revert-interval
................................................................................................
30revert-interval (LDAP)
.............................................................................
30revert-interval (RADIUS)
..........................................................................
31
routing-instance
............................................................................................
32routing-instance (LDAP)
..........................................................................
32routing-instance (RADIUS)
......................................................................
33
search
...........................................................................................................
33search-filter
...................................................................................................
34secret
............................................................................................................
34securid-server
................................................................................................
35separator
.......................................................................................................
36session-options
..............................................................................................
37source-address
..............................................................................................
38
source-address (LDAP)
............................................................................
38source-address (RADIUS)
........................................................................
38
success
..........................................................................................................
39telnet
.............................................................................................................
40timeout
.........................................................................................................
41
timeout (LDAP Server)
............................................................................
41
timeout (RADIUS Server)
.........................................................................
42traceoptions
..................................................................................................
43web-authentication
........................................................................................
44
Chapter 2 Accounting-Options Hierarchy 45
Accounting-Options Configuration Statement Hierarchy
............................... 45
Chapter 3 Applications Hierarchy and Statements 47
Applications Configuration Statement Hierarchy
........................................... 47alg
.................................................................................................................
49application-protocol
.......................................................................................
50destination-port
.............................................................................................
51icmp-code
.....................................................................................................
54icmp-type
......................................................................................................
55inactivity-timeout
..........................................................................................
55protocol
.........................................................................................................
56rpc-program-number
.....................................................................................
57source-port
....................................................................................................
57
viii Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
9/993
term
..............................................................................................................
58uuid
...............................................................................................................
59
Chapter 4 Chassis Hierarchy and Statements 61
Chassis Configuration Statement Hierarchy
................................................... 61cluster
...........................................................................................................
65control-ports
..................................................................................................
66gratuitous-arp-count
......................................................................................
67heartbeat-interval
..........................................................................................
67heartbeat-threshold
.......................................................................................
68interface-monitor
..........................................................................................
68node
..............................................................................................................
69
node (Cluster)
.........................................................................................
69node (Redundancy-Group)
......................................................................
70
pic-mode
.......................................................................................................
71
preempt
........................................................................................................
72priority
..........................................................................................................
72redundancy-group
.........................................................................................
73reth-count
......................................................................................................
74traceoptions
..................................................................................................
75tunnel-queuing
..............................................................................................
76weight
...........................................................................................................
77
Chapter 5 Class-of-Service Hierarchy 79
Class-of-Service Configuration Statement Hierarchy
...................................... 79
Chapter 6 Event-Options Hierarchy 83
Event-Options Configuration Statement Hierarchy
........................................ 83
Chapter 7 Firewall Hierarchy 85
Firewall Configuration Statement Hierarchy
.................................................. 85
Chapter 8 Forwarding-Options Hierarchy and Statements 89
Forwarding-Options Configuration Statement Hierarchy
............................... 89vpn
................................................................................................................
93
Chapter 9 Groups Hierarchy 95
Groups Configuration Statement Hierarchy
................................................... 95
Table of Contents ix
Table of Contents
-
7/23/2019 Junos Es Cli Reference
10/993
Chapter 10 Interfaces Hierarchy and Statements 97
Interfaces Configuration Statement Hierarchy
............................................... 97client-identifier
............................................................................................
109
dhcp
............................................................................................................
109fabric-options
..............................................................................................
110flow-control
.................................................................................................
110lease-time
....................................................................................................
111link-speed
....................................................................................................
111loopback
.....................................................................................................
112member-interfaces
......................................................................................
112next-hop-tunnel
...........................................................................................
113no-flow-control
............................................................................................
113no-loopback
................................................................................................
113no-source-filtering
.......................................................................................
113redundancy-group
.......................................................................................
114redundant-ether-options
..............................................................................
114redundant-parent
........................................................................................
115
redundant-parent (Fast Ethernet Options)
............................................. 115redundant-parent
(Gigabit Ethernet Options) ........................................
115
retransmission-attempt
...............................................................................
116retransmission-interval
................................................................................
116server-address
.............................................................................................
117source-address-filter
....................................................................................
117source-filtering
............................................................................................
118update-server
..............................................................................................
118vendor-id
.....................................................................................................
119web-authentication
......................................................................................
119
Chapter 11 Policy-Options Hierarchy and Statements 121
Policy-Options Configuration Statement Hierarchy
...................................... 121condition
.....................................................................................................
122route-active-on
............................................................................................
123
Chapter 12 Protocols Hierarchy 125
Protocols Configuration Statement Hierarchy
.............................................. 125
Chapter 13 Routing-Instances Hierarchy 149
Routing-Instances Configuration Statement Hierarchy
................................149
Chapter 14 Routing-Options Hierarchy 161
Routing-Options Configuration Statement Hierarchy
...................................161
x Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
11/993
Chapter 15 Schedulers Hierarchy and Statements 169
Schedulers Configuration Statement Hierarchy
...........................................169all-day
.........................................................................................................
170
daily
............................................................................................................
171exclude
........................................................................................................
172friday
..........................................................................................................
173monday
.......................................................................................................
174saturday
......................................................................................................
175scheduler
.....................................................................................................
176schedulers
...................................................................................................
177start-date
.....................................................................................................
177start-time
.....................................................................................................
178stop-date
.....................................................................................................
179stop-time
.....................................................................................................
180sunday
........................................................................................................
181thursday
......................................................................................................
182tuesday
.......................................................................................................
183wednesday
..................................................................................................
184
Chapter 16 Security Hierarchy and Statements 185
Security Configuration Statement Hierarchy
................................................ 185access-profile
...............................................................................................
207ack-number
.................................................................................................
207action
..........................................................................................................
208active-policy
................................................................................................
209address
........................................................................................................
210
address (ARP Proxy Services Gateway)
.................................................210address
(Destination NAT Services Gateway)
........................................ 211address (Destination
NAT Services Router)
...........................................211address (IKE Gateway)
..........................................................................
212address (Source NAT)
............................................................................
212address (Zone Address Book)
................................................................
213address (Zone Address Set)
...................................................................
213
address-book
...............................................................................................
214address-persistent
.......................................................................................
214address-range
..............................................................................................
215
address-range (Destination NAT)
...........................................................
215address-range (Source NAT)
..................................................................
215
address-set
..................................................................................................
216
administrator
..............................................................................................
216aging
...........................................................................................................
217alarm-threshold
...........................................................................................
218alarm-without-drop
.....................................................................................
218alert
.............................................................................................................
219alg
...............................................................................................................
220algorithm
.....................................................................................................
224all-tcp
..........................................................................................................
225allow-dns-reply
............................................................................................
225
Table of Contents xi
Table of Contents
-
7/23/2019 Junos Es Cli Reference
12/993
allow-icmp-without-flow
..............................................................................
226allow-incoming
............................................................................................
226always-send
.................................................................................................
227anomaly
......................................................................................................
227
application
..................................................................................................
228application (Protocol Binding Custom Attack)
.......................................228application (Security
Policies)
................................................................
228
application-identification
.............................................................................
229application-screen
.......................................................................................
230
application-screen (H323)
.....................................................................230application-screen
(MGCP)
....................................................................
231application-screen (SCCP)
.....................................................................231application-screen
(SIP)
.........................................................................232
application-services
.....................................................................................
233application-system-cache
............................................................................
233application-system-cache-timeout
...............................................................234attack-threshold
...........................................................................................
235attacks
.........................................................................................................
236
attacks (Exempt Rulebase)
....................................................................
236attacks (IPS Rulebase)
...........................................................................
237
attack-type
..................................................................................................
238attack-type (Anomaly)
...........................................................................238attack-type
(Chain)
................................................................................
239attack-type (Signature)
..........................................................................
240
authentication
.............................................................................................
243authentication-algorithm
.............................................................................
244authentication-method
................................................................................
245auto-re-enrollment
.......................................................................................
246automatic
....................................................................................................
247
bind-interface
..............................................................................................
247c-timeout
.....................................................................................................
248ca-identity
...................................................................................................
248ca-profile
.....................................................................................................
249ca-profile-name
...........................................................................................
250cache-size
....................................................................................................
250call-flood
.....................................................................................................
251category
......................................................................................................
251certificate
....................................................................................................
252certificate-id
................................................................................................
252chain
...........................................................................................................
253challenge-password
.....................................................................................
254clear-threshold
............................................................................................
254
code
............................................................................................................
255connection-flood
.........................................................................................
255connections-limit
.........................................................................................
256container
.....................................................................................................
256context
........................................................................................................
257count
...........................................................................................................
258
count (Custom Attack)
..........................................................................
258count (Security Policies)
........................................................................
259
crl
................................................................................................................
260
xii Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
13/993
custom-attack
..............................................................................................
261custom-attack-group
....................................................................................
265custom-attacks
............................................................................................
265data-length
..................................................................................................
266
dead-peer-detection
.....................................................................................
267default-policy
...............................................................................................
268deny
............................................................................................................
269
deny (Policy)
.........................................................................................
269deny (SIP)
.............................................................................................
270
description
..................................................................................................
271description (IDP Policy)
.........................................................................271description
(Security Policies)
...............................................................
271
destination
..................................................................................................
272destination (Destination NAT Services Gateway)
...................................273destination (IP Headers in
Signature Attack) ......................................... 274
destination-address
.....................................................................................
275destination-address (Destination NAT Services Gateway)
......................275destination-address (IDP Policy)
............................................................
276destination-address (Security Policies)
..................................................
276destination-address (Source NAT Services Gateway)
.............................277destination-address (Static NAT
Services Gateway)
...............................277destination-address (Traffic
Policy Services Gateway) ...........................278
destination-except
.......................................................................................
278destination-ip
..............................................................................................
279destination-ip-based
....................................................................................
279destination-nat
............................................................................................
280
destination-nat (Destination NAT Services Gateway)
.............................280destination-nat (Destination NAT
Services Router) ................................281destination-nat
(Security Policies)
.........................................................282
destination-port
...........................................................................................
283destination-port (Destination NAT Services Gateway)
............................283destination-port (Signature Attack)
........................................................ 284
destination-threshold
...................................................................................
285detect-shellcode
...........................................................................................
285detector
.......................................................................................................
286df-bit
...........................................................................................................
286dh-group
......................................................................................................
287direction
......................................................................................................
288
direction (Custom Attack)
.....................................................................288direction
(Dynamic Attack Group)
......................................................... 289
disable-call-id-hiding
....................................................................................
289distinguished-name
.....................................................................................
290
dns
..............................................................................................................
291dynamic
......................................................................................................
292dynamic-attack-group
..................................................................................
293early-ageout
................................................................................................
294enable-all-qmodules
....................................................................................
294enable-packet-pool
......................................................................................
295encryption
...................................................................................................
296encryption-algorithm
...................................................................................
297endpoint-registration-timeout
......................................................................
297
Table of Contents xiii
Table of Contents
-
7/23/2019 Junos Es Cli Reference
14/993
enrollment
..................................................................................................
298establish-tunnels
..........................................................................................
299expression
...................................................................................................
300external-interface
........................................................................................
301
external-interface (IKE Gateway)
...........................................................
301external-interface (Manual Security Association)
...................................301
false-positives
..............................................................................................
302family
..........................................................................................................
303filters
...........................................................................................................
304fin-no-ack
....................................................................................................
305firewall-authentication
.................................................................................
306
firewall-authentication (Policies)
...........................................................306firewall-authentication
(Security)
...........................................................307
flood
............................................................................................................
308flood (ICMP)
..........................................................................................
308flood (UDP)
...........................................................................................
309
flow
.............................................................................................................
310flow (IDP)
..............................................................................................
310flow (Security Flow)
..............................................................................
311
forwarding-options
......................................................................................
312fragment
.....................................................................................................
313from
............................................................................................................
313from-zone
...................................................................................................
314
from-zone (IDP Policy)
..........................................................................
314from-zone (Security Policies)
.................................................................
315
ftp
...............................................................................................................
317functional-zone
............................................................................................
318gatekeeper
..................................................................................................
319gateway
.......................................................................................................
320
gateway (IKE)
........................................................................................
321gateway (IPsec)
.....................................................................................
322gateway (Manual Security Association)
.................................................322
global
..........................................................................................................
323gre-in
...........................................................................................................
324gre-out
.........................................................................................................
325group-members
...........................................................................................
326h323
............................................................................................................
327header-length
..............................................................................................
328high-watermark
...........................................................................................
328host-address-base
........................................................................................
329host-address-low
.........................................................................................
329host-inbound-traffic
.....................................................................................
330
hostname
....................................................................................................
331icmp
............................................................................................................
332icmp (Protocol Binding Custom Attack)
.................................................332icmp (Security
Screen)
..........................................................................
333icmp (Signature Attack)
.........................................................................
334
identification
...............................................................................................
335identification (ICMP Headers in Signature Attack)
................................. 335identification (IP Headers in
Signature Attack) ...................................... 336
idle-time
......................................................................................................
336
xiv Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
15/993
idp
...............................................................................................................
337idp-policy
....................................................................................................
344ids-option
....................................................................................................
346ignore-mem-overflow
..................................................................................
347
ignore-regular-expression
............................................................................
348ike
...............................................................................................................
349
ike (IPsec VPN)
.....................................................................................
349ike (Security)
.........................................................................................
350
ike-policy
.....................................................................................................
351ike-user-type
................................................................................................
352inactive-media-timeout
................................................................................
353
inactive-media-timeout (MGCP)
.............................................................353inactive-media-timeout
(SCCP)
..............................................................
354inactive-media-timeout (SIP)
.................................................................354
include-destination-address
.........................................................................355inet
..............................................................................................................
355inet6
............................................................................................................
356install-interval
..............................................................................................
356interface
......................................................................................................
357
interface (ARP Proxy Services Gateway)
...............................................357interface (NAT
Services Router)
............................................................
358
interfaces
....................................................................................................
359interval
........................................................................................................
360
interval (IDP)
.........................................................................................
360interval (IKE)
.........................................................................................
360
ip
.................................................................................................................
361ip (Protocol Binding Custom Attack)
.....................................................361ip
(Security Screen)
...............................................................................
362ip (Signature Attack)
.............................................................................
364
ip-action
......................................................................................................
365ip-block
.......................................................................................................
365ip-close
........................................................................................................
366ip-flags
........................................................................................................
366ip-notify
.......................................................................................................
367ips
...............................................................................................................
367ipsec-policy
.................................................................................................
368ipsec-vpn
.....................................................................................................
369
ipsec-vpn (Flow)
....................................................................................
369ipsec-vpn (Policies)
...............................................................................
370
ip-sweep
......................................................................................................
370iso
...............................................................................................................
371land
.............................................................................................................
371
large
............................................................................................................
372lifetime-kilobytes
.........................................................................................
372limit-session
................................................................................................
373local
............................................................................................................
373local-certificate
............................................................................................
374local-identity
................................................................................................
375
Table of Contents xv
Table of Contents
-
7/23/2019 Junos Es Cli Reference
16/993
log
...............................................................................................................
376log (IDP)
................................................................................................
376log (IDP Policy)
.....................................................................................
377log (Security Policies)
............................................................................
377
log-attacks
...................................................................................................
378log-errors
.....................................................................................................
378log-supercede-min
.......................................................................................
379low-watermark
............................................................................................
379management
...............................................................................................
380manual
........................................................................................................
381match
..........................................................................................................
382
match (Destination NAT Services Gateway)
.......................................... 382match (IDP Policy)
................................................................................
383match (Security Policies)
.......................................................................
384match (Source NAT Services Gateway)
.................................................. 384match (Static
NAT Services Gateway)
.................................................... 385
max-flow-mem
............................................................................................
385max-logs-operate
.........................................................................................
386max-packet-mem
........................................................................................
386max-packet-memory
...................................................................................
387max-sessions
...............................................................................................
387max-tcp-session-packet-memory
.................................................................388max-time-report
..........................................................................................
388max-timers-poll-ticks
...................................................................................
389max-udp-session-packet-memory
................................................................
389maximum-call-duration
...............................................................................
390media-source-port-any
................................................................................
390member
......................................................................................................
391message-flood
.............................................................................................
392
message-flood (H323)
...........................................................................392message-flood
(MGCP)
..........................................................................
393mgcp
...........................................................................................................
394mode
...........................................................................................................
395
mode (Forwarding-Options)
..................................................................
395mode (Policy)
........................................................................................
396
mpls
............................................................................................................
396msrpc
..........................................................................................................
397mss
.............................................................................................................
398nat
...............................................................................................................
399
nat (Services Gateway Configuration)
.................................................... 400nat
(Services Router Configuration)
....................................................... 402
nat-keepalive
...............................................................................................
403
negate
.........................................................................................................
404no-allow-icmp-without-flow
.........................................................................404no-anti-replay
..............................................................................................
404no-enable-all-qmodules
...............................................................................
404no-enable-packet-pool
.................................................................................
405no-log-errors
................................................................................................
405no-nat-traversal
...........................................................................................
405no-policy-lookup-cache
................................................................................
405
xvi Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
17/993
no-port-translation
.......................................................................................
406no-reset-on-policy
........................................................................................
406no-sequence-check
......................................................................................
406no-syn-check
...............................................................................................
407
no-syn-check-in-tunnel
................................................................................
407notification
..................................................................................................
408optimized
....................................................................................................
408option
..........................................................................................................
409order
...........................................................................................................
409overflow-pool
..............................................................................................
410
overflow-pool (Source NAT Services Gateway)
...................................... 410overflow-pool (Source NAT
Services Router) .........................................411
pair-policy
...................................................................................................
412pass-through
................................................................................................
413pattern
........................................................................................................
414peer-certificate-type
....................................................................................
414perfect-forward-secrecy
...............................................................................
415performance
...............................................................................................
416permit
.........................................................................................................
417ping-death
...................................................................................................
418pki
...............................................................................................................
419policies
........................................................................................................
421policy
..........................................................................................................
423
policy (IKE)
...........................................................................................
423policy (IPsec)
.........................................................................................
424policy (Security)
....................................................................................
425
policy-lookup-cache
.....................................................................................
426policy-rematch
............................................................................................
427pool
.............................................................................................................
428
pool (Destination NAT Services Gateway)
.............................................428pool (Pool Set)
.......................................................................................
429pool (Source NAT)
.................................................................................
429pool (Source NAT Services Gateway)
.....................................................430
pool-set
.......................................................................................................
430pool-utilization-alarm
..................................................................................
431port
.............................................................................................................
432port-scan
.....................................................................................................
433pptp
............................................................................................................
434pre-filter-shellcode
.......................................................................................
435predefined-attack-groups
.............................................................................
435predefined-attacks
.......................................................................................
436pre-shared-key
............................................................................................
436
process-ignore-s2c
.......................................................................................
437process-override
..........................................................................................
437process-port
................................................................................................
438products
......................................................................................................
438proposal
......................................................................................................
439proposal-set
.................................................................................................
440
proposal-set (IKE)
..................................................................................
441proposal-set (IPsec)
...............................................................................
442
protect
.........................................................................................................
443
Table of Contents xvii
Table of Contents
-
7/23/2019 Junos Es Cli Reference
18/993
protocol
.......................................................................................................
444protocol (IPsec)
.....................................................................................
444protocol (Manual Security Association)
................................................. 445protocol (IP
Headers in Signature Attack)
.............................................. 445
protocol (Signature Attack)
....................................................................
446protocol-binding
..........................................................................................
449protocol-name
.............................................................................................
450protocols
.....................................................................................................
451
protocols (Interface Host-Inbound Traffic)
............................................. 452protocols (Zone
Host-Inbound Traffic)
................................................... 454
proxy-arp
....................................................................................................
456proxy-arp (Services Gateway Configuration)
......................................... 456proxy-arp (Services
Router Configuration) ............................................
457
proxy-identity
..............................................................................................
457raise-threshold
.............................................................................................
458real
..............................................................................................................
459re-assembler
................................................................................................
460re-enroll-trigger-time-percentage
.................................................................460recommended
.............................................................................................
461recommended-action
..................................................................................
462regexp
.........................................................................................................
463reject
...........................................................................................................
463reject-timeout
..............................................................................................
464remote
........................................................................................................
464reset
............................................................................................................
465reset-on-policy
.............................................................................................
465respond-bad-spi
...........................................................................................
466retain-hold-resource
....................................................................................
466revocation-check
.........................................................................................
467
route-change-timeout
..................................................................................
468routing-instance
..........................................................................................
469routing-instance (Destination NAT Services Gateway)
...........................469routing-instance (Source NAT Services
Gateway) ..................................469
rpc
...............................................................................................................
470rsh
...............................................................................................................
471rst-invalidate-session
...................................................................................
472rst-sequence-check
......................................................................................
472rtsp
..............................................................................................................
473rule
..............................................................................................................
474
rule (Destination NAT)
..........................................................................
474rule (Exempt Rulebase)
.........................................................................
475rule (IPS Rulebase)
................................................................................
476
rule (Source NAT)
..................................................................................
477rule (Static NAT)
....................................................................................
478rule-set
........................................................................................................
479
rule-set (Destination NAT Services Gateway)
.........................................479rule-set (Source NAT
Services Gateway) ................................................
480rule-set (Static NAT Services Gateway)
.................................................. 481
rulebase-exempt
..........................................................................................
482rulebase-ips
.................................................................................................
483sccp
.............................................................................................................
484
xviii Table of Contents
JUNOS Software; CLI Reference
-
7/23/2019 Junos Es Cli Reference
19/993
scheduler-name
...........................................................................................
485scope
...........................................................................................................
486
scope (Chain Attack)
.............................................................................
486scope (Custom Attack)
..........................................................................
487
screen
.........................................................................................................
488screen (Security)
...................................................................................
489screen (Zones)
......................................................................................
490
security-package
..........................................................................................
491security-zone
...............................................................................................
492sensor-configuration
....................................................................................
494sessions
.......................................................................................................
495session-close
...............................................................................................
496session-init
..................................................................................................
496sequence-number
........................................................................................
497
sequence-number (ICMP Headers in Signature Attack)
.........................497sequence-number (TCP Headers in
Signature Attack) ........................... 498
service
.........................................................................................................
499service (Anomaly Attack)
......................................................................
499service (Dynamic Attack Group)
............................................................
499service (Security IPsec)
.........................................................................
500
severity
.......................................................................................................
501severity (Custom Attack)
.......................................................................
501severity (Dynamic Attack Group)
..........................................................
502severity (IPS Rulebase)
..........................................................................
503
shellcode
.....................................................................................................
504signature
.....................................................................................................
505sip
...............................................................................................................
509source
.........................................................................................................
510
source (IP Headers in Signature Attack)
................................................ 510
source (Source NAT Services Gateway)
.................................................511source-address
............................................................................................
513source-address (Destination NAT Services Gateway)
.............................513source-address (IDP Policy)
...................................................................
514source-address (Security Policies)
.........................................................
514source-address (Source NAT Services Gateway)
....................................515
source-except
..............................................................................................
515source-interface
...........................................................................................
516source-ip-based
...........................................................................................
516source-nat
...................................................................................................
517
source-nat (NAT)
...................................................................................
517source-nat (NAT Interface)
....................................................................
518source-nat (Security Policies)
................................................................
519
source-nat (Source NAT Services Gateway)
...........................................519source-port
..................................................................................................
520source-threshold
..........................................................................................
521spi
...............................................................................................................
522sql
...............................................................................................................
523ssh-known-hosts
..........................................................................................
524ssl-inspection
...............................................................................................
525start-log
.......................................................................................................
525start-time
.....................................................................................................
526
Table of Contents xix
Table of Contents
-
7/23/2019 Junos Es Cli Reference
20/993
static
...........................................................................................................
527static-nat
.....................................................................................................
528
static-nat (Static NAT Services Router)
.................................................. 528static-nat
(Static NAT Services Gateway)
...............................................529
sunrpc
.........................................................................................................
530suppression
.................................................................................................
531syn-ack-ack-proxy
.......................................................................................
532syn-fin
.........................................................................................................
532syn-flood
.....................................................................................................
533syn-flood-protection-mode
..........................................................................
534syn-frag
.......................................................................................................
535system-services
...........................................................................................
536
system-services (Interface Host-Inbound Traffic)
...................................537system-services (Zone
Host-Inbound Traffic) ........................................
539
t1-interval
....................................................................................................
540t4-interval
....................................................................................................
541talk
..............................................................................................................
542target
...........................................................................................................
543tcp
...............................................................................................................
544
tcp (Protocol Binding Custom Attack)
.................................................... 544tcp
(Security Screen)
.............................................................................
545tcp (Signature Attack)
............................................................................
546
tcp-flags
.......................................................................................................
548tcp-initial-timeout ................................