CLI Operational Mode Commands | CLI Configuration Mode Commands
The following configuration statement hierarchy is supported at this time. The set of supported commands is likely to be expanded with each revision of the software.
Edit interfaces hierarchy level
interfaces {
    interface-name {
        disable;
        description <text>;
        encapsulation <type>;
        hold-time up <milliseconds> down <milliseconds>;
        no-keepalives;
        keepalives interval down-count up-count;
        serial-options {
            clock-rate <rate>;
        }
        speed (10m | 100m);
        unit <logical-unit-number> {
            bandwidth <rate>;
            description <text>;
            disable;
            family family {
                address <address>;
            }
        }
    }
}
Edit routing options hierarchy level
routing-options {
    static {
        route destination-prefix {
            next-hop <next-hop ip-address>;
        }
    }
}
Edit system hierarchy level
system {
    backup-router address <destination destination-address>;
    domain-name <domain-name>;
    host-name <host-name>;
    name-server {
        <address>;
    }
    root-authentication {
        (encrypted-password "password" | plain-text-password);
    }
}
Edit policy-options hierarchy level
policy-options {
    policy-statement <policy-name> {
        term <term-name> {
            from {
                match-conditions;
            }
            to {
                match-conditions;
            }
            then actions;
        }
    }
}
Edit protocols hierarchy level
rip {
    group <group-name> {
        export [ policy-names ];
        neighbor neighbor-name {
            import [ policy-names ];
        }
    }
}
ospf {
    area <area-id> {
        interface interface-name {
            disable;
            hello-interval <seconds>;
            dead-interval <seconds>;
            neighbor <neighbor_address>;
        }
        stub <(no-summaries | summaries)>;
        virtual-link neighbor-id router-id transit-area area-id { }
    }
    export [ policy-names ];
}
bgp {
    group <group_name> {
        type <type-name>;
        peer-as <asnum of the peer>;
        neighbor <neg_ipaddress>;
        neighbor <neg_ipaddress> {
            peer-as <asnum of the peer>;
        }
        hold-time <seconds>;
    }
}
Firewall Hierarchy
firewall {
    family family-name {
        filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
}
NAT Hierarchy

Source NAT hierarchy
source {
    pool <poolname> {
        address <address>;
    }
    rule-set <rule-set-name> {
        from zone trust;
        to zone untrust;
        from interface <interfacelist>;
        rule <rule-name> {
            match {
                source-address <source-address/prefix-list>;
                destination-address <destination-address/prefix-list>;
            }
            then source-nat {
                interface | off | pool <poolname>;
            }
        }
    }
}

Destination NAT hierarchy
destination {
    pool <poolname> {
        address <address> port <portnumber>;
    }
    rule-set <rule-set-name> {
        from interface <interfacelist>;
        from zone <zonename>;
        rule <rule-name> {
            match {
                destination-address <destination-address/prefix-list>;
                destination-port <destination port>;
            }
            then destination-nat {
                pool <poolname>;
            }
        }
    }
}

Static NAT Hierarchy
static {
    rule-set <rule-set-name> {
        from interface <interfacelist>;
        from zone <zonename>;
        rule <rule-name> {
            match {
                destination-address <destination-address/prefix-list>;
            }
            then static-nat {
                prefix <address prefix>;
            }
        }
    }
}
[edit security address-book] Hierarchy Level*
security {
    address-book (book-name | global) {
        address address-name {
            ip-prefix {
                description text;
            }
            description text;
        }
        address-set address-set-name {
            address address-name;
            address-set address-set-name;
            description text;
        }
        attach {
            zone zone-name;
        }
        description text;
    }
}
[edit security ike] Hierarchy Level*
IKE Phase 1 Proposal Hierarchy [edit security ike]
proposal <proposal-name> {
    authentication-method [pre-shared-keys | rsa-signatures];
    dh-group [group1 | group2 | group5];
    authentication-algorithm [md5 | sha-256 | sha1];
    encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
    lifetime-seconds <seconds>;
}

IKE Phase 1 Policy Hierarchy [edit security ike]
policy <policy-name> {
    mode [main | aggressive];
    (proposals proposal-name) | (proposal-set [basic | compatible | standard]);
    pre-shared-key [ascii-text | hexadecimal];
}

IKE Phase 1 Gateway Hierarchy [edit security ike]
gateway <gateway-name> {
    ike-policy <policy-name>;
    address <ip-address>;
    external-interface <interface-name>;
    dead-peer-detection {
        interval <seconds>;
        threshold <number>;
    }
}
[edit security ipsec] Hierarchy Level*
IPsec Phase 2 Proposal Hierarchy [edit security ipsec]
proposal <proposal-name> {
    protocol [ah | esp];
    authentication-algorithm [hmac-md5-96 | hmac-sha1-96];
    encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
    lifetime-kilobytes <kilobytes>;
    lifetime-seconds <seconds>;
}

IPsec Phase 2 Policy Hierarchy [edit security ipsec]
policy <policy-name> {
    perfect-forward-secrecy {
        keys [group1 | group2 | group5];
    }
    (proposals <proposal-name>) | (proposal-set [basic | compatible | standard]);
}

IPsec Phase 2 VPN Tunnel hierarchy [edit security ipsec]
vpn <vpn-name> {
    bind-interface st0.x;    # necessary only for route-based VPNs
    ike {
        gateway <gateway-name>;
        ipsec-policy <policy-name>;
    }
    manual {                 # necessary if using manual key
    }
    establish-tunnels [immediately | on-traffic];
}

Security policies for tunnel traffic hierarchy [edit security policies]
from-zone <source-zone-name> to-zone <destination-zone-name> {
    policy <policy-name> {
        match {
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn <ipsec-tunnel-name>;    # reference to the IPsec VPN tunnel
                }
            }
        }
    }
}
Edit interfaces hierarchy level (switch)
ge-fpc/pic/port {
    description <text>;
    disable;
    ether-options {
        link-mode <mode>;
        speed (auto-negotiation | speed);
    }
    unit <logical-unit-number> {
        bandwidth <rate>;
        description <text>;
        disable;
        family family-name {...}
        vlan-id <vlan-id-number>;
    }
}
me0 {
    unit <logical-unit-number> {
        family family-name {...}
    }
}
vlan {
    unit <logical-unit-number> {
        family family-name {...}
    }
}
Edit vlans hierarchy level (switch)
vlans {
    <vlan-name> {
        description <text-description>;
        l3-interface <vlan.logical-interface-number>;
        mac-table-aging-time <seconds>;
        primary-vlan <vlan-name>;
        vlan-id <number>;
        vlan-range <vlan-id-low-vlan-id-high>;
    }
}
Edit protocols hierarchy level (switch)
stp {
    bridge-priority <priority>;
    disable;
    forward-delay <seconds>;
    hello-time <seconds>;
    interface (all | interface-name) {
        edge;
        mode <mode>;
        no-root-port;
        priority <priority>;
    }
    max-age <seconds>;
}
vstp {
    vlan (all | vlan-id | vlan-name) {
        bridge-priority <priority>;
        forward-delay <seconds>;
        hello-time <seconds>;
        interface (all | interface-name) {
            edge;
            mode <mode>;
            no-root-port;
            priority <priority>;
        }
        max-age <seconds>;
    }
}
Edit poe hierarchy level (switch)
poe {
    guard-band <watts>;
    interface (all | interface-name) {
        disable;
        maximum-power (Interface) <watts>;
        priority (high | low);
    }
    management (class | static);
}