We tend to use the following as our template to disable interfaces:
/* --- EXAMPLE SPARE PORT --- */
ge-0/0/0 {
    description "GE-0/0/0 SPARE";
    disable;
    unit 0 {
        disable;
        family inet {
            filter {
                input DENY-ALL;
            }
        }
    }
}
You can do this in bulk in a much more granular fashion than the Cisco 'interface range' command since you can use REGEX patterns. Here's an example that produces the output above, but on multiple interfaces:
/* --- EXAMPLE PORT RANGE COMMAND --- */
wildcard range set interfaces <INT>[<RANGE>] <COMMANDS>
/* --- EXAMPLE PORT RANGE COMMAND for SPARE PORTS --- */
wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] description "GE-1/_/_ SPARE"
wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] disable
wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 disable
wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 family inet filter input DENY-ALL
Lastly, here's the 'DENY-ALL' filter referenced above:
firewall {
    filter DENY-ALL {
        term 1 {
            then {
                syslog;
                discard;
            }
        }
    }
}
This seems to keep our IA Team happy and is a component of keeping our devices DISA STIG hardened. Hopefully you'll find it useful.
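To confirm that every port covered by a range really ended up with the spare-port template, the following added example (not part of the original post) expands a range such as `ge-1/[0-3]/[0-3,5,7-9]` and reports which statements are missing per interface. It assumes the input is text saved from `show configuration | display set`; the names `expand`, `audit`, `REQUIRED` and the sample lines are constructed for illustration.

```python
import itertools
import re

# Security-relevant statements the spare-port template applies to each port.
REQUIRED = (
    "disable",
    "unit 0 disable",
    "unit 0 family inet filter input DENY-ALL",
)

# Constructed sample: ge-1/0/0 complete, ge-1/0/1 lacks the filter,
# ge-1/0/5 was never touched.
SAMPLE = """\
set interfaces ge-1/0/0 description "GE-1/_/_ SPARE"
set interfaces ge-1/0/0 disable
set interfaces ge-1/0/0 unit 0 disable
set interfaces ge-1/0/0 unit 0 family inet filter input DENY-ALL
set interfaces ge-1/0/1 description "GE-1/_/_ SPARE"
set interfaces ge-1/0/1 disable
set interfaces ge-1/0/1 unit 0 disable
"""

def expand(pattern):
    """Expand a range like ge-1/[0-3]/[0-3,5,7-9] into interface names."""
    parts = re.split(r"\[([^\]]+)\]", pattern)  # literal, range, literal, ...
    choices = []
    for i, part in enumerate(parts):
        if i % 2 == 0:              # literal text between brackets
            choices.append([part])
            continue
        values = []
        for item in part.split(","):  # "0-3" or a single number such as "5"
            lo, _, hi = item.partition("-")
            values += [str(n) for n in range(int(lo), int(hi or lo) + 1)]
        choices.append(values)
    return ["".join(c) for c in itertools.product(*choices)]

def audit(display_set, pattern):
    """Return {interface: [missing statements]} for ports in the range."""
    have = {line.strip() for line in display_set.splitlines()}
    findings = {}
    for ifname in expand(pattern):
        missing = [s for s in REQUIRED
                   if f"set interfaces {ifname} {s}" not in have]
        if missing:
            findings[ifname] = missing
    return findings

if __name__ == "__main__":
    for ifname, missing in audit(SAMPLE, "ge-1/0/[0-1,5]").items():
        print(ifname, "missing:", "; ".join(missing))
```

An empty result means every interface in the range carries all three statements; it does not check that the DENY-ALL filter itself is defined.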