Hi
If you just need to limit some services on the interface (zone), you do not need the junos-host zone. For example, to allow ike, ssh, https services on a zone (this is for local, not transit traffic!):
    security-zone ZZZ {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                https;
            }
        }
        interfaces {
            ge-0/0/1.300;
        }
    }
Policies for the junos-host zone are needed if you need more granular filtering (for example, to allow not just ssh, but ssh only from particular hosts). In this case such a policy will do filtering in addition to host-inbound-traffic.
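
The granular case described above, as an added example that is not part of the original post: SSH to the device is permitted only from a management address set, while ike and https stay open to the zone. The address 192.0.2.10, the names mgmt-host-1 and mgmt-hosts, and the policy names are constructed placeholders; every service is matched explicitly so the result does not depend on the default action for unmatched local traffic.

```junos
security {
    address-book {
        global {
            /* constructed placeholder address (documentation range) */
            address mgmt-host-1 192.0.2.10/32;
            address-set mgmt-hosts {
                address mgmt-host-1;
            }
        }
    }
    policies {
        from-zone ZZZ to-zone junos-host {
            /* ssh to the device only from the management hosts */
            policy ssh-from-mgmt {
                match {
                    source-address mgmt-hosts;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            /* ssh from any other source in the zone is dropped */
            policy ssh-deny-rest {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    deny;
                }
            }
            /* remaining local services from the zone example stay reachable */
            policy other-local-services {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ike junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

The host-inbound-traffic stanza on zone ZZZ still has to list ssh, ike and https, since the policy filters in addition to it, and policy order matters: ssh-from-mgmt must stay above ssh-deny-rest.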