SRX Getting Started - Configure Screen Protection

Knowledge Base ID: KB16618
Last Updated: 21 Oct 2013
Version: 8.0

Summary:

This article shows how to tell which screen options are configured and how to configure screen options.

For other topics, go to the SRX Getting Started main page.

Problem or Goal:

Configure screen protection.

Cause:

Solution:

You can use screen options on SRX Series devices to prevent attacks, such as IP address sweeps, port scans, denial of service (DOS) attacks, ICMP, UDP, and SYN floods. For information about types of attacks and how to prevent them, see http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?jd0e80889.html.

SRX screen options are applied at the zone level. No license is required.

This article contains the following sections: CLI Configuration, J-Web Configuration, Technical Documentation, and Verification.

CLI Configuration

The following procedure configures screen protection:

  1. Run the following command to see the screen options currently configured:

    user@host> show security | match screen | display set

    By default, all of the following screen options in a profile named untrust-screen are configured:

    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone untrust screen untrust-screen

  2. Configure any additional screen options. For example, the following command sets the destination-IP-based session limit to 50 sessions:

    user@host# set security screen ids-option untrust-screen limit-session destination-ip-based 50

    For information about this screen option, see http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/security/software-all/security/index.html?topic-43932.html.

    Important:
    The more screen protections you configure, the more overhead is generated on the SRX Series device.

  3. Apply the screen profile to a security zone. In the default configuration, the profile named untrust-screen is applied to the untrust zone:
    set security zones security-zone untrust screen untrust-screen
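Added example, not part of the article: a small Python audit that parses the `display set` output from step 1 into a profile-to-options map and a zone-to-screen map, then reports zones that have no screen profile applied. The sample input is constructed from the article's default profile and the step 2 session limit, plus a hypothetical trust zone with no screen (an assumption, not from the article).

```python
import re
from collections import defaultdict
# Constructed sample: the article's default untrust-screen profile, the step 2
# session limit, and a hypothetical trust zone with no screen applied.
SAMPLE_DISPLAY_SET = """\
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen limit-session destination-ip-based 50
set security zones security-zone untrust screen untrust-screen
set security zones security-zone trust host-inbound-traffic system-services ping
"""

SCREEN_RE = re.compile(r"^set security screen ids-option (\S+) (.+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.*))?$")

def parse_display_set(text):
    """Map profile -> {option: value} and zone -> screen profile (None if none)."""
    profiles, zones = defaultdict(dict), {}
    for line in text.splitlines():
        s = SCREEN_RE.match(line.strip())
        z = ZONE_RE.match(line.strip())
        if s:
            name, parts = s.group(1), s.group(2).split()
            if parts[-1].isdigit():  # thresholds and limits carry a numeric value
                profiles[name][" ".join(parts[:-1])] = int(parts[-1])
            else:                    # flag options such as "icmp ping-death"
                profiles[name][" ".join(parts)] = True
        elif z:
            zone, rest = z.groups()
            zones.setdefault(zone, None)  # remember the zone even without a screen
            if rest and rest.startswith("screen "):
                zones[zone] = rest.split()[1]
    return dict(profiles), zones

def unscreened_zones(text):
    """Zones that appear in the config but have no screen profile applied."""
    _, zones = parse_display_set(text)
    return sorted(z for z, profile in zones.items() if profile is None)

if __name__ == "__main__":
    print("zones without a screen:", unscreened_zones(SAMPLE_DISPLAY_SET))
```

Feed it the real output of `show security | match screen | display set` to see every configured option per profile and catch zones that were never given a screen.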


J-Web Configuration

For J-Web configuration information, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-74994.html#id-74994.

Note that certain screen options are selected by default in the profile named untrust-screen.

Important: The more screen protections you configure, the more overhead is generated on the SRX Series device.

 

Technical Documentation

Junos 12.1X45 and Junos 11.4
  • PDF -- See Chapter 40, Attack Detection and Prevention (page 1171).
  • HTML
Junos 10.4
  • PDF -- See Chapter 35, Attack Detection and Prevention (page 899).
  • HTML
    Note:
    Significant changes (examples, instructions, explanations) were made to the Junos 11.4 technical documentation. So, although your device is running Junos 10.4, you may refer to the Junos 11.4 technical documentation for detailed explanations.




Verification

  • Monitor screen counters with the following command:

    user@host> show security screen statistics zone untrust
  • Syslog messages help identify the IP addresses triggering the screen. See the following sample output from the /var/log/messages file, which has been configured to log the screen alerts.

    Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:43 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0

    Use the following configuration commands to send messages from any facility with any severity (including all the screen alerts) to the local file named messages on the SRX branch device:

    user@host# set system syslog file messages any any
    user@host# set system syslog file messages match RT_Screen

    Use the following command to display the messages file:

    user@host> show log messages

    For SRX high-end devices, the default logging mode is stream. You can either configure stream mode logging to see these messages or set the logging mode to event. To set the log mode to event:
    user@host# set security log mode event


    For more information on configuring the stream mode for security logs, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.

    For configuration examples and guides to configuring syslog, refer to the following link:

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-security-admin-guide/index.html?syslog-chapter.html
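Added example, not part of the article: a Python parser for the RT_SCREEN syslog lines shown above that counts hits per screen, source and zone, and flags sources that trip the same screen repeatedly inside a short window. The sample log is constructed in the format of the article's /var/log/messages output; the RT_SCREEN_TCP line is an added illustrative event, not from the article.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the article's /var/log/messages output
# (the article's ICMP events plus one RT_SCREEN_TCP line added for contrast).
SAMPLE_MESSAGES = """\
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_TCP: SYN flood! source: 10.0.0.9, destination: 172.24.28.76, zone name: untrust, interface name: ge-0/0/1.0
Feb 3 03:31:40 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) RT_IDS: (?P<tag>RT_SCREEN_\w+): (?P<msg>[^!]+)! "
    r"source: (?P<src>[\d.]+), destination: (?P<dst>[\d.]+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifc>\S+)$")

def parse_screen_events(text):
    """Parse RT_SCREEN syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append(e)
    return events

def hits_by_source(events):
    """Count events per (screen message, source, zone), most frequent first."""
    return Counter((e["msg"], e["src"], e["zone"]) for e in events).most_common()

def bursty_sources(events, window_s=60, threshold=4):
    """(message, source) pairs with at least threshold hits inside any window_s span."""
    times = {}
    for e in events:
        times.setdefault((e["msg"], e["src"]), []).append(e["ts"])
    bursts = []
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):  # sliding window over sorted hits
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s:
                bursts.append(key)
                break
    return sorted(bursts)
```

Point it at a file collected with `show log messages` to turn the raw alert stream into a per-source summary that is easier to act on than scrolling the log.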

Purpose:
Configuration
Implementation
Installation
Specifications

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.