[EOL/EOE] [ScreenOS] How to reduce the CPU utilization on the device when a large number of malicious sessions are received

Article ID: KB12524   Last Updated: 26 Mar 2021   Version: 6.0
Summary:

This article describes how to reduce CPU utilization on the device when a large number of malicious sessions are received.


Note: A product listed in this article has either reached hardware End of Life (EOL) or software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:

CPU utilization is high because of a large volume of undesired traffic. This was determined from a higher than usual number of sessions in the output of the get perf session detail command. Further review of the event log or traffic log showed that undesired traffic was reaching the firewall.

Solution:

Malicious traffic can be blocked in ScreenOS 6.0.0r2 or later by creating a blocklist for the malicious traffic.

Note: The blocklist feature is not available on ScreenOS versions prior to 6.0.0r2 or on appliance devices (such as SSG devices). If you have an appliance-level device, or a system-level device running a version of ScreenOS below 6.0.0r2, and it is receiving undesired traffic that causes high CPU usage, the traffic must be blocked on another device before it reaches the firewall. The remainder of this article applies only to system-level devices running ScreenOS 6.0.0r2 or later. The supported devices for this feature are as follows:

  • ISG-1000
  • ISG-2000
  • NS-5200
  • NS-5400

To create a new blocklist entry via the WebUI or CLI, perform the following procedure:

Note: This information is taken from the documentation; refer to the CPU Protection with Blocklisting DoS Attack Traffic section in Chapter 3 for more information. Although the ScreenOS 6.0 Concepts and Examples Guide did not yet reference this information as of the publication date of this article, the information below applies as written:


WebUI

Configuration > CPU Protection > Black List > New:
Enter the following, then click OK:
ID: 1
Source IP/Netmask: 1.1.1.0/24
Source Port: 5
Destination IP/Netmask: 2.2.2.0/24
Destination Port: 7
Protocol: 17
Timeout: 90

CLI

set cpu-protection blacklist id 1 1.1.1.0/24 2.2.2.0/24 protocol 17 src-port 5 dst-port 7 timeout 90
save


Description of options:

  • Source Port: The source port of a TCP or UDP session. Setting this to 0 matches all ports.
  • Destination Port: The destination port of a TCP or UDP session. Setting this to 0 matches all ports.
  • Protocol: The IP protocol number. Set this to 0 to match any protocol. The source port and destination port are valid only when the protocol is set to UDP or TCP.
  • Source IP/Netmask: The address mask range is 0–32. Setting the mask to 0 matches all source IP addresses.
  • Destination IP/Netmask: The address mask range is 0–32. Setting the mask to 0 matches all destination IP addresses.
  • ID: The ID of the blocklist entry. The range is 0–31.
  • Timeout: The timeout for the blocklist entry, in the range 0 to 600 minutes. If you set the timeout for a blocklist entry to 0, the security device never times out that entry. The security device saves only these permanent entries in the blocklist configuration.
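The following Python model is an added illustration (example code, not Juniper's implementation) of the option semantics listed above: the 0 wildcards for ports, protocol and mask, the ID and timeout ranges, the TCP/UDP-only port fields, the permanent-entry rule, and rendering of the CLI command in the form shown in this article. The class and its methods are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = 6, 17  # IP protocol numbers for which the port fields are valid


@dataclass(frozen=True)
class BlocklistEntry:
    """Constructed model of one ScreenOS CPU-protection blocklist entry
    (example code, not Juniper's). Wildcards follow the option list:
    port 0 = any port, protocol 0 = any protocol, a /0 mask = any address,
    timeout 0 = permanent entry."""
    entry_id: int
    src: str                # e.g. "1.1.1.0/24"
    dst: str                # e.g. "2.2.2.0/24"
    protocol: int = 0       # IP protocol number, 0 = any
    src_port: int = 0       # 0 = any
    dst_port: int = 0       # 0 = any
    timeout: int = 0        # minutes, 0 = never times out

    def __post_init__(self):
        if not 0 <= self.entry_id <= 31:
            raise ValueError("blocklist ID range is 0-31")
        if not 0 <= self.timeout <= 600:
            raise ValueError("timeout range is 0-600 minutes")
        if self.protocol not in (TCP, UDP) and (self.src_port or self.dst_port):
            raise ValueError("ports are valid only when protocol is TCP or UDP")
        ipaddress.ip_network(self.src, strict=False)  # validates "a.b.c.d/0..32"
        ipaddress.ip_network(self.dst, strict=False)

    def cli(self) -> str:
        """Render the entry as the 'set cpu-protection blacklist' command."""
        return (f"set cpu-protection blacklist id {self.entry_id} {self.src} {self.dst} "
                f"protocol {self.protocol} src-port {self.src_port} "
                f"dst-port {self.dst_port} timeout {self.timeout}")

    def is_saved_in_config(self) -> bool:
        """Only permanent entries (timeout 0) are kept in the saved configuration."""
        return self.timeout == 0

    def matches(self, src_ip, dst_ip, protocol, src_port=0, dst_port=0) -> bool:
        """True if a session 5-tuple is covered by this entry; 0 fields are wildcards."""
        in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        in_dst = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
        proto_ok = self.protocol == 0 or protocol == self.protocol
        # Ports are compared only for TCP/UDP sessions; 0 in the entry matches any port.
        ports_ok = protocol not in (TCP, UDP) or (
            (self.src_port == 0 or src_port == self.src_port)
            and (self.dst_port == 0 or dst_port == self.dst_port))
        return in_src and in_dst and proto_ok and ports_ok
```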
Modification History:
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.
