
SRX Getting Started - Configure Screen Protection

  [KB16618]


Summary:

This article shows how to tell which screen options are configured and how to configure screen options.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure screen protection.

Solution:

Screen options on SRX Series devices are used to detect and block attacks such as IP address sweeps, port scans, denial-of-service (DoS) attacks, and ICMP, UDP, and SYN floods. For information about the types of attacks and how to prevent them, see Screens Options for Attack Detection and Prevention.

SRX screen options are applied at the zone level. No license is required.


CLI Configuration

The following procedure configures screen protection:

  1. Run the following command to see the screen options currently configured:

    user@host> show security | match screen | display set

    By default, all of the following screen options in a profile named untrust-screen are configured:

    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone untrust screen untrust-screen

  2. Configure any additional screen options. For example, the following command sets the destination-IP-based session limit to 50 sessions:

    user@host# set security screen ids-option untrust-screen limit-session destination-ip-based 50

    For information about this screen option, see destination-ip-based.

    Important: The more screen protections you configure, the more overhead is generated on the SRX Series device.


  3. Apply the screen profile to a security zone. In the default configuration, the profile named untrust-screen is applied to the untrust zone:

    user@host# set security zones security-zone untrust screen untrust-screen

 

Technical Documentation

 Junos OS Attack Detection and Prevention Library for Security Devices



Verification

  • Monitor screen counters with the following command:

    user@host> show security screen statistics zone untrust

  • Syslog messages help identify the IP addresses triggering the screen. See the following sample output from the /var/log/messages file, which has been configured to log the screen alerts.

    Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:43 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
    Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0

    Use the following configuration commands to send messages of any facility and severity (which includes all the screen alerts) to the local file named messages on the SRX Branch Series device:

    user@host# set system syslog file messages any any
    user@host# set system syslog file messages match RT_Screen

    Use the following command to display the messages file:

    user@host> show log messages

    For SRX High-End devices, the default logging mode is stream. You can configure stream mode logging to see these messages, or you can set the logging mode to event. To set the log mode to event:

    user@host# set security log mode event 

    Important: Setting the event mode on SRX High-End devices can cause high CPU on the device. Use it with caution.

    For more information on configuring the stream mode for security logs, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.

    For configuration examples and guides to configuring syslog, refer to Setting the System to Send All Log Messages.
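As an added example (not part of the KB article or of Junos), the following Python script parses RT_IDS screen alert lines in the format shown in the sample output above and counts alerts per screen message, source IP and zone, which is the triage step the syslog bullet describes. The sample input uses four of the article's ICMP lines plus a constructed RT_SCREEN_TCP line and a constructed non-screen line, so the values other than the article's are assumptions.

```python
import re
from collections import Counter

# Pattern for the RT_IDS screen alerts as they appear in the article's sample /var/log/messages output.
# The interface name stops at a comma so that a trailing field (if a platform appends one) is not swallowed.
SCREEN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) RT_IDS: (?P<screen>RT_SCREEN_\w+): "
    r"(?P<msg>[^!]+)! source: (?P<src>[\d.]+), destination: (?P<dst>[\d.]+), "
    r"zone name: (?P<zone>[^,]+), interface name: (?P<ifname>[^,\s]+)"
)

def parse_screen_alerts(lines):
    """Parse syslog lines; return one dict per RT_SCREEN alert and skip every other line."""
    alerts = []
    for line in lines:
        m = SCREEN_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def count_by_source(alerts):
    """Count alerts per (screen message, source IP, zone) so the noisiest sources stand out."""
    return Counter((a["msg"], a["src"], a["zone"]) for a in alerts)

def sources_over_threshold(alerts, threshold):
    """Return the sorted source IPs whose total alert count reaches the threshold."""
    per_src = Counter(a["src"] for a in alerts)
    return sorted(src for src, n in per_src.items() if n >= threshold)

# Constructed sample: four lines from the article, one assumed RT_SCREEN_TCP line, one unrelated line.
SAMPLE_LOG = """\
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:31:02 RT_IDS: RT_SCREEN_TCP: SYN flood! source: 203.0.113.9, destination: 172.24.28.76, zone name: untrust, interface name: ge-0/0/1.0
Feb 3 03:31:05 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation
"""

if __name__ == "__main__":
    alerts = parse_screen_alerts(SAMPLE_LOG.splitlines())
    for (msg, src, zone), n in count_by_source(alerts).most_common():
        print(f"{n:3d}  {msg:<18} {src:<16} zone={zone}")
    print("sources with 4 or more alerts:", sources_over_threshold(alerts, 4))
```

Pipe a real messages file into parse_screen_alerts (for example, lines from show log messages saved to a file) to get the same per-source counts for a live device.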

Modification History:
2019-02-12: Minor edits and updated documentation URL references.