SRX Getting Started - Configure Screen Protection

[KB16618]


Summary:

This article shows how to determine which screen options are configured and how to configure screen options on SRX devices.

For other topics, go to KB15694 - SRX Getting Started - Configuration Examples & Troubleshooting (JumpStation).

 

Symptoms:

Configure screen protection.

 

Solution:

Screen options on SRX Series devices are used to prevent attacks, such as IP address sweeps, port scans, denial of service (DOS) attacks, ICMP, UDP, and SYN floods. For information about the types of attacks and how to prevent them, see Screens Options for Attack Detection and Prevention.

SRX screen options are applied at the zone level. No license is required.


CLI Configuration

The following procedure configures screen protection:

  1. Run the following command to see the screen options currently configured:
user@host> show configuration security | match screen | display set

By default, all of the following screen options in a profile named untrust-screen are configured:

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen
  2. Configure any additional screen options. For example, the following limits the number of sessions per destination IP address to 50:
user@host# set security screen ids-option untrust-screen limit-session destination-ip-based 50

For information about this screen option, see destination-ip-based.

Important: The more screen protections you configure, the more processing overhead is generated on the SRX Series device.

  3. Apply the screen profile to a security zone. In the default configuration, the profile named untrust-screen is applied to the untrust zone:
set security zones security-zone untrust screen untrust-screen
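The procedure above starts by reading back which screen options are configured. The following added example (not part of the KB article or of Junos) parses `display set` output into a per-profile option map and a zone-to-profile map, so that a configuration audit can show which thresholds each ids-option profile carries and which zones have no screen attached. It assumes the unfiltered output of `show configuration security | display set`, because the `| match screen` filter used in step 1 hides zones that have no screen profile; the sample text is constructed from the article's default untrust-screen profile plus a hypothetical `dmz` zone with no screen.

```python
"""Audit SRX screen configuration from 'display set' output.

Added example, not from the Juniper KB article. The sample below is
constructed: the article's default untrust-screen profile, the
limit-session option from step 2, and a hypothetical 'dmz' zone that
deliberately has no screen profile attached.
"""
import re
from collections import defaultdict

SAMPLE_DISPLAY_SET = """\
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen limit-session destination-ip-based 50
set security zones security-zone untrust screen untrust-screen
set security zones security-zone dmz host-inbound-traffic system-services ping
"""

PROFILE_RE = re.compile(r"^set security screen ids-option (\S+) (.+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.*))?$")


def parse_display_set(text):
    """Return (profiles, zone_screens).

    profiles:     {profile_name: {option_path: value_or_None}}
    zone_screens: {zone_name: profile_name_or_None}
    """
    profiles = defaultdict(dict)
    zone_screens = {}
    for line in text.splitlines():
        line = line.strip()
        m = PROFILE_RE.match(line)
        if m:
            name, rest = m.groups()
            tokens = rest.split()
            # A trailing integer is a threshold or limit value; otherwise the
            # option is a plain on/off flag such as 'icmp ping-death'.
            if tokens[-1].isdigit():
                profiles[name][" ".join(tokens[:-1])] = int(tokens[-1])
            else:
                profiles[name][" ".join(tokens)] = None
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, rest = m.groups()
            zone_screens.setdefault(zone, None)   # record the zone even without a screen
            rest_tokens = (rest or "").split()
            if len(rest_tokens) >= 2 and rest_tokens[0] == "screen":
                zone_screens[zone] = rest_tokens[1]
    return dict(profiles), zone_screens


def unscreened_zones(zone_screens):
    """Zones with no screen profile attached (screens are zone-level, so these get none)."""
    return sorted(z for z, p in zone_screens.items() if p is None)


def dangling_profiles(profiles, zone_screens):
    """Profiles that are defined but not attached to any zone, i.e. configured but inactive."""
    attached = {p for p in zone_screens.values() if p}
    return sorted(set(profiles) - attached)


if __name__ == "__main__":
    profiles, zones = parse_display_set(SAMPLE_DISPLAY_SET)
    for name, opts in profiles.items():
        print(f"profile {name}:")
        for opt, val in opts.items():
            print(f"  {opt}" + (f" = {val}" if val is not None else ""))
    print("zones without a screen profile:", unscreened_zones(zones))
    print("profiles not attached to any zone:", dangling_profiles(profiles, zones))
```

Run against real output, the two report functions are the useful part: a profile that is defined but not attached protects nothing, and a zone with no profile gets no screen checks at all, both of which the `| match screen` view can make easy to miss.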
 

Technical Documentation

Junos OS Attack Detection and Prevention Library for Security Devices

 

Verification

  • Monitor screen counters with the following command:

user@host> show security screen statistics zone untrust
  • Syslog messages help identify the IP addresses triggering the screen. See the following sample output from the /var/log/messages file, which has been configured to log screen alerts.

Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:43 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0

Use the following configuration commands to send messages of any severity (including all the screen alerts) to the local file named messages on the SRX Branch Series device:

user@host# set system syslog file messages any any
user@host# set system syslog file messages match RT_SCREEN

Alternatively, you can create a separate log file to hold the screen entries. For example, the following writes only RT_SCREEN messages to a file named traffic-screens:

user@host# set system syslog file traffic-screens any any
user@host# set system syslog file traffic-screens match RT_SCREEN

Use the following command to display the messages file:

user@host> show log messages
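The syslog entries above are what identify the offending source addresses, and on a busy zone the messages file fills with repeats. The following added example (not part of the KB article or of Junos) parses RT_SCREEN lines from a copy of that file, counts hits per screen type, source and zone, and lists the sources that exceed a chosen hit count. The first eight sample lines are the ones quoted in the article; the last two are constructed, with a different source address, to show how the summary separates sources. The regular expression assumes the `RT_IDS: RT_SCREEN_*: <text>! source: ..., destination: ..., zone name: ..., interface name: ...` layout seen in those lines.

```python
"""Summarise RT_SCREEN entries from /var/log/messages.

Added example, not from the Juniper KB article. The first eight log lines
are quoted from the article; the last two are constructed so that a second
source address appears.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:05 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:10 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:38 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:43 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:30:54 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.213, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:31:02 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.99, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:31:07 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.24.28.99, destination: 172.24.28.76, zone name: manage, interface name: ge-0/0/0.0
Feb 3 03:31:09 sshd[1234]: unrelated message that the parser must skip
"""

# Layout assumed from the article's sample lines (hypothetical generalisation
# to other RT_SCREEN_* message types that follow the same field order).
SCREEN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) RT_IDS: (?P<screen>RT_SCREEN_\w+): "
    r"(?P<attack>[^!]+)! source: (?P<src>\S+), destination: (?P<dst>\S+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifname>\S+)$"
)


def parse_screen_log(text):
    """Return a list of dicts, one per RT_SCREEN line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SCREEN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise(events):
    """Hit counts keyed by (screen type, attack text, source, zone)."""
    return Counter((e["screen"], e["attack"], e["src"], e["zone"]) for e in events)


def noisy_sources(events, threshold):
    """Sources with at least `threshold` screen hits, most active first."""
    counts = Counter(e["src"] for e in events)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evts = parse_screen_log(SAMPLE_LOG)
    for key, n in summarise(evts).most_common():
        screen, attack, src, zone = key
        print(f"{n:4d}  {screen}  {attack}  source={src}  zone={zone}")
    print("sources at or above 5 hits:", noisy_sources(evts, 5))
```

The threshold in `noisy_sources` is a reporting aid only; the device itself already rate-limits and counts per screen, so compare the parsed counts with `show security screen statistics zone <zone>` to confirm the log file is not dropping entries.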

For SRX high-end devices, the default logging mode is stream. You can configure stream mode logging to see these messages, or you can set the logging mode to event. To set the logging mode to event:

user@host# set security log mode event

If you choose to use event mode, which will write the traffic logs to the control plane, make sure to set the event-rate:

user@host# set security log mode event event-rate (0...5000 logs per second)

Important: Setting event mode on SRX High-End devices can cause high CPU utilization on the device. Use it with caution.

For more information about configuring the stream mode for security logs, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.

For configuration examples and guides to configuring syslog, refer to Setting the System to Send All Log Messages.

 

Modification History:

2019-07-25: Command in Solution modified to: user@host> show configuration security | match screen | display set; minor, non-technical formatting changes made
