
[ScreenOS] Timeout for deny sessions



Article ID: KB25753 | Last Updated: 28 Dec 2020 | Version: 2.0

This article provides information about the timeout value for deny sessions.



When deny sessions are enabled on the device, how long is the entry maintained in the deny session table?



When deny sessions are enabled with the set flow deny-session command, a lightweight deny session is created whenever a packet fails first-packet processing because the matching policy action is deny.

When a packet does not find a match in the session table, the deny table is looked up next. If the packet matches one of its entries, it is dropped immediately without further first-packet processing, and an event is logged according to the policy configuration. Field feedback is that enabling this feature dramatically reduces CPU utilization under the type of attacks it is designed to mitigate.

The deny session table is separate from the valid session table, which keeps the impact of this feature on main session management to a minimum. The table has 1024 buckets, each holding 4 session entries, for a maximum of 4096 deny sessions. Each entry has the same key as a normal session; that is, the key is a 6-tuple of source IP address, destination IP address, protocol, source port, destination port, and session token. Each entry also records the time the entry was created and the policy that denied the creation of a normal session.

The time field in each entry is initialized to 0, which indicates that the entry is not used. After each entry is created, it expires in 2 seconds.
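The following model of the deny session table is an added illustration and is not ScreenOS code: it reproduces the structure the article describes (1024 buckets of 4 entries keyed on the 6-tuple, a creation time of 0 marking an unused slot, and a 2-second expiry) and the lookup order on a session-table miss. The bucket hash, the policy stand-in flag, and the action strings are assumptions for the model.

```python
import hashlib
from dataclasses import dataclass

BUCKETS = 1024            # per the article: 1024 buckets ...
ENTRIES_PER_BUCKET = 4    # ... of 4 entries each, so at most 4096 deny sessions
DENY_TTL_SECONDS = 2.0    # each entry expires 2 seconds after creation
# Key is the 6-tuple: (src_ip, dst_ip, proto, src_port, dst_port, session_token)

@dataclass
class DenyEntry:
    key: tuple = ()
    created: float = 0.0  # 0 marks an unused slot, as in the article
    policy: str = ""      # the policy that denied the normal session

class DenySessionTable:
    def __init__(self) -> None:
        self.buckets = [[DenyEntry() for _ in range(ENTRIES_PER_BUCKET)]
                        for _ in range(BUCKETS)]

    @staticmethod
    def bucket_of(key: tuple) -> int:
        # Assumed hash for the model; the real ScreenOS bucket hash is not documented here.
        digest = hashlib.sha256(repr(key).encode()).digest()
        return int.from_bytes(digest[:4], "big") % BUCKETS

    def lookup(self, key: tuple, now: float) -> "DenyEntry | None":
        for entry in self.buckets[self.bucket_of(key)]:
            if entry.created and entry.key == key:
                if now - entry.created < DENY_TTL_SECONDS:
                    return entry
                entry.created = 0.0  # expired: the slot is free again
        return None

    def insert(self, key: tuple, policy: str, now: float) -> bool:
        for entry in self.buckets[self.bucket_of(key)]:
            if not entry.created or now - entry.created >= DENY_TTL_SECONDS:
                entry.key, entry.created, entry.policy = key, now, policy
                return True
        return False  # all 4 slots in this bucket hold live deny sessions

def process_packet(table: DenySessionTable, key: tuple, now: float,
                   policy_denies: bool) -> str:
    """Session-table miss path: consult the deny table before full first-packet processing.
    policy_denies stands in for the policy lookup result; now is a timestamp in seconds (> 0)."""
    if table.lookup(key, now) is not None:
        return "drop:deny-table-hit"       # no first-packet processing; log per policy
    if policy_denies:
        table.insert(key, "deny-policy", now)
        return "drop:first-packet-denied"  # lightweight deny session created
    return "permit"
```

A packet that repeats within 2 seconds of a denied first packet is dropped from the deny table; after expiry it goes through first-packet processing again and re-creates the entry.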


Modification History:

2020-12-28: Article reviewed for accuracy; no changes required; article valid and relevant

