
[ScreenOS] Modifying destination IP session limit


Article ID: KB33750. KB Last Updated: 23 Jan 2019. Version: 1.0
Summary:

This article provides information about modifying the destination IP session limit to suit the needs of your environment and platform.


Symptoms:

When the destination IP limit is reached, the following messages are seen:

2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1640, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2936, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.


Cause:

By default, the destination-IP-based threshold is set to 128.

This is by design of the screen functionality: by default, the firewall allows only a limited number of concurrent sessions to a single destination IP. The limit protects the session table from being exhausted by infected, compromised, or attacker-controlled hosts.


Solution:

To view the destination IP session limit currently set for a zone, use the following command:

Firewall-> get zone <zone name> screen | inc Destination-IP
Result= Destination-IP-based Threshold: 128

To make changes to the session limit for a zone, use the following command:

Firewall-> set zone <zone name> screen limit-session destination-ip-based "<number>"

Note: "number" is the maximum number of concurrent sessions permitted to a single destination IP. This value might need adjustment to suit the needs of your network environment and the platform.

Note: Determine the optimum session limit carefully, based on the network environment, so that the screen does not trigger falsely on legitimate traffic while still protecting the customer network from attacks.
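Before raising the limit, it helps to know which destination hosts are hitting it and whether the hits come from one source or many. The following is an added example, not part of this KB article or ScreenOS itself: it parses "Dst IP session limit!" events of the shape shown under Symptoms (sample lines constructed here, with masked addresses as on the page) and aggregates hit counts per destination and per source behind each destination.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the format shown under Symptoms (one line is unrelated noise).
SAMPLE_LOG = """\
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1640, proto UDP (zone Untrust, int ethernet0/6). Occurred 3 times.
2018-05-14 11:15:45 info some unrelated event
"""

# Field layout of the ScreenOS event line as shown in the Symptoms section.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) Dst IP session limit! "
    r"From (?P<src>\S+):(?P<sport>\d+) to (?P<dst>\S+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\.$"
)

def parse_events(log_text):
    """Return one dict per 'Dst IP session limit!' line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])  # 'Occurred N times' coalesces repeats
            events.append(ev)
    return events

def summarize(events):
    """Total hits per destination IP, and per (zone, interface, source, proto) behind it,
    weighted by the 'Occurred N times' field so coalesced events are not under-counted."""
    per_dst = Counter()
    per_dst_src = defaultdict(Counter)
    for ev in events:
        per_dst[ev["dst"]] += ev["count"]
        per_dst_src[ev["dst"]][(ev["zone"], ev["intf"], ev["src"], ev["proto"])] += ev["count"]
    return per_dst, per_dst_src

def distinct_sources(per_dst_src):
    """Number of distinct source IPs per destination: one source hitting the limit looks different
    from many clients legitimately needing a higher destination-ip-based threshold."""
    return {dst: len({key[2] for key in srcs}) for dst, srcs in per_dst_src.items()}
```

Run it over the real event log exported from the firewall in place of SAMPLE_LOG; a destination with many distinct sources is a candidate for raising the threshold, while a single source producing all hits deserves a closer look first.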
