Your NetScreen supports traffic alarms when traffic exceeds thresholds that you have defined in policies. You can configure your NetScreen to alert you through one or more of the following methods whenever a traffic alarm is generated:
- Console
- Internal (Event Log)
- Email
- SNMP
- Syslog
- WebTrends
- NetScreen-Global PRO
You set alarm thresholds to detect anomalous activity. To know what constitutes anomalous activity, you must first establish a baseline of normal activity. To create such a baseline for network traffic, you must observe traffic patterns over a period of time. Then, after you have determined the amount of traffic that you consider as normal, you can set alarm thresholds above that amount. Traffic exceeding that threshold triggers an alarm to call your attention to a deviation from the baseline. You can then evaluate the situation to determine what caused the deviation and whether you need to take action in response. You can also use traffic alarms to provide policy-based intrusion detection and notification of a compromised system.

In this example, we have a Web server with IP address 211.20.1.5, with the name web1 in the DMZ zone. We will detect any attempts from the Untrust zone to access this Web server via Telnet. To accomplish this, we will create a policy denying Telnet traffic from any address in the Untrust zone destined to the Web server named web1 in the DMZ zone, and set a traffic alarm threshold of 64 bytes. Because the smallest size of IP packet is 64 bytes, even one Telnet packet attempting to reach the Web server from the Untrust zone will trigger this alarm.
To configure a traffic alarm, perform the following steps:

1. Open the WebUI.
2. From the NetScreen options menu, click Objects, select Addresses, and then click List.
3. Click New.
4. In the Address Name text box, enter an Address Name (web1 in this example).
5. From IP Address/Domain Name, click to select IP/Netmask. In the IP/Netmask text box, enter an IP/Netmask (211.20.1.5 in this example).
6. In the Zone drop-down menu, click to select DMZ.
7. Click OK.
8. From the NetScreen options menu, click Policies.
9. In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select DMZ.
10. Click New.
11. In the Name (optional) text box, enter a policy name.
12. Under Source Address, click to select Address Book. In the Address Book drop-down menu, click to select Any.
13. Under Destination Address, click to select Address Book. In the Address Book drop-down menu, click to select web1.
14. In the Service drop-down menu, click to select TELNET. In the Action drop-down menu, click to select Deny.
15. Click Advanced.
16. Click to select Counting.
17. From Alarm Threshold, enter a value in the Bytes/Sec text box (64 in this example).
18. Click Return.
19. Click OK.

Your alarm threshold is now set.
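The same address object and policy entered at the ScreenOS CLI, as an added example that is not part of the original page. The `count alarm <bytes/sec> <KBytes/min>` argument order, the use of 0 to leave the per-minute threshold unset, and the two `get` verification commands are assumed from the ScreenOS CLI reference; the lines beginning with `#` are annotations, not CLI input.

```screenos
# Address-book entry for the Web server in the DMZ zone (values from the page)
set address dmz web1 211.20.1.5 255.255.255.255

# Deny Telnet from any Untrust address to web1, count the matching traffic,
# and raise an alarm when the policy sees more than 64 bytes/sec.
# The second value is the KBytes/min threshold; 0 is assumed to leave it unset.
set policy from untrust to dmz any web1 telnet deny count alarm 64 0
save

# Verification (assumed commands): confirm the policy is installed, then review
# the traffic alarms it has raised once a denied Telnet packet has matched it
get policy from untrust to dmz
get alarm traffic
```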
