screen

18-Dec-23

Syntax

screen {
    ids-option name {
        aggregation {
            destination-prefix-mask destination-prefix-mask;
            destination-prefix-v6-mask destination-prefix-v6-mask;
            source-prefix-mask source-prefix-mask;
            source-prefix-v6-mask source-prefix-v6-mask;
        }
        alarm-without-drop;
        description (Security Screen) description;
        icmp (Security Screen) {
            flood (Security ICMP) <threshold ICMP packets per second>;
            fragment;
            icmpv6-malformed;
            ip-sweep <threshold microseconds in which 10 ICMP packets are detected>;
            large;
            ping-death;
        }
        ip (Security Screen) {
            bad-option;
            block-frag;
            ipv6-extension-header {
                AH-header;
                destination-header {
                    home-address-option;
                    ILNP-nonce-option;
                    line-identification-option;
                    tunnel-encapsulation-limit-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                ESP-header;
                fragment-header;
                HIP-header;
                hop-by-hop-header {
                    CALIPSO-option;
                    jumbo-payload-option;
                    quick-start-option;
                    router-alert-option;
                    RPL-option;
                    SMF-DPD-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                mobility-header;
                no-next-header;
                routing-header;
                shim6-header;
                user-defined-header-type name {
                    to type-high;
                }
            }
            ipv6-extension-header-limit ipv6-extension-header-limit;
            ipv6-malformed-header;
            loose-source-route-option;
            record-route-option;
            security-option;
            source-route-option;
            spoofing;
            stream-option;
            strict-source-route-option;
            tear-drop;
            timestamp-option;
            tunnel (Security Screen) {
                bad-inner-header;
                gre {
                    gre-4in4;
                    gre-4in6;
                    gre-6in4;
                    gre-6in6;
                }
                ip-in-udp {
                    teredo;
                }
                ipip {
                    dslite;
                    ipip-4in4;
                    ipip-4in6;
                    ipip-6in4;
                    ipip-6in6;
                    ipip-6over4;
                    ipip-6to4relay;
                    isatap;
                }
            }
            unknown-protocol;
        }
        limit-session {
            by-destination {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            by-source {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            destination-ip-based destination-ip-based;
            source-ip-based source-ip-based;
        }
        match-direction (input | input-output | output);
        tcp (Security Screen) {
            fin-no-ack;
            land;
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            syn-ack-ack-proxy <threshold un-authenticated connections>;
            syn-fin;
            syn-flood {
                alarm-threshold requests per second;
                attack-threshold proxied requests per second;
                destination-threshold SYN pps;
                source-threshold SYN pps;
                timeout (Security Screen) seconds;
                white-list name {
                    destination-address [ destination-address ... ];
                    source-address [ source-address ... ];
                }
            }
            syn-frag;
            tcp-no-flag;
            tcp-sweep <threshold microseconds in which 10 TCP packets are detected>;
            winnuke;
        }
        udp (Security Screen) {
            flood (Security UDP) {
                threshold UDP packets per second;
                white-list [ white-list ... ];
            }
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            udp-sweep <threshold microseconds in which 10 UDP packets are detected>;
        }
    }
    traceoptions (Security Screen) {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
    }
    trap <interval seconds>;
    white-list name {
        address [ address ... ];
    }
}

Hierarchy Level

[edit security]
[edit tenant tenant-name security]

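Description

Configure security screen options. For each security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines to be potentially harmful.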
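
A screen profile of the kind this statement defines, staged in alarm-only mode and then attached to a zone. This is an added example, not part of the Juniper page: the screen name `untrust-screen`, the zone name `untrust` and every threshold value are constructed, and the `security zones security-zone ... screen` binding is standard Junos syntax that this page does not show.

```junos
# Define the profile (name and thresholds are constructed sample values).
set security screen ids-option untrust-screen description "Edge screen profile"
# Stage first: raise alarms without dropping packets, so thresholds can be tuned.
set security screen ids-option untrust-screen alarm-without-drop
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen udp flood threshold 5000
# A screen has no effect until it is attached to a security zone.
set security zones security-zone untrust screen untrust-screen
# Commit, review the counters, then remove the staging flag so matches are dropped.
delete security screen ids-option untrust-screen alarm-without-drop
```

In operational mode, `show security screen statistics zone untrust` displays the per-screen counters to review before the staging flag is removed.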

Options

ids-option screen-name

Name of the screen that you configure at the security screen ids-option level. Defines screens for intrusion detection service (IDS).

trap

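Configure the trap interval. Enable or disable the sending of Simple Network Management Protocol (SNMP) notifications when the connection state changes. A trap is an unsolicited message sent from an SNMP agent to a remote network management system or trap receiver.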

white-list

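Set of IP addresses for the allowlist. Configure an allowlist of IP addresses that are exempt from the SYN cookie and SYN proxy mechanisms that occur during the SYN flood screen protection process. The allowlist contains known, trusted IP addresses and URLs. Content downloaded from locations on the allowlist does not have to be inspected for malware.

The remaining statements are explained separately. See CLI Explorer.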

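Required Privilege Level

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

The description option added in Junos OS Release 12.1.

The tenant option introduced in Junos OS Release 18.3R1.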
