show security screen ids-option
Syntax
```
show security screen ids-option screen-name
<logical-system logical-system-name | root-logical-system | tenant tenant-name>
```
Description
Display the configuration information about the specified security screen. You can configure an ids-option to enable screen protection on the SRX Series Firewalls.
Options
- screen-name—Name of the screen.
- logical-system—Name of the logical system.
- root-logical-system—Displays the root logical system as the default.
- tenant—Name of the tenant system.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security screen ids-option command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| | Number of microseconds for which the device accepts 10 TCP packets from the same remote source to different destination addresses. |
| TCP port scan threshold | Number of microseconds during which the device accepts packets from the same remote source with up to 10 different port numbers. |
| ICMP address sweep threshold | Number of microseconds during which up to 10 ICMP echo requests from the same host are allowed into the device. |
| UDP flood threshold | Number of UDP packets per second allowed to ping the same destination address before the device rejects further UDP packets. |
| UDP port scan threshold | Number of microseconds during which the device accepts packets from the same remote source IP with up to 10 different destination port numbers. |
| TCP winnuke | Enable or disable the detection of TCP WinNuke attacks. |
| TCP SYN flood attack threshold | Number of SYN packets per second required to trigger the SYN proxy response. |
| TCP SYN flood alarm threshold | Number of half-complete proxy connections per second at which the device makes entries in the event alarm log. |
| TCP SYN flood source threshold | Number of SYN segments to be received per second before the device begins dropping connection requests. |
| TCP SYN flood destination threshold | Number of SYN segments received per second before the device begins dropping connection requests. |
| TCP SYN flood timeout | Maximum length of time before a half-completed connection is dropped from the queue. |
| TCP SYN flood queue size | Number of proxy connection requests that can be held in the proxy connection queue before the device begins rejecting new connection requests. |
| ICMP large packet | Enable or disable the detection of any ICMP frame with an IP length greater than 1024 bytes. |
| | Number of microseconds for which the device accepts 10 UDP packets from the same remote source to different destination addresses. |
| IPv6 extension routing | Enable or disable the IPv6 extension routing screen option. |
| IPv6 extension shim6 | Enable or disable the IPv6 extension shim6 screen option. |
| IPv6 extension fragment | Enable or disable the IPv6 extension fragment screen option. |
| IPv6 extension AH | Enable or disable the IPv6 extension Authentication Header Protocol screen option. |
| IPv6 extension ESP | Enable or disable the IPv6 extension Encapsulating Security Payload screen option. |
| IPv6 extension mobility | Enable or disable the IPv6 extension mobility screen option. |
| IPv6 extension HIP | Enable or disable the IPv6 extension Host Identity Protocol screen option. |
| IPv6 extension no next | Enable or disable the IPv6 extension no-next screen option. |
| IPv6 extension user-defined | Enable or disable the IPv6 extension user-defined screen option. |
| IPv6 extension HbyH jumbo | Enable or disable the IPv6 extension HbyH jumbo screen option. |
| IPv6 extension HbyH RPL | Enable or disable the IPv6 extension HbyH RPL screen option. |
| IPv6 extension HbyH router alert | Enable or disable the IPv6 extension HbyH router alert screen option. |
| IPv6 extension HbyH quick start | Enable or disable the IPv6 extension HbyH quick-start screen option. |
| IPv6 extension HbyH CALIPSO | Enable or disable the IPv6 extension HbyH Common Architecture Label IPv6 Security Option screen option. |
| IPv6 extension HbyH SMF DPD | Enable or disable the IPv6 extension HbyH Simplified Multicast Forwarding IPv6 Duplicate Packet Detection screen option. |
| IPv6 extension HbyH user-defined | Enable or disable the IPv6 extension HbyH user-defined screen option. |
| IPv6 extension Dst tunnel encap limit | Enable or disable the IPv6 extension distributed (network) storage tunnel encapsulation limit screen option. |
| IPv6 extension Dst home address | Enable or disable the IPv6 extension DST home address screen option. |
| IPv6 extension Dst ILNP nonce | Enable or disable the IPv6 extension DST Identifier-Locator Network Protocol nonce screen option. |
| IPv6 extension Dst line-id | Enable or disable the IPv6 extension DST line-ID screen option. |
| IPv6 extension Dst user-defined | Enable or disable the IPv6 extension DST user-defined screen option. |
| IPv6 extension header limit | Threshold for the number of IPv6 extension headers that can pass through the screen. |
| IPv6 Malformed header | Enable or disable the IPv6 malformed header screen option. |
| ICMPv6 malformed packet | Enable or disable the ICMPv6 malformed packet screen option. |
| UDP flood white-list | Allowlist of IP addresses to bypass UDP flood detection. |
| IP block fragment white-list | Allowlist of IP addresses to bypass the IP block fragmentation check. |
| | Limit on the number of concurrent sessions the device can initiate from a single source IP address, or the number of sessions it can direct to a single destination IP address. |
| Logical system / Tenant | Name of the logical system or tenant system. |
Sample Output
show security screen ids-option jscreen
```
user@host> show security screen ids-option jscreen
Screen object status:

Name                                         Value
TCP port scan threshold                      5000
UDP port scan threshold                      10000
ICMP address sweep threshold                 5000
```
Sample Output
show security screen ids-option jscreen (IPv6)
```
user@host> show security screen ids-option jscreen
Screen object status:

Name                                         Value
ICMP ping of death                           enabled
......
IPv6 extension routing                       enabled
IPv6 extension shim6                         enabled
IPv6 extension fragment                      enabled
IPv6 extension AH                            enabled
IPv6 extension ESP                           enabled
IPv6 extension mobility                      enabled
IPv6 extension HIP                           enabled
IPv6 extension no next                       enabled
IPv6 extension user-defined                  enabled
IPv6 extension HbyH jumbo                    enabled
IPv6 extension HbyH RPL                      enabled
IPv6 extension HbyH router alert             enabled
IPv6 extension HbyH quick start              enabled
IPv6 extension HbyH CALIPSO                  enabled
IPv6 extension HbyH SMF DPD                  enabled
IPv6 extension HbyH user-defined             enabled
IPv6 extension Dst tunnel encap limit        enabled
IPv6 extension Dst home address              enabled
IPv6 extension Dst ILNP nonce                enabled
IPv6 extension Dst line-id                   enabled
IPv6 extension Dst user-defined              enabled
IPv6 extension header limit                  20
IPv6 Malformed header                        enabled
ICMPv6 malformed packet                      enabled
```
Sample Output
show security screen ids-option jscreen1 node all
```
user@host> show security screen ids-option jscreen1 node all
node0:
--------------------------------------------------------------------------
Screen object status:

Name                                         Value
UDP flood threshold                          1000
TCP winnuke                                  enabled
TCP SYN flood attack threshold               200
TCP SYN flood alarm threshold                512
TCP SYN flood source threshold               4000
TCP SYN flood destination threshold          4000
TCP SYN flood timeout                        20
TCP SYN flood queue size                     1024
ICMP large packet                            enabled

node1:
--------------------------------------------------------------------------
Screen object status:

Name                                         Value
UDP flood threshold                          1000
TCP winnuke                                  enabled
TCP SYN flood attack threshold               200
TCP SYN flood alarm threshold                512
TCP SYN flood source threshold               4000
TCP SYN flood destination threshold          4000
TCP SYN flood timeout                        20
TCP SYN flood queue size                     1024
ICMP large packet                            enabled
```
show security screen ids-option jscreen tenant TN1
```
user@host> show security screen ids-option jscreen tenant TN1
Screen object status:

Name                                         value
UDP flood threshold                          1000
UDP flood white-list                         a1
UDP flood white-list                         a2
```
show security screen ids-option jscreen tenant all
```
user@host> show security screen ids-option jscreen tenant all
Logical system: root-logical-system
Screen object status:

Name                                         value
UDP flood threshold                          1
UDP flood white-list                         a1
UDP flood white-list                         a2
IP block fragment                            enabled
Session source limit threshold               5

Tenant: TN1
Screen object status:

Name                                         value
UDP flood threshold                          1000
UDP flood white-list                         a1
UDP flood white-list                         a2
```
show security screen ids-option jscreen (IP block fragment screen)
```
user@host> show security screen ids-option jscreen
Screen object status:

Name                                         value
IP block fragment                            enabled
IP block fragment white-list                 a1
IP block fragment white-list                 a2
```
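As an added example (not from the Junos documentation or any Juniper tool), the following Python parser reads the output shape shown in the samples above, covering the plain, `node all` and `tenant all` forms, and audits each section against a baseline; the sample text and the `REQUIRED` baseline are constructed assumptions, not values from this page.

```python
import re

# Constructed sample, not from the page: shape of the "tenant all" output
# (a root-logical-system section followed by one tenant section).
SAMPLE = """\
Logical system: root-logical-system
Screen object status:
Name                              value
UDP flood threshold               1
UDP flood white-list              a1
UDP flood white-list              a2
IP block fragment                 enabled
Session source limit threshold    5
Tenant: TN1
Screen object status:
Name                              value
UDP flood threshold               1000
UDP flood white-list              a1
UDP flood white-list              a2
"""

SECTION_RE = re.compile(r"^(Logical system|Tenant|node\d+):\s*(.*)$")
SKIP = ("Screen object status", "---", "Name ")   # headers and node separators

def parse_screen_status(text):
    """Return {section: {field: value}}; ints are converted, repeated fields (white-lists) become lists."""
    sections, current = {}, "default"        # 'default' when no section header precedes the fields
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:                                # e.g. 'Tenant: TN1', 'node0:'
            current = m.group(2) or m.group(1)
            continue
        if not line or line.startswith(SKIP):
            continue
        name, value = line.rsplit(None, 1)   # the value is the last token of the row
        value = int(value) if value.isdigit() else value
        fields = sections.setdefault(current, {})
        prev = fields.get(name)
        fields[name] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    return sections

# Assumed audit baseline, not from the page: options every screen should carry
# (None means "must be present with any value").
REQUIRED = {"IP block fragment": "enabled", "UDP flood threshold": None}

def audit(sections, required=REQUIRED):
    """Return (section, field, problem) for every required option that is absent or differs."""
    return [(sec, f, "not configured" if f not in fields else f"is {fields[f]!r}, expected {want!r}")
            for sec, fields in sections.items() for f, want in required.items()
            if f not in fields or (want is not None and fields[f] != want)]
```

Running `audit(parse_screen_status(SAMPLE))` on the constructed sample reports that tenant TN1 has no IP block fragment screen configured while the root logical system does.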
Release Information
Command introduced in Junos OS Release 8.5.

Support for UDP port scan added in Junos OS Release 12.1X47-D10.

Support for the node option added in Junos OS Release 9.0.

Support for IPv6 extension header screens added in Junos OS Release 12.1X46-D10.

The tenant option was introduced in Junos OS Release 18.3R1.

The IP block fragment allowlist option was added in Junos OS Release 22.2R1.