potential-violation
Syntax
potential-violation {
    authentication failures;
    cryptographic-self-test;
    decryption-failures {
        threshold value;
    }
    encryption-failures {
        threshold value;
    }
    idp;
    ike-phase1-failures {
        threshold value;
    }
    ike-phase2-failures {
        threshold value;
    }
    key-generation-self-test;
    non-cryptographic-self-test;
    policy {
        application {
            duration interval;
            size count;
            threshold value;
        }
        destination-ip {
            duration interval;
            size count;
            threshold value;
        }
        policy match {
            duration interval;
            size count;
            threshold value;
        }
        source-ip {
            duration interval;
            size count;
            threshold value;
        }
    }
    replay-attacks {
        threshold value;
    }
    security-log-percent-full percentage;
}
Hierarchy Level
[edit security alarms]
Description
Configure alarms for potential violations.
Options
authentication | Raise a security alarm after the device or switch detects a specified number of authentication failures (bad password attempts). |
cryptographic-self-test | Raise a security alarm when the device or switch detects a cryptographic self-test failure. Cryptographic self-tests are a set of preoperational tests that are performed after the device or switch is powered on. The self-tests run without operator intervention. By default, no alarm is raised upon failure of a cryptographic self-test. |
decryption-failures | Raise a security alarm after exceeding a specified number of decryption failures. |
encryption-failures | Raise a security alarm after exceeding a specified number of encryption failures. |
ike-phase1-failures | Raise a security alarm after exceeding a specified number of Internet Key Exchange (IKE) Phase 1 failures. |
ike-phase2-failures | Raise a security alarm after exceeding a specified number of Internet Key Exchange (IKE) Phase 2 failures. |
key-generation-self-test | Raise a security alarm when the device or switch detects a key generation self-test failure. Key generation is the process of generating keys for cryptography. A key is used to encrypt and decrypt data. The self-tests run without operator intervention. By default, no alarm is raised upon failure of a key generation self-test. |
non-cryptographic-self-test | Raise a security alarm when the device or switch detects a noncryptographic self-test failure. The self-tests run without operator intervention. By default, no alarm is raised upon failure of a noncryptographic self-test. |
policy | Configure alarms for policy violation, based on source IP, destination IP, application, and policy rule. |
replay-attacks | Raise a security alarm when the device detects a replay attack. |
security-log-percent-full | Raise a security alarm when the security log exceeds a specified percent of total capacity. |
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.
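Example (added here, not part of the Juniper documentation): a Python check that reads configuration in "display set" form and reports which of the potential-violation alarms listed under Syntax are not configured, and which threshold-type alarms have no explicit threshold. The sample configuration and its values are constructed for illustration, and audit is a hypothetical helper name.

```python
# Statements under [edit security alarms potential-violation], from the Syntax
# section. True means the statement takes a "threshold value" child.
ALARMS = {
    "authentication": False, "cryptographic-self-test": False,
    "decryption-failures": True, "encryption-failures": True, "idp": False,
    "ike-phase1-failures": True, "ike-phase2-failures": True,
    "key-generation-self-test": False, "non-cryptographic-self-test": False,
    "policy": False,  # any policy sub-statement counts as configured
    "replay-attacks": True, "security-log-percent-full": False,
}
PREFIX = "set security alarms potential-violation "

# Constructed sample in "display set" form; every value is illustrative only.
SAMPLE = """\
set system host-name fw-example
set security alarms potential-violation authentication 6
set security alarms potential-violation decryption-failures threshold 10
set security alarms potential-violation encryption-failures threshold 10
set security alarms potential-violation ike-phase1-failures threshold 10
set security alarms potential-violation ike-phase2-failures
set security alarms potential-violation policy source-ip threshold 1000 duration 20 size 200
set security alarms potential-violation security-log-percent-full 90
"""

def audit(display_set_text):
    """Return (missing, no_threshold): alarms not configured at all, and
    threshold-type alarms configured without an explicit threshold."""
    seen = {}
    for line in display_set_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue  # other hierarchy levels are out of scope
        words = line[len(PREFIX):].split()
        if words and words[0] in ALARMS:
            seen.setdefault(words[0], []).append(words[1:])
    missing = sorted(name for name in ALARMS if name not in seen)
    no_threshold = sorted(
        name for name, arg_lists in seen.items()
        if ALARMS[name] and not any("threshold" in args for args in arg_lists)
    )
    return missing, no_threshold

if __name__ == "__main__":
    missing, no_threshold = audit(SAMPLE)
    print("not configured:", ", ".join(missing))
    print("no explicit threshold:", ", ".join(no_threshold))
```

On the sample, the three self-test alarms, idp and replay-attacks are reported as not configured, which matters because the self-test failures raise no alarm unless their statements are present.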