tcp (Security Screen)
Syntax
tcp {
    fin-no-ack;
    land;
    port-scan {
        threshold number;
    }
    syn-ack-ack-proxy {
        threshold number;
    }
    syn-fin;
    syn-flood {
        alarm-threshold number;
        attack-threshold number;
        destination-threshold number;
        source-threshold number;
        timeout seconds;
        white-list name {
            destination-address destination-address;
            source-address source-address;
        }
    }
    syn-frag;
    tcp-no-flag;
    tcp-sweep {
        threshold threshold number;
    }
    winnuke;
}
Hierarchy Level
[edit security screen ids-option screen-name]
Description
Configure TCP-layer intrusion detection service (IDS) options.
On all SRX Series Firewalls, the TCP synchronization flood alarm threshold value does not indicate the number of packets dropped; however, the value does show the packet information after the alarm threshold has been reached.
The synchronization cookie or proxy never drops packets; therefore, the alarm-without-drop (not drop) action is shown in the system log.
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.