ids-option

Syntax

Hierarchy Level

Description

Define screens for the intrusion detection service (IDS). An ids-option is used to enable screen protection on SRX Series Firewalls. One ids-option can be associated with several zones; however, each zone can be linked to only one ids-option.

Options

description text—Descriptive text about a screen.

alarm-without-drop—Direct the device to generate an alarm when detecting an attack but not block the attack.

icmp—Configure the ICMP ids options.

ip—Configure the IP layer ids options.

limit-session—Limit the number of concurrent sessions the device can initiate from a single source IP address or the number of sessions it can direct to a single destination IP address.

tcp—Configure the TCP Layer ids options.

udp—Configure the UDP Layer ids options.

loose-source-route-option—The device detects packets where the IP option is 3 (Loose Source Routing) and records the event in the screen counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified.

source-route-option—Enable this option to block all IP traffic that employs the loose or strict source route option. Source route options can allow an attacker to enter a network with a false IP address.

strict-source-route-option—The device detects packets where the IP option is 9 (Strict Source Routing) and records the event in the screen counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable to IPv4 only.

Note:

The loose-source-route-option and strict-source-route-option screens only raise an alarm; matching packets are not dropped, even when there is an overflow of traffic. When only the IP source-route-option is configured, the offending packets are dropped.
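The three source-route screens above all hinge on the same check: walking the IPv4 options field and recognising option number 3 (loose source routing) or 9 (strict source routing). The following is an added example, not Junos code or anything from this page, that parses those options from a raw IPv4 header and then models the alarm-versus-drop behaviour the Note describes for a given set of ids-option statements. The packet builder, the sample addresses, and the function names (`parse_ipv4_options`, `classify_source_route`, `screen_action`, `build_ipv4`) are all constructed for this illustration; the firewall's real implementation is not visible on the page.

```python
import struct
import ipaddress

# IPv4 option numbers (low five bits of the option type byte, RFC 791).
# The page calls these "IP option 3" and "IP option 9"; on the wire the full
# type bytes are 0x83 (LSRR) and 0x89 (SSRR) because the copied flag is set.
OPT_EOL = 0    # end of option list
OPT_NOP = 1    # no operation (single-byte padding)
OPT_LSRR = 3   # loose source and record route
OPT_SSRR = 9   # strict source and record route


def parse_ipv4_options(packet: bytes):
    """Return [(option_number, option_data)] from an IPv4 header.
    Malformed option encodings raise ValueError so a caller can count the
    packet as anomalous instead of silently ignoring it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = packet[20:ihl]          # empty when IHL == 5
    found, i = [], 0
    while i < len(options):
        number = options[i] & 0x1F
        if number == OPT_EOL:
            break
        if number == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append((number, bytes(options[i + 2:i + length])))
        i += length
    return found


def classify_source_route(packet: bytes):
    """Return 'loose', 'strict', or None for a packet."""
    for number, _data in parse_ipv4_options(packet):
        if number == OPT_LSRR:
            return "loose"
        if number == OPT_SSRR:
            return "strict"
    return None


def screen_action(packet: bytes, screen: set):
    """Illustrative model (not the firewall's code) of the behaviour the page
    describes. `screen` holds the statement names configured under one
    ids-option; returns (action, triggering_statement)."""
    kind = classify_source_route(packet)
    if kind is None:
        return ("pass", None)
    # source-route-option blocks both loose and strict source routing;
    # alarm-without-drop turns that block into an alarm only.
    if "source-route-option" in screen:
        action = "alarm" if "alarm-without-drop" in screen else "drop"
        return (action, "source-route-option")
    # The per-type screens only alarm and record the event in the counters.
    if kind == "loose" and "loose-source-route-option" in screen:
        return ("alarm", "loose-source-route-option")
    if kind == "strict" and "strict-source-route-option" in screen:
        return ("alarm", "strict-source-route-option")
    return ("pass", None)


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Header-only IPv4 packet with the given options (constructed test
    input; the checksum is left zero because it is not inspected)."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                         64, 6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + padded


# Constructed samples: plain, LSRR, and NOP-padded SSRR (pointer byte 4 and
# one intermediate hop, all from documentation address ranges).
HOP = ipaddress.IPv4Address("203.0.113.1").packed
PLAIN = build_ipv4("192.0.2.10", "198.51.100.5")
LOOSE = build_ipv4("192.0.2.10", "198.51.100.5", b"\x83\x07\x04" + HOP)
STRICT = build_ipv4("192.0.2.10", "198.51.100.5", b"\x01\x89\x07\x04" + HOP)
```

Running `screen_action(STRICT, {"source-route-option"})` yields a drop, while the same packet against `{"strict-source-route-option"}` only alarms, which is the distinction the Note draws; a packet whose option length overruns the header raises `ValueError`, which a real screen would count rather than forward.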

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Support for the description option added in Junos OS Release 12.1.

Support for the UDP port-scan option added in Junos OS Release 12.1X47-D10.

The tenant option was introduced in Junos OS Release 18.3R1.