Screen Options for Tenant Systems
Screen options for tenant systems on SRX Series Firewalls detect and block attacks such as IP address sweeps, port scans, denial-of-service (DoS) attacks, and ICMP, UDP, and SYN floods, in the same way as screen options for logical systems. For more information, see the following topics:
Understanding Tenant System Screen Options
Using screen options, the device secures a zone by inspecting, and then allowing or denying, every connection attempt that must cross an interface bound to that zone. Screens are evaluated first; Junos OS then applies the firewall policies, which can include content filtering and IDP, to the traffic that passes the screen checks. All screen options that are available on the device are also available in each tenant system.
Starting in Junos OS Release 18.3R1, the screen options that are supported for logical systems are extended to tenant systems.
Example: Configuring Screen Options for a Tenant System
This example shows how to configure screen options for a tenant system.
Requirements
Before you begin:
Understand the tenant system configuration process. See Tenant System Configuration Overview to understand how this task fits into the overall configuration process.
Configure the zones for the tenant system. See Security Zones for Tenant Systems to understand how to configure the zones for tenant systems.
Overview
Using screen options, the security device protects its security zones against a variety of internal and external attacks. One such option limits the number of concurrent sessions to the same destination IP address in a tenant system. A destination-based session limit ensures that Junos OS allows only an acceptable number of concurrent connection requests, regardless of their source, to reach any one host. When the number of concurrent connection requests to an IP address exceeds the limit, Junos OS blocks further connection attempts to that IP address.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set tenants TN1 security screen ids-option jscreen limit-session destination-ip-based 80
set tenants TN1 security screen ids-option jscreen icmp ip-sweep threshold 1000
set tenants TN1 security screen ids-option jscreen icmp fragment
set tenants TN1 security screen ids-option jscreen icmp large
set tenants TN1 security screen ids-option jscreen icmp flood threshold 200
set tenants TN1 security screen ids-option jscreen icmp ping-death
set tenants TN1 security screen ids-option jscreen ip bad-option
set tenants TN1 security screen ids-option jscreen ip stream-option
set tenants TN1 security screen ids-option jscreen ip spoofing
set tenants TN1 security screen ids-option jscreen ip strict-source-route-option
set tenants TN1 security screen ids-option jscreen ip unknown-protocol
set tenants TN1 security screen ids-option jscreen ip tear-drop
set tenants TN1 security screen ids-option jscreen tcp syn-fin
set tenants TN1 security screen ids-option jscreen tcp tcp-no-flag
set tenants TN1 security screen ids-option jscreen tcp syn-frag
set tenants TN1 security screen ids-option jscreen tcp port-scan threshold 1000
set tenants TN1 security screen ids-option jscreen tcp syn-ack-ack-proxy threshold 500
set tenants TN1 security screen ids-option jscreen tcp syn-flood alarm-threshold 500
set tenants TN1 security screen ids-option jscreen tcp syn-flood attack-threshold 500
set tenants TN1 security screen ids-option jscreen tcp syn-flood source-threshold 50
set tenants TN1 security screen ids-option jscreen tcp syn-flood destination-threshold 1000
set tenants TN1 security screen ids-option jscreen tcp syn-flood timeout 10
set tenants TN1 security screen ids-option jscreen tcp land
set tenants TN1 security screen ids-option jscreen tcp winnuke
set tenants TN1 security screen ids-option jscreen tcp tcp-sweep threshold 1000
set tenants TN1 security screen ids-option jscreen udp flood threshold 500
set tenants TN1 security screen ids-option jscreen udp udp-sweep threshold 1000
set tenants TN1 security zones security-zone untrust screen jscreen
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure screen options, including a destination-based session limit, in a tenant system:
Log in to the tenant system as the administrator and enter configuration mode.
user@host:TN1> configure
user@host:TN1#
At the [edit tenants TN1] hierarchy level, create a screen named jscreen and configure a destination-based session limit of 80 concurrent sessions.
[edit tenants TN1]
user@host:TN1# set security screen ids-option jscreen limit-session destination-ip-based 80
Configure the ICMP screening options.
[edit tenants TN1 security screen ids-option jscreen]
user@host:TN1# set icmp ip-sweep threshold 1000
user@host:TN1# set icmp fragment
user@host:TN1# set icmp large
user@host:TN1# set icmp flood threshold 200
user@host:TN1# set icmp ping-death
Configure the IP screening options.
[edit tenants TN1 security screen ids-option jscreen]
user@host:TN1# set ip bad-option
user@host:TN1# set ip stream-option
user@host:TN1# set ip spoofing
user@host:TN1# set ip strict-source-route-option
user@host:TN1# set ip unknown-protocol
user@host:TN1# set ip tear-drop
Configure the TCP screening options.
[edit tenants TN1 security screen ids-option jscreen]
user@host:TN1# set tcp syn-fin
user@host:TN1# set tcp tcp-no-flag
user@host:TN1# set tcp syn-frag
user@host:TN1# set tcp port-scan threshold 1000
user@host:TN1# set tcp syn-ack-ack-proxy threshold 500
user@host:TN1# set tcp syn-flood alarm-threshold 500
user@host:TN1# set tcp syn-flood attack-threshold 500
user@host:TN1# set tcp syn-flood source-threshold 50
user@host:TN1# set tcp syn-flood destination-threshold 1000
user@host:TN1# set tcp syn-flood timeout 10
user@host:TN1# set tcp land
user@host:TN1# set tcp winnuke
user@host:TN1# set tcp tcp-sweep threshold 1000
Configure the UDP screening options.
[edit tenants TN1 security screen ids-option jscreen]
user@host:TN1# set udp flood threshold 500
user@host:TN1# set udp udp-sweep threshold 1000
Attach the screen (IDS-option profile) to the untrust zone. A screen inspects traffic only once it is bound to a zone.
[edit tenants TN1]
user@host:TN1# set security zones security-zone untrust screen jscreen
Results
From configuration mode, confirm your configuration by entering the show tenants TN1 security screen command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show tenants TN1 security screen
ids-option jscreen {
    limit-session {
        destination-ip-based 80;
    }
    icmp {
        ip-sweep threshold 1000;
        fragment;
        large;
        flood threshold 200;
        ping-death;
    }
    ip {
        bad-option;
        stream-option;
        spoofing;
        strict-source-route-option;
        unknown-protocol;
        tear-drop;
    }
    tcp {
        syn-fin;
        tcp-no-flag;
        syn-frag;
        port-scan threshold 1000;
        syn-ack-ack-proxy threshold 500;
        syn-flood {
            alarm-threshold 500;
            attack-threshold 500;
            source-threshold 50;
            destination-threshold 1000;
            timeout 10;
        }
        land;
        winnuke;
        tcp-sweep threshold 1000;
    }
    udp {
        flood {
            threshold 500;
        }
        udp-sweep threshold 1000;
    }
}
Verification
To confirm that the configuration is working properly, perform this task:
Verifying Security Screen Status
Purpose
Verify that the screen profile with multiple screening options is configured properly and attached to the zone.
Action
To verify that the configuration is working properly, enter the show security screen ids-option jscreen tenant TN1 and show security zone tenant TN1 commands from operational mode.
user@host> show security screen ids-option jscreen tenant TN1
Screen object status:
Name Value
ICMP flood threshold 200
UDP flood threshold 500
TCP winnuke enabled
TCP port scan threshold 1000
ICMP address sweep threshold 1000
TCP sweep threshold 1000
UDP sweep threshold 1000
IP tear drop enabled
TCP SYN flood attack threshold 500
TCP SYN flood alarm threshold 500
TCP SYN flood source threshold 50
TCP SYN flood destination threshold 1000
TCP SYN flood timeout 10
IP spoofing enabled
ICMP ping of death enabled
TCP land attack enabled
TCP SYN fragment enabled
TCP no flag enabled
IP unknown protocol enabled
IP bad options enabled
IP strict source route option enabled
IP stream option enabled
ICMP fragmentation enabled
ICMP large packet enabled
TCP SYN FIN enabled
TCP SYN-ACK-ACK proxy threshold 500
user@host> show security zone tenant TN1
Security zone: untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Screen: jscreen
Interfaces bound: 0
Interfaces:
Meaning
The first output lists each screen option in jscreen with its configured threshold or its enabled state, as seen from within tenant system TN1. The second output confirms that jscreen is attached to the untrust zone. Interfaces bound: 0 shows that no interface has yet been assigned to the zone, so the screen is not inspecting any traffic until an interface is bound to untrust.
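The following Python script is an added example; it is not part of Junos OS or the Junos OS documentation. It parses the plain text of the show security screen ids-option jscreen tenant TN1 output shown above and compares it with the thresholds and options this example configures, so that drift after a later commit (a threshold changed, an option deleted, an option added) is reported rather than eyeballed. The baseline values, the sample output embedded in the script, and the assumption that the output is captured as text with whatever CLI or NETCONF tooling you already use are all assumptions of the example.

```python
"""Compare a tenant system's screen status against an intended baseline.

Added example, not part of Junos OS or its documentation. Parses the text
of 'show security screen ids-option jscreen tenant TN1' and reports drift:
thresholds that differ from the baseline, options the baseline expects but
the device does not report, and options reported that the baseline omits.
"""

# Constructed sample: the operational output of this example, as text.
SAMPLE_OUTPUT = """\
Screen object status:
Name Value
ICMP flood threshold 200
UDP flood threshold 500
TCP winnuke enabled
TCP port scan threshold 1000
ICMP address sweep threshold 1000
TCP sweep threshold 1000
UDP sweep threshold 1000
IP tear drop enabled
TCP SYN flood attack threshold 500
TCP SYN flood alarm threshold 500
TCP SYN flood source threshold 50
TCP SYN flood destination threshold 1000
TCP SYN flood timeout 10
IP spoofing enabled
ICMP ping of death enabled
TCP land attack enabled
TCP SYN fragment enabled
TCP no flag enabled
IP unknown protocol enabled
IP bad options enabled
IP strict source route option enabled
IP stream option enabled
ICMP fragmentation enabled
ICMP large packet enabled
TCP SYN FIN enabled
TCP SYN-ACK-ACK proxy threshold 500
"""

# Intended state, keyed by the option name exactly as the device prints it.
# Integers are thresholds; True means the option must be enabled. The values
# are those configured in this example (an assumed baseline).
BASELINE = {
    "ICMP flood threshold": 200, "UDP flood threshold": 500,
    "TCP port scan threshold": 1000, "ICMP address sweep threshold": 1000,
    "TCP sweep threshold": 1000, "UDP sweep threshold": 1000,
    "TCP SYN flood attack threshold": 500, "TCP SYN flood alarm threshold": 500,
    "TCP SYN flood source threshold": 50, "TCP SYN flood destination threshold": 1000,
    "TCP SYN flood timeout": 10, "TCP SYN-ACK-ACK proxy threshold": 500,
    "TCP winnuke": True, "IP tear drop": True, "IP spoofing": True,
    "ICMP ping of death": True, "TCP land attack": True, "TCP SYN fragment": True,
    "TCP no flag": True, "IP unknown protocol": True, "IP bad options": True,
    "IP strict source route option": True, "IP stream option": True,
    "ICMP fragmentation": True, "ICMP large packet": True, "TCP SYN FIN": True,
}


def parse_screen_status(text):
    """Return {option name: value}; value is an int threshold or True for 'enabled'.

    Option names contain spaces, so the value is the last token on each line.
    """
    status = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse column padding
        if not line or line.lower().startswith(("screen object status", "name ")):
            continue  # banner and column header
        name, _, value = line.rpartition(" ")
        if value == "enabled":
            status[name] = True
        elif value.isdigit():
            status[name] = int(value)
        else:
            raise ValueError(f"unrecognised screen status line: {raw!r}")
    return status


def check(text, baseline=BASELINE):
    """Compare parsed status with the baseline and return the drift found."""
    status = parse_screen_status(text)
    return {
        "mismatches": {name: (want, status[name]) for name, want in baseline.items()
                       if name in status and status[name] != want},
        "missing": sorted(name for name in baseline if name not in status),
        "unexpected": sorted(name for name in status if name not in baseline),
    }


if __name__ == "__main__":
    drift = check(SAMPLE_OUTPUT)
    if any(drift.values()):
        for kind, items in drift.items():
            if items:
                print(f"{kind}: {items}")
    else:
        print("screen jscreen matches baseline")
```

Only options that the status output reports can be checked this way. The destination-based session limit configured in this example does not appear in the status output above, so confirm it separately with the show tenants TN1 security screen command from configuration mode.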