Add a Screen
You are here: Security Policies & Objects > Zones/Screens.
To add a screen:
Table 1 describes the fields on the Add Screen page.
Field |
Action |
---|---|
Main | |
Screen name |
Enter a name for the screen object. |
Screen description |
Enter a description for the screen object. |
Generate alarms without dropping packet |
Select the check box to enable this feature. |
IP spoofing |
Select the check box to enable this feature. Specifies that you can enable IP address spoofing. IP spoofing is when a false source address is inserted in the packet header to make the packet appear to come from a trusted source. |
IP sweep |
Select the check box to enable this feature. Specifies the number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts. |
Threshold |
Enter the time interval for an IP sweep. Note:
If a remote host sends ICMP traffic to 10 addresses within this interval, an IP address sweep attack is flagged and further ICMP packets from the remote host are rejected. Range: 1000 through 1000000 microseconds. The default value is 5000 microseconds. |
Port scan |
Select the check box to enable this feature. Specifies the number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. |
Threshold |
Enter the time interval for a TCP port scan. Note:
If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. Range: 1000 through 1000000 microseconds. The default value is 5000 microseconds. |
MS-Windows Defense |
WinNuke attack protection—Select the check box to enable this feature. Note:
WinNuke is a DoS attack targeting any computer on the Internet running Windows operating system. |
IPv6 Check |
Enter the following details:
|
Denial of Service | |
Land attack protection |
Select the check box to enable this feature. Note:
Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. |
Teardrop attack protection |
Select the check box to enable this feature. Note:
Teardrop attacks exploit the reassembly of fragmented IP packets. |
ICMP fragment protection |
Select the check box to enable this feature. Note:
ICMP packets contain very short messages. There is no legitimate reason for ICMP packets to be fragmented. |
Ping of death attack protection |
Select the check box to enable this feature. Note:
A ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes). |
Large size ICMP packet protection |
Select the check box to enable this feature. |
Block fragment traffic |
Select the check box to enable this feature. |
SYN-ACK-ACK proxy protection |
Select the check box to enable this feature. |
Threshold |
Enter the threshold value for SYN-ACK-ACK proxy protection. Note:
The range is from 1 through 250000 sessions. The default value is 512 sessions. |
Anomalies | |
IP |
Enter the following details:
|
TCP |
Enter the following details:
|
Flood Defense | |
Limit sessions from the same source |
Enter the range within which the sessions are limited from the same source IP. Range: 1 through 50000 sessions. |
Limit sessions from the same destination |
Enter the range within which the sessions are limited from the same destination IP. The range is from 1 through 50000 sessions. Range: 1 through 8000000 sessions per second. The default value is 128 sessions. |
ICMP flood protection |
Select the check box to enable the Internet Control Message Protocol (ICMP) flood counter. Note:
An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed. |
Threshold |
Enter the threshold value for ICMP flood protection. Note:
Range: 1 through 4000000 ICMP pps. |
UDP flood protection |
Select the check box to enable the User Datagram Protocol (UDP) flood counter. Note:
UDP flooding occurs when an attacker sends IP packets containing UDP datagrams to slow system resources, such that valid connections can no longer be handled. |
Threshold |
Enter the threshold value for UDP flood protection. Note:
Range: 1 through 100000 session. The default value is 1000 sessions. |
UDP allowlist |
Note:
To edit an allowlist in the UDP White List page, select the allowlist name and click on the pencil icon. To delete an allowlist in the UDP White List page, select the allowlist name and click on the delete icon. |
SYN flood protection |
Select the check box to enable all the threshold and ager timeout options. Specifies that SYN flooding occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests. |
TCP allowlist |
Note:
To edit a allowlist in the TCP White List page, select the allowlist name and click on the pencil icon. To delete a allowlist in the TCP White List page, select the allowlist name and click on the delete icon. |
Attack threshold |
Enter a value to specify the number of SYN packets per second required to trigger the SYN proxy mechanism. Note:
Range: 1 through 1000000 proxied requests per second. The default attack threshold value is 625 pps. |
Alarm threshold |
Enter a value to specify the number of half-complete proxy connections per second at which the device makes entries in the event alarm log. Note:
Range: 1 through 1000000 segments per second. The default alarm threshold value is 250 pps. |
Source threshold |
Enter a value to specify the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number), before the device begins dropping connection requests from that source. Note:
Range: 4 through 1000000 segments per second. The default source threshold value is 25 pps. |
Destination threshold |
Enter a value to specify the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number. Note:
Range: 4 through 1000000 segments per second. The default destination threshold value is 0 pps. |
Ager timeout |
Enter a value to specify the maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you see any connections dropped during normal traffic conditions. Range: 1 through 50 seconds. The default value is 20 seconds. Note:
20 seconds is a reasonable length of time to hold incomplete connection requests. |
IPv6 EXT Header | |
Predefined Header Type |
Configure the following screen options:
|
Routing header |
Select the check box to enable the IPv6 routing header screen option. |
ESP header |
Select the check box to enable the IPv6 Encapsulating Security Payload header screen option. |
No-Next header |
Select the check box to enable the IPv6 no next header screen option. |
Mobility header |
Select the check box to enable the IPv6 mobility header screen option. |
Fragment header |
Select the check box to enable the IPv6 fragment header screen option. |
AH header |
Select the check box to enable the IPv6 Authentication Header screen option. |
Shim6 header |
Select the check box to enable the IPv6 shim header screen option. |
HIP header |
Select the check box to enable the IPv6 Host Identify Protocol header screen option. |
Customer Defined Header Type |
Enter a value to define the type of header range and click + to add it. Range: 0 through 255. To delete, select one or more header types and click X. |
IPv6 ext header limit |
Enter a value to set the number of IPv6 extension headers that can pass through the screen. Range: 0 through 32. |
Apply to Zones | |
Apply to Zones |
Select zones from the Available column and move them to the Selected column using the right arrow. |