
Add a Screen


To add a screen:

  1. Click the add icon (+) on the upper right side of the Screen List page.

    The Add Screen page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1 describes the fields on the Add Screen page.

Table 1: Fields on the Add Screen Page

Field

Action

Main

Screen name

Enter a name for the screen object.

Screen description

Enter a description for the screen object.

Generate alarms without dropping packet

Select the check box to enable this feature.

IP spoofing

Select the check box to enable this feature.

Enables protection against IP address spoofing, in which a false source address is inserted in the packet header to make the packet appear to come from a trusted source.

IP sweep

Select the check box to enable this feature.

Enables detection of ICMP address sweeps, which are sent with the intent of triggering responses from active hosts.

Threshold

Enter the time interval for an IP sweep.

Note:

If a remote host sends ICMP traffic to 10 addresses within this interval, an IP address sweep attack is flagged and further ICMP packets from the remote host are rejected.

Range: 1000 through 1000000 microseconds. The default value is 5000 microseconds.

Port scan

Select the check box to enable this feature.

Enables detection of TCP port scans, which probe the available services in the hope that at least one port responds, thus identifying a service to target.

Threshold

Enter the time interval for a TCP port scan.

Note:

If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected.

Range: 1000 through 1000000 microseconds. The default value is 5000 microseconds.

MS-Windows Defense

WinNuke attack protection—Select the check box to enable this feature.

Note:

WinNuke is a DoS attack targeting any computer on the Internet running the Windows operating system.

IPv6 Check

Enter the following details:

  • Malformed IPv6—Select this check box to enable the IPv6 malformed header intrusion detection service (IDS) option.

  • Malformed ICMPv6—Select this check box to enable the ICMPv6 malformed IDS option.

Denial of Service

Land attack protection

Select the check box to enable this feature.

Note:

Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Teardrop attack protection

Select the check box to enable this feature.

Note:

Teardrop attacks exploit the reassembly of fragmented IP packets.

ICMP fragment protection

Select the check box to enable this feature.

Note:

ICMP packets contain very short messages. There is no legitimate reason for ICMP packets to be fragmented.

Ping of death attack protection

Select the check box to enable this feature.

Note:

A ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).

Large size ICMP packet protection

Select the check box to enable this feature.

Block fragment traffic

Select the check box to enable this feature.

SYN-ACK-ACK proxy protection

Select the check box to enable this feature.

Threshold

Enter the threshold value for SYN-ACK-ACK proxy protection.

Note:

The range is from 1 through 250000 sessions. The default value is 512 sessions.

Anomalies

IP

Enter the following details:

  • Bad option—Select the check box to enable the bad IP options screen counter.

  • Security—Select the check box to enable the screen for the IP security option, the method by which hosts send security parameters.

  • Unknown protocol—Select the check box to enable the screen for packets with an unknown IP protocol.

  • Strict source route—Select the check box to enable the screen for the strict source route option, which carries the complete route list a packet must take on its journey from source to destination.

  • Source route—Select the check box to enable the screen for the source route option.

    The option lists the IP addresses of the devices, set at the source, that an IP transmission is allowed to pass through on its way to its destination.

  • Timestamp—Select the check box to enable the screen for the timestamp option, which records the time (in UTC) at which each network device receives the packet during its trip from the point of origin to its destination.

  • Stream—Select the check box to enable the screen for the stream option, a method for carrying the 16-bit SATNET stream identifier through networks that do not support streaming.

  • Loose source route—Select the check box to enable the screen for the loose source route option, which carries a partial route list for a packet to take on its journey from source to destination.

  • Record route—Select the check box to enable the screen for the record route option, which records the IP addresses of the network devices along the path that the IP packet travels.

TCP

Enter the following details:

  • SYN Fragment Protection—Select the check box to enable the screen for TCP SYN fragments.

  • SYN and FIN Flags Set Protection—Select the check box to enable the screen for TCP segments with both the SYN and FIN flags set.

    Note:

    When you enable this option, Junos OS checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.

  • FIN Flag Without ACK Flag Set Protection—Select the check box to enable the screen for TCP segments with the FIN flag set but no ACK flag set.

  • TCP Packet Without Flag Set Protection—Select the check box to enable the screen for TCP headers with no flags set.

    Note:

    A normal TCP segment header has at least one flag control set.

Flood Defense

Limit sessions from the same source

Enter the maximum number of sessions allowed from the same source IP address.

Range: 1 through 50000 sessions.

Limit sessions from the same destination

Enter the maximum number of sessions allowed to the same destination IP address. The range is from 1 through 50000 sessions.

Range: 1 through 8000000 sessions per second. The default value is 128 sessions.

ICMP flood protection

Select the check box to enable the Internet Control Message Protocol (ICMP) flood counter.

Note:

An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.

Threshold

Enter the threshold value for ICMP flood protection.

Note:

Range: 1 through 4000000 ICMP pps.

UDP flood protection

Select the check box to enable the User Datagram Protocol (UDP) flood counter.

Note:

UDP flooding occurs when an attacker sends IP packets containing UDP datagrams to slow system resources, such that valid connections can no longer be handled.

Threshold

Enter the threshold value for UDP flood protection.

Note:

Range: 1 through 100000 sessions. The default value is 1000 sessions.

UDP allowlist

  1. Click Select.

    The UDP Allowlist window appears.

  2. Click + to add IP addresses that you wish to allowlist.

    The Add Allowlist window appears.

  3. Enter the following details:

    • Name—Enter a Name to identify the group of IP addresses.

    • IPv4/IPv6 Address—Enter IPv4 or IPv6 address.

    • IPv4/IPv6 Address(es)—Lists the address that you have entered.

      Note:

      You can select the IP address and click X to delete it.

  4. Click OK to save the changes.

  5. In the UDP Allowlist page, select from the Available column the allowlist name you created in the Add Allowlist window and move it to the Selected column using the right arrow.

  6. Click OK to save the changes.

Note:
  • The UDP Allowlist option is enabled only if you select UDP flood protection.

  • The allowlist that you created in the UDP Allowlist window will be available in the TCP Allowlist window also for selection.

To edit an allowlist in the UDP Allowlist page, select the allowlist name and click on the pencil icon.

To delete an allowlist in the UDP Allowlist page, select the allowlist name and click on the delete icon.

SYN flood protection

Select the check box to enable all the threshold and ager timeout options.

SYN flooding occurs when a host is so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests.

TCP allowlist

  1. Click Select.

    The TCP Allowlist window appears.

  2. Click + to add IP addresses that you wish to allowlist.

    The Add Allowlist window appears.

  3. Enter the following details:

    • Name—Enter a Name to identify the group of IP addresses.

    • IPv4/IPv6 Address—Enter IPv4 or IPv6 address.

    • IPv4/IPv6 Address(es)—Lists the address that you have entered.

      Note:

      You can select the IP address and click X to delete it.

  4. Click OK to save the changes.

  5. In the TCP Allowlist page, select from the Available column the allowlist name you created in the Add Allowlist window and move it to the Selected column using the right arrow.

  6. Click OK to save the changes.

Note:
  • The TCP Allowlist option is enabled only if you select SYN flood protection.

  • The allowlist that you created in the TCP allowlist window will be available in the UDP Allowlist window also for selection.

To edit an allowlist in the TCP Allowlist page, select the allowlist name and click on the pencil icon.

To delete an allowlist in the TCP Allowlist page, select the allowlist name and click on the delete icon.

Attack threshold

Enter a value to specify the number of SYN packets per second required to trigger the SYN proxy mechanism.

Note:

Range: 1 through 1000000 proxied requests per second. The default attack threshold value is 625 pps.

Alarm threshold

Enter a value to specify the number of half-complete proxy connections per second at which the device makes entries in the event alarm log.

Note:

Range: 1 through 1000000 segments per second. The default alarm threshold value is 250 pps.

Source threshold

Enter a value to specify the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number), before the device begins dropping connection requests from that source.

Note:

Range: 4 through 1000000 segments per second. The default source threshold value is 25 pps.

Destination threshold

Enter a value to specify the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number.

Note:

Range: 4 through 1000000 segments per second. The default destination threshold value is 0 pps.

Ager timeout

Enter a value to specify the maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you see any connections dropped during normal traffic conditions.

Range: 1 through 50 seconds. The default value is 20 seconds.

Note:

20 seconds is a reasonable length of time to hold incomplete connection requests.
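The SYN flood fields above define five interacting controls: per-second rates that trigger proxying (attack threshold), alarms (alarm threshold) and drops (source and destination thresholds), plus the ager that expires half-completed connections. The model below is an added example, not J-Web or Junos code, showing how those controls act on a constructed burst of SYNs. It assumes the attack threshold is counted per destination address and port (the page says only "SYN packets per second"), treats a destination threshold of 0 as disabled to match the page's default, and lowers the attack and alarm thresholds in the demo so the effect is visible in a few dozen packets. Class, function and address values are ours.

```python
from collections import defaultdict


class SynFloodScreen:
    """Models the SYN flood protection thresholds and ager timeout.

    Defaults mirror the page: attack 625 pps, alarm 250 pps, source 25 pps,
    destination 0 (disabled), ager 20 s. Counting the attack threshold per
    (destination address, port) is an assumption, not something the page states.
    """

    def __init__(self, attack_threshold=625, alarm_threshold=250,
                 source_threshold=25, destination_threshold=0, ager_timeout_s=20):
        self.attack_threshold = attack_threshold
        self.alarm_threshold = alarm_threshold
        self.source_threshold = source_threshold
        self.destination_threshold = destination_threshold
        self.ager_timeout_s = ager_timeout_s
        self._counts = defaultdict(int)   # (second, kind, key) -> SYNs seen in that second
        self.half_open = {}               # (src, sport, dst, dport) -> time the SYN arrived
        self.alarms = []                  # (second, dst, dport) when the alarm threshold is crossed

    def syn(self, t, src, sport, dst, dport):
        """Process one SYN arriving at time t (seconds); returns 'pass', 'proxy' or 'drop'."""
        sec = int(t)
        self._counts[(sec, "src", src)] += 1
        self._counts[(sec, "dst", dst)] += 1
        self._counts[(sec, "svc", (dst, dport))] += 1
        # Source threshold: drop regardless of destination address and port
        if self._counts[(sec, "src", src)] > self.source_threshold:
            return "drop"
        # Destination threshold: drop regardless of destination port (0 disables it)
        if self.destination_threshold and self._counts[(sec, "dst", dst)] > self.destination_threshold:
            return "drop"
        self.half_open[(src, sport, dst, dport)] = t
        # Attack threshold: above it the device proxies the handshake for this service
        if self._counts[(sec, "svc", (dst, dport))] > self.attack_threshold:
            self._counts[(sec, "proxied", (dst, dport))] += 1
            # Alarm threshold: log once when half-complete proxied connections exceed it
            if self._counts[(sec, "proxied", (dst, dport))] == self.alarm_threshold + 1:
                self.alarms.append((sec, dst, dport))
            return "proxy"
        return "pass"

    def ack(self, src, sport, dst, dport):
        """Final ACK of the handshake: the connection is no longer half-open."""
        return self.half_open.pop((src, sport, dst, dport), None) is not None

    def age(self, now):
        """Ager: drop half-open entries older than the timeout; returns how many were dropped."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.ager_timeout_s]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def demo():
    """Constructed traffic (documentation-range addresses), thresholds lowered for visibility."""
    screen = SynFloodScreen(attack_threshold=5, alarm_threshold=2, source_threshold=25,
                            destination_threshold=0, ager_timeout_s=20)
    src, dst = "203.0.113.9", "192.0.2.10"
    # One source sends 30 SYNs to the same service within the first second:
    # 5 pass, the next 20 are proxied, the last 5 exceed the source threshold and drop.
    verdicts = [screen.syn(0.001 * i, src, 40000 + i, dst, 443) for i in range(30)]
    summary = {v: verdicts.count(v) for v in ("pass", "proxy", "drop")}
    completed = screen.ack(src, 40000, dst, 443)   # one client finishes its handshake
    aged_early = screen.age(now=10.0)               # nothing is older than 20 s yet
    aged_late = screen.age(now=25.0)                # every remaining half-open entry expires
    return {"verdicts": summary, "alarms": list(screen.alarms),
            "completed": completed, "aged_early": aged_early, "aged_late": aged_late}


if __name__ == "__main__":
    print(demo())
```

The ordering in `syn` is the point to notice: the source and destination thresholds are evaluated before the attack threshold, so a single abusive source is dropped outright and never consumes proxy capacity, while a distributed flood that stays under the per-source limit is what the proxy and ager have to absorb.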

IPv6 EXT Header

Predefined Header Type

Configure the following screen options:

  • Hop-by-Hop header—Select an option from the list, enter the value, and click + to add it.

    To delete, select one or more headers and click X.

  • Destination header—Select an option from the list, enter the value, and click + to add it.

    To delete, select one or more headers and click X.

Routing header

Select the check box to enable the IPv6 routing header screen option.

ESP header

Select the check box to enable the IPv6 Encapsulating Security Payload header screen option.

No-Next header

Select the check box to enable the IPv6 no next header screen option.

Mobility header

Select the check box to enable the IPv6 mobility header screen option.

Fragment header

Select the check box to enable the IPv6 fragment header screen option.

AH header

Select the check box to enable the IPv6 Authentication Header screen option.

Shim6 header

Select the check box to enable the IPv6 shim header screen option.

HIP header

Select the check box to enable the IPv6 Host Identity Protocol header screen option.

Customer Defined Header Type

Enter a header type value and click + to add it.

Range: 0 through 255.

To delete, select one or more header types and click X.

IPv6 ext header limit

Enter a value to set the number of IPv6 extension headers that can pass through the screen.

Range: 0 through 32.

Apply to Zones

Apply to Zones

Select zones from the Available column and move them to the Selected column using the right arrow.