Juniper SRX sample Internet screen configuration

Sample configuration for the screen and flow options in the sample deployment.
The configuration looks as follows:

root@SRX5800> show configuration security screen
/* Sample Internet-facing screen profile. Every threshold below is a sample value
   from the source deployment; baseline your own traffic before applying, since
   thresholds that are too low drop legitimate traffic and too high miss attacks.
   The profile only takes effect once bound to a zone (not shown on this page). */
ids-option Internet-Screen {
icmp {
/* Sweep detection: Junos documents the threshold as a time interval in
   microseconds within which a burst of ICMP to different hosts counts as a
   sweep — confirm the unit and packet count for the running release. */
ip-sweep threshold 1000;
fragment;
large;
/* ICMP flood threshold is packets per second. */
flood threshold 300;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
/* Anti-spoofing relies on the routing table: a source is rejected when the
   route back to it does not exit the ingress interface, so asymmetric routing
   can cause false positives — verify before enabling in production. */
spoofing;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
/* Port-scan threshold is also an interval (microseconds per Junos docs). */
port-scan threshold 1000;
/* SYN-flood parameters, all in SYN packets per second unless noted.
   The alarm threshold is below the attack threshold here; per Junos docs the
   alarm counts half-complete proxied connections once protection has
   triggered — confirm the interaction for your release. */
syn-flood {
alarm-threshold 750;
attack-threshold 2000;
source-threshold 50;
destination-threshold 1000;
/* Seconds a half-completed connection is held before it is dropped. */
timeout 30;
}
land;
winnuke;
tcp-sweep threshold 1000;
}
udp {
/* UDP flood threshold is packets per second. */
flood threshold 1000;
udp-sweep threshold 1000;
}
/* Concurrent-session caps. 100 per source IP is easily exceeded by a NAT'd
   site or a busy proxy; expect to raise it for legitimate many-to-one sources. */
limit-session {
source-ip-based 100;
destination-ip-based 25000;
}
}

root@SRX5800> show configuration security flow
/* SYN cookies instead of SYN proxying: the device does not hold state for
   unverified SYNs, which is the usual choice when the screen's syn-flood
   thresholds are expected to trigger. */
syn-flood-protection-mode syn-cookie;
/* Aggressive aging: once the session table reaches the high watermark (percent
   full), sessions idle for early-ageout seconds are reclaimed until utilisation
   drops to the low watermark. early-ageout 2 is very short — confirm it against
   your application idle patterns. */
aging {
early-ageout 2;
low-watermark 66;
high-watermark 80;
}
/* Enforce the TCP three-way handshake for new sessions; exact check semantics
   are release-dependent — confirm in the flow documentation. */
tcp-session {
strict-syn-check;
}

— From *Juniper SRX Series*, Sample Deployment
