
Example: Blocking IP Spoofing

This example shows how to configure a screen to block IP spoof attacks.


Before you begin, understand how IP Spoofing works. See Understanding IP Spoofing.


One method of attempting to gain access to a restricted area of a network is to insert a bogus source address in the packet header to make the packet appear to come from a trusted source. This technique is called IP spoofing.

In this example, you configure a screen called screen-1 to block IP spoof attacks and enable the screen in the zone-1 security zone.


Step-by-Step Procedure

To block IP spoofing:

  1. Configure the screen.
    [edit]
    user@host# set security screen ids-option screen-1 ip spoofing
  2. Enable the screen in the security zone.
    [edit]
    user@host# set security zones security-zone zone-1 screen screen-1
  3. If you are done configuring the device, commit the configuration.
    [edit]
    user@host# commit


To confirm that the configuration is working properly, perform these tasks:

Verifying the Screens in the Security Zone


Verify that the screen is enabled in the security zone.


From operational mode, enter the show security zones command.


user@host> show security zones
Security zone: zone-1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Screen: screen-1  
  Interfaces bound: 1

Verifying the Security Screen Configuration


Display the configuration information about the security screen.


From operational mode, enter the show security screen ids-option screen-name command.


user@host> show security screen ids-option screen-1
Screen object status:

  Name                      Value
  IP spoofing               enabled   
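
The two verification steps above can be scripted when many zones need checking. The following is an added example, not part of the original documentation: it parses saved output of both commands and lists zones that lack a screen with IP spoofing enabled. The sample text is constructed, zone-2 is hypothetical, and the code assumes a zone with no screen prints no Screen: line.

```python
import re

# Constructed sample output modeled on this page's command output;
# zone-2 is a hypothetical zone with no screen bound.
SHOW_ZONES = """\
Security zone: zone-1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: screen-1
  Interfaces bound: 1

Security zone: zone-2
  Policy configurable: Yes
  Interfaces bound: 1
"""
SHOW_SCREEN = """\
Screen object status:

  Name                      Value
  IP spoofing               enabled
"""


def parse_zones(text):
    """Map each security zone to its bound screen (None if no Screen line)."""
    zones, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Security zone":
            current = value.strip()
            zones[current] = None
        elif key == "Screen" and current is not None:
            zones[current] = value.strip()
    return zones


def spoofing_enabled(text):
    """True if the ids-option status table lists IP spoofing as enabled."""
    return re.search(r"^\s*IP spoofing\s+enabled\s*$", text, re.M) is not None


def audit(zones_text, screens):
    """Zones lacking a screen with IP spoofing enabled (screens: name -> output)."""
    return [zone for zone, screen in parse_zones(zones_text).items()
            if screen is None or not spoofing_enabled(screens.get(screen, ""))]


if __name__ == "__main__":
    print(audit(SHOW_ZONES, {"screen-1": SHOW_SCREEN}))
```
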


Published: 2012-10-05