screen
Syntax
screen {
    ids-option name {
        aggregation {
            destination-prefix-mask destination-prefix-mask;
            destination-prefix-v6-mask destination-prefix-v6-mask;
            source-prefix-mask source-prefix-mask;
            source-prefix-v6-mask source-prefix-v6-mask;
        }
        alarm-without-drop;
        description (Security Screen) description;
        icmp (Security Screen) {
            flood (Security ICMP) <threshold ICMP packets per second>;
            fragment;
            icmpv6-malformed;
            ip-sweep <threshold microseconds in which 10 ICMP packets are detected>;
            large;
            ping-death;
        }
        ip (Security Screen) {
            bad-option;
            block-frag;
            ipv6-extension-header {
                AH-header;
                destination-header {
                    home-address-option;
                    ILNP-nonce-option;
                    line-identification-option;
                    tunnel-encapsulation-limit-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                ESP-header;
                fragment-header;
                HIP-header;
                hop-by-hop-header {
                    CALIPSO-option;
                    jumbo-payload-option;
                    quick-start-option;
                    router-alert-option;
                    RPL-option;
                    SMF-DPD-option;
                    user-defined-option-type name {
                        to type-high;
                    }
                }
                mobility-header;
                no-next-header;
                routing-header;
                shim6-header;
                user-defined-header-type name {
                    to type-high;
                }
            }
            ipv6-extension-header-limit ipv6-extension-header-limit;
            ipv6-malformed-header;
            loose-source-route-option;
            record-route-option;
            security-option;
            source-route-option;
            spoofing;
            stream-option;
            strict-source-route-option;
            tear-drop;
            timestamp-option;
            tunnel (Security Screen) {
                bad-inner-header;
                gre {
                    gre-4in4;
                    gre-4in6;
                    gre-6in4;
                    gre-6in6;
                }
                ip-in-udp {
                    teredo;
                }
                ipip {
                    dslite;
                    ipip-4in4;
                    ipip-4in6;
                    ipip-6in4;
                    ipip-6in6;
                    ipip-6over4;
                    ipip-6to4relay;
                    isatap;
                }
            }
            unknown-protocol;
        }
        limit-session {
            by-destination {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            by-source {
                by-protocol {
                    icmp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    tcp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                    udp {
                        maximum-sessions maximum-sessions;
                        packet-rate packet-rate;
                        session-rate session-rate;
                    }
                }
                maximum-sessions maximum-sessions;
                packet-rate packet-rate;
                session-rate session-rate;
            }
            destination-ip-based destination-ip-based;
            source-ip-based source-ip-based;
        }
        match-direction (input | input-output | output);
        tcp (Security Screen) {
            fin-no-ack;
            land;
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            syn-ack-ack-proxy <threshold un-authenticated connections>;
            syn-fin;
            syn-flood {
                alarm-threshold requests per second;
                attack-threshold proxied requests per second;
                destination-threshold SYN pps;
                source-threshold SYN pps;
                timeout (Security Screen) seconds;
                white-list name {
                    destination-address [ destination-address ... ];
                    source-address [ source-address ... ];
                }
            }
            syn-frag;
            tcp-no-flag;
            tcp-sweep <threshold microseconds in which 10 TCP packets are detected>;
            winnuke;
        }
        udp (Security Screen) {
            flood (Security UDP) {
                threshold UDP packets per second;
                white-list [ white-list ... ];
            }
            port-scan <threshold microseconds in which 10 attack packets are detected>;
            udp-sweep <threshold microseconds in which 10 UDP packets are detected>;
        }
    }
    traceoptions (Security Screen) {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
    }
    trap <interval seconds>;
    white-list name {
        address [ address ... ];
    }
}
Hierarchy Level
[edit security]
[edit tenant tenant-name security]
Description
Configure security screen options. For each security zone, you can enable a set of predefined screen options that detect and block the various kinds of traffic the device determines to be potentially harmful.
Options
ids-option screen-name
    Configured at this hierarchy level.
trap
    Configure the trap interval. Enables or disables sending Simple Network Management Protocol (SNMP) notifications when the connection state changes. A trap is an unsolicited message sent from an SNMP agent to a remote network management system or trap receiver.
white-list
    Set of allowlisted IP addresses. Configure the allowlist of IP addresses that are exempt from the SYN cookie and SYN proxy mechanisms that take place during SYN flood screen protection. The allowlist contains known trusted IP addresses and URLs. Content downloaded from locations on the allowlist does not have to be inspected for malware.
The remaining statements are explained separately. See the CLI Explorer.
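As an added example (not from the original page or from Juniper's documentation), the following configuration builds one screen profile from the statements above, with SYN flood thresholds expressed in the units the syntax gives, a SYN flood allowlist, a per-source session limit and a trap interval, and then binds the profile to a security zone. The profile name untrust-screen, the allowlist name trusted-monitors, the zone name untrust, the 192.0.2.0/24 addresses and all threshold values are assumed sample values; the zone binding under [edit security zones] is outside this statement's hierarchy.

```junos
security {
    screen {
        ids-option untrust-screen {
            /* alarm-without-drop;  (enable while tuning: log matches without dropping them) */
            icmp {
                flood threshold 1000;       /* ICMP packets per second */
                ip-sweep threshold 5000;    /* microseconds in which 10 ICMP packets are detected */
                ping-death;
            }
            ip {
                spoofing;
                source-route-option;
                tear-drop;
                block-frag;
            }
            tcp {
                land;
                syn-fin;
                tcp-no-flag;
                port-scan threshold 5000;   /* microseconds in which 10 attack packets are detected */
                syn-flood {
                    alarm-threshold 512;         /* requests per second */
                    attack-threshold 200;        /* proxied requests per second */
                    source-threshold 1024;       /* SYN pps from one source */
                    destination-threshold 2048;  /* SYN pps to one destination */
                    timeout 20;                  /* seconds */
                    white-list trusted-monitors {
                        source-address [ 192.0.2.10/32 192.0.2.11/32 ];  /* constructed sample addresses */
                    }
                }
            }
            udp {
                flood threshold 5000;       /* UDP packets per second */
            }
            limit-session {
                by-source {
                    maximum-sessions 4096;
                    session-rate 200;
                }
            }
        }
        trap interval 60;                   /* seconds between SNMP screen traps */
    }
    zones {
        security-zone untrust {
            screen untrust-screen;          /* apply the profile to traffic entering this zone */
        }
    }
}
```

The screen takes effect only once it is applied to a zone; keep the profile in alarm-without-drop mode until the thresholds have been checked against normal traffic levels for that zone.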
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
The description option was added in Junos OS Release 12.1.
The tenant option was introduced in Junos OS Release 18.3R1.