Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets

    This topic describes how to configure mandatory reject rules for invalid fragments and fragmented IP packets that cannot be reassembled.

    • Before you begin, log in with your root account to an SRX Series device running Junos OS Release 12.1X44-D15.

    Note: You can enter the configuration commands in any order and commit all the commands at once.

    To configure mandatory reject rules:

    1. Specify the flow configuration to forcefully reassemble the IP fragments.
      [edit]user@host# set security flow force-ip-reassembly
    2. Delete the screen ID and the IDS options and enable the ICMP fragment IDS option.
      [edit]user@host# delete security screen ids-option trustScreen icmp fragment
    3. Delete the IP layer IDS option and enable the IP fragment blocking IDS option.
      [edit]user@host# delete security screen ids-option trustScreen ip block-frag

    Published: 2013-12-10