Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
This topic describes how to configure mandatory reject rules for invalid fragments and fragmented IP packets that cannot be reassembled.
Before you begin, log in with your root account on a Junos OS device running Junos OS Release 20.2R1 and edit the configuration.
You can enter the configuration commands in any order and commit all the commands at once.
To configure mandatory reject rules:
- Specify the flow configuration to forcefully reassemble the IP fragments.
  user@host# set security flow force-ip-reassembly
- Delete the screen ID and the IDS options and enable the ICMP fragment IDS option.
  user@host# delete security screen ids-option trustScreen icmp fragment
- Delete the IP layer IDS option and enable the IP fragment blocking IDS option.
  user@host# delete security screen ids-option trustScreen ip block-frag
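The following is an added example, not part of the original procedure: a Python check that reads configuration text in set format (for instance, saved output of `show configuration | display set`) and reports whether it matches the end state of the three commands above. The function name `audit` and both sample configurations are constructed for illustration.

```python
# Statements taken from the procedure, as token paths after the leading "set".
REQUIRED = ("security", "flow", "force-ip-reassembly")
MUST_BE_ABSENT = (("icmp", "fragment"), ("ip", "block-frag"))


def audit(set_config, screen="trustScreen"):
    """Return a list of findings; an empty list means the config matches the procedure."""
    prefix = ("security", "screen", "ids-option", screen)
    have_reassembly = False
    leftover = []
    for raw in set_config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "set":
            continue  # ignore blank lines and anything that is not a set statement
        path = tuple(tokens[1:])
        if path == REQUIRED:
            have_reassembly = True
        elif path[:4] == prefix and path[4:] in MUST_BE_ABSENT:
            leftover.append(" ".join(tokens))
    findings = []
    if not have_reassembly:
        findings.append("missing: set " + " ".join(REQUIRED))
    findings.extend("still present: " + line for line in leftover)
    return findings


# Constructed sample: configuration before the procedure is applied.
BEFORE = """\
set security screen ids-option trustScreen icmp fragment
set security screen ids-option trustScreen icmp ping-death
set security screen ids-option trustScreen ip block-frag
set security zones security-zone trust screen trustScreen
"""

# Constructed sample: configuration after the three commands are committed.
AFTER = """\
set security flow force-ip-reassembly
set security screen ids-option trustScreen icmp ping-death
set security zones security-zone trust screen trustScreen
"""

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit(cfg) or "matches the procedure")
```

The check looks only at the named screen (`trustScreen` by default) and does not account for statements marked inactive with `deactivate`.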