    Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets

    This topic describes how to configure mandatory reject rules for invalid fragments and fragmented IP packets that cannot be reassembled.

    • Before you begin, log in with your root account on a Junos OS device running Junos OS Release 12.1X46-D20 and edit the configuration.

    Note: You can enter the configuration commands in any order and commit all the commands at once.

    To configure mandatory reject rules:

    1. Specify the flow configuration to forcefully reassemble the IP fragments.
      [edit]
      user@host# set security flow force-ip-reassembly
    2. Delete the screen ID and the IDS options and enable the ICMP fragment IDS option.
      [edit]
      user@host# delete security screen ids-option trustScreen icmp fragment
    3. Delete the IP layer IDS option and enable the IP fragment blocking IDS option.
      [edit]
      user@host# delete security screen ids-option trustScreen ip block-frag
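
    To confirm after commit that the configuration is in the state these three commands leave it, the following added example (not part of the original Juniper topic) checks the text output of `show configuration | display set`. It follows the commands exactly as shown above: one `set` and two `delete` operations. The function names and sample configurations are constructed for illustration.

```python
import shlex

# State each statement is in after the three commands on this page
# (True = present and active, False = absent). trustScreen is the
# screen name used in those commands.
EXPECTED = {
    ("security", "flow", "force-ip-reassembly"): True,
    ("security", "screen", "ids-option", "trustScreen", "icmp", "fragment"): False,
    ("security", "screen", "ids-option", "trustScreen", "ip", "block-frag"): False,
}

def active_statements(display_set_text):
    """Return the statement paths that are set and not deactivated."""
    present, inactive = set(), set()
    for raw in display_set_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *path = shlex.split(line)
        if verb == "set":
            present.add(tuple(path))
        elif verb == "deactivate":
            inactive.add(tuple(path))
    # Deactivating a parent path also disables everything beneath it.
    return {p for p in present
            if not any(p[:len(d)] == d for d in inactive)}

def check(display_set_text):
    """Map each expected statement to True when the config matches."""
    active = active_statements(display_set_text)
    return {" ".join(path): (path in active) == want
            for path, want in EXPECTED.items()}

# Constructed sample inputs, not captured from a real device.
SAMPLE_BEFORE = """\
set security screen ids-option trustScreen icmp fragment
set security screen ids-option trustScreen ip block-frag
set security screen ids-option trustScreen tcp land
"""
SAMPLE_AFTER = """\
set security flow force-ip-reassembly
set security screen ids-option trustScreen tcp land
"""
SAMPLE_INACTIVE = SAMPLE_AFTER + "deactivate security flow force-ip-reassembly\n"

if __name__ == "__main__":
    for name, ok in check(SAMPLE_AFTER).items():
        print("OK  " if ok else "FAIL", name)
```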

    Modified: 2014-05-28