Screen Options for User Logical Systems
Screen options on SRX Series devices protect against attacks such as IP address sweeps, port scans, denial-of-service (DoS) attacks, and ICMP, UDP, and SYN floods. For more information, see the following topics:
Understanding Logical Systems Screen Options
Junos OS screen options secure a zone by inspecting, then allowing or denying, all connection attempts that require crossing an interface bound to that zone. Junos OS then applies firewall policies, which can contain content filtering and IDP components, to the traffic that passes the screen filters.
All screen options available on the device are available in each logical system. A user logical system administrator can configure and view all screen options in their own user logical system. The master administrator can configure screen options for the master logical system and for every user logical system, and can view the screen options configured in every user logical system.
Example: Configuring Screen Options for a User Logical System
This example shows how to configure screen options for a user logical system.
Before you begin:
Log in to the user logical system as the user logical system administrator. See User Logical Systems Configuration Overview.
Configure zones for the user logical system. See Example: Configuring Security Zones for a User Logical System.
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
You can limit the number of concurrent sessions to the same destination IP address in a user logical system. Setting a destination-based session limit can ensure that Junos OS allows only an acceptable number of concurrent connection requests—no matter what the source—to reach any one host. When the number of concurrent connection requests to an IP address surpasses the limit, Junos OS blocks further connection attempts to that IP address. This example creates the screen options described in Table 1.
Table 1: User Logical System Screen Options Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure destination-based session limits in a user logical system:
- Log in to the user logical system as the logical system administrator and enter configuration mode.

  lsdesignadmin1@host:ls-product-design> configure
  lsdesignadmin1@host:ls-product-design#

- Configure a screen option for a destination-based session limit.

  [edit security]
  lsdesignadmin1@host:ls-product-design# set screen ids-option limit-destination-sessions limit-session destination-ip-based 80

- Set the security zone for the screen option.

  [edit security]
  lsdesignadmin1@host:ls-product-design# set zones security-zone ls-product-design-untrust screen limit-destination-sessions
From configuration mode, confirm your configuration by entering the show security screen and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
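The following is an added worked example, not configuration text from the original page: it collects the two configuration statements of this procedure as quick-configuration set commands, shows the stanza that show security screen and show security zones display once they are committed, and adds the checks a practitioner would run. The alarm-without-drop statement and the statistics command are standard Junos OS screen features used here as suggestions for tuning the limit; they are not part of the procedure above. Comment lines (##, #) are explanatory and are not meant to be pasted.

```junos
## Quick configuration: paste at the [edit] prompt while logged in to the
## ls-product-design user logical system as lsdesignadmin1, then commit.
## 80 is the per-destination concurrent-session limit from the procedure;
## size it to the busiest host the zone protects, because sessions above
## the limit are dropped regardless of source.
set security screen ids-option limit-destination-sessions limit-session destination-ip-based 80
set security zones security-zone ls-product-design-untrust screen limit-destination-sessions

## Optional while tuning (suggestion, not part of the procedure): generate
## the screen alarm without dropping sessions, so a limit set too low does
## not itself deny service. Remove it once the threshold is confirmed.
# set security screen ids-option limit-destination-sessions alarm-without-drop

## Validate the candidate configuration, then commit it.
commit check
commit

## What "show security screen" and "show security zones" display at the
## [edit] prompt after the commit (other configuration omitted):
screen {
    ids-option limit-destination-sessions {
        limit-session {
            destination-ip-based 80;
        }
    }
}
zones {
    security-zone ls-product-design-untrust {
        screen limit-destination-sessions;
    }
}

## Operational check from the same logical system: per-zone screen
## counters. Compare the destination-session counter before and after
## opening more than 80 concurrent sessions to one host behind the zone.
run show security screen statistics zone ls-product-design-untrust
```

The limit applies to the zone the screen is bound to, so it only takes effect for traffic that enters through an interface in ls-product-design-untrust. The master administrator can create or inspect the same objects for this user logical system from the master logical system under the [edit logical-systems ls-product-design security] hierarchy.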