Global Options

You are here: Configure > Security Services > Security Policy > Rules.

Procedure

To add global options:

  1. Click Global Options available on the upper right side of the Rules page.

    The Global Options page appears.

  2. Complete the configuration according to the guidelines provided in Table 185.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 185 describes the fields on the Global Options page.

Table 185: Fields on the Global Options Page

Policy Options

| Field | Action |
| --- | --- |
| Default policy action | Select a value from the list. Specifies the action that overrides the protocol-specific actions; this action is non-terminating. The options are permit-all and deny-all. |
| Policy rematch | Select the check box. Specifies that a policy that has just been modified is added to a deferred action list for reevaluation. For every session associated with the policy, the device reevaluates the policy lookup. If the policy is different from the one associated with the session, the device drops the session. If the policy matches, the session continues. |
| Extensive | Select the check box. |
| Unified Policy Explicit Match | Select the check box. |
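To make the Policy rematch behaviour concrete, here is an added Python model of a session table being reevaluated after a rule change. It is not code from this page or from Juniper: the policy and session shapes, the ordered first-match lookup, the constructed addresses, and the choice to treat a session whose policy now denies as "different" are all assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    """One rule in an ordered rulebase (assumed shape, not the product's data model)."""
    name: str
    src: str                 # source prefix in CIDR notation
    dst: str                 # destination prefix in CIDR notation
    dport: Optional[int]     # None means any destination port
    action: str              # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Session:
    sid: int
    src_ip: str
    dst_ip: str
    dport: int
    policy: str              # name of the policy the session was created under


def lookup(policies: list, src_ip: str, dst_ip: str, dport: int) -> Optional[Policy]:
    """Ordered first-match lookup, the way a rulebase is normally evaluated."""
    for p in policies:
        if p.matches(src_ip, dst_ip, dport):
            return p
    return None


def rematch(policies: list, sessions: list, rematch_enabled: bool):
    """Reevaluate every existing session after a policy change.

    With rematch off, existing sessions keep flowing under the policy they were
    created with. With it on, the lookup is repeated for each session and the
    session is dropped when the result is a different policy (modelled here as a
    different name, or a policy that no longer permits the traffic).
    """
    kept, dropped = [], []
    for s in sessions:
        if not rematch_enabled:
            kept.append(s)
            continue
        p = lookup(policies, s.src_ip, s.dst_ip, s.dport)
        if p is not None and p.name == s.policy and p.action == "permit":
            kept.append(s)
        else:
            dropped.append(s)
    return kept, dropped


def demo(rematch_enabled: bool):
    """Constructed scenario: an operator narrows a permit rule while sessions exist."""
    policies = [
        Policy("allow-web", "10.0.0.0/24", "192.0.2.0/24", 443, "permit"),
        Policy("catch-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
    ]
    sessions = [
        Session(1, "10.0.0.5", "192.0.2.10", 443, "allow-web"),
        Session(2, "10.0.0.200", "192.0.2.10", 443, "allow-web"),
    ]
    # The modification: allow-web now covers only the first half of the subnet.
    policies[0].src = "10.0.0.0/25"
    kept, dropped = rematch(policies, sessions, rematch_enabled)
    return [s.sid for s in kept], [s.sid for s in dropped]


if __name__ == "__main__":
    print("rematch on :", demo(True))
    print("rematch off:", demo(False))
```

The point for a defender is the second call: with rematch disabled, session 2 keeps flowing under the old, wider rule until it ages out, so tightening a policy does not by itself cut existing connections. Enabling rematch closes such sessions promptly, at the cost of also dropping long-lived legitimate flows whose rule was edited.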

Flow - Main

| Field | Action |
| --- | --- |
| Early ageout | Enter a value from 1 through 65,535 seconds. The default value is 20 seconds. Specifies the amount of time before the device aggressively ages out a session from its session table. |
| High watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process begins. |
| Low watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process ends. |
| Enable SYN cookie protection | Select the check box. Enables SYN cookie defenses against SYN attacks. |
| Enable SYN proxy protection | Select the check box. Enables SYN proxy defenses against SYN attacks. |
| Allow DNS reply | Select the check box. Specifies that an incoming DNS reply packet without a matched request is allowed. |
| Force IP reassembly | Reassembles all fragmented IP packets before forwarding them. |
| Enable Routing Mode | Enables routing mode on uPIM and ePIM ports that correspond to the interfaces that will carry the VPLS traffic. |
| Route change to nonexistent route timeout | Enter a value from 6 through 1800 seconds. Specifies the session timeout value on a route change to a nonexistent route. |
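The three aging fields (Early ageout, High watermark, Low watermark) act together as a hysteresis loop, which is easier to see in a simulation than in three separate table rows. The following Python model is an added example, not code from this page or from the product: the table capacity, the constructed sessions, and the exact comparisons used to enter (utilisation at or above the high watermark) and leave (utilisation at or below the low watermark) aggressive mode are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class AgingConfig:
    """The three Flow - Main aging fields, validated against the ranges in the table."""
    early_ageout: int = 20      # seconds, 1 through 65,535
    high_watermark: int = 100   # percent, 0 through 100
    low_watermark: int = 100    # percent, 0 through 100

    def __post_init__(self):
        if not 1 <= self.early_ageout <= 65535:
            raise ValueError("early ageout must be 1 through 65535 seconds")
        if not 0 <= self.low_watermark <= self.high_watermark <= 100:
            raise ValueError("watermarks must be 0 through 100 percent, low <= high")


@dataclass
class Session:
    sid: int
    last_seen: int   # time of the last packet, in seconds
    timeout: int     # the session's normal idle timeout in seconds


class SessionTable:
    """Fixed-capacity session table with an ager that models the watermark logic."""

    def __init__(self, capacity: int, cfg: AgingConfig):
        self.capacity = capacity
        self.cfg = cfg
        self.sessions = {}
        self.aggressive = False

    def utilisation(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, s: Session) -> None:
        if len(self.sessions) >= self.capacity:
            raise RuntimeError("session table full")
        self.sessions[s.sid] = s

    def age(self, now: int) -> list:
        """One pass of the ager.

        Aggressive mode starts when utilisation reaches the high watermark and
        stops once it falls to the low watermark; between the two the previous
        mode persists (hysteresis, an assumption of this model). In aggressive
        mode a session is removed after early_ageout idle seconds instead of
        waiting for its normal timeout.
        """
        util = self.utilisation()
        if util >= self.cfg.high_watermark:
            self.aggressive = True
        elif util <= self.cfg.low_watermark:
            self.aggressive = False
        expired = []
        for sid, s in list(self.sessions.items()):
            limit = min(s.timeout, self.cfg.early_ageout) if self.aggressive else s.timeout
            if now - s.last_seen >= limit:
                expired.append(sid)
                del self.sessions[sid]
        return expired


def demo():
    """Constructed scenario: a 10-slot table fills with sessions of varying idleness."""
    cfg = AgingConfig(early_ageout=20, high_watermark=90, low_watermark=70)
    table = SessionTable(capacity=10, cfg=cfg)
    for sid in range(10):
        # session sid has been idle for 5 * sid seconds at time 100
        table.add(Session(sid=sid, last_seen=100 - 5 * sid, timeout=1800))
    first = table.age(now=100)        # 100% full: aggressive pass, 20 s limit
    aggressive_first = table.aggressive
    second = table.age(now=130)       # 40% full: back to the 1800 s timeouts
    return {
        "first_expired": first,
        "aggressive_first": aggressive_first,
        "second_expired": second,
        "aggressive_second": table.aggressive,
        "remaining": sorted(table.sessions),
    }


if __name__ == "__main__":
    print(demo())
```

With the page's defaults (both watermarks at 100 percent) aggressive aging engages only when the table is completely full. Lowering the high watermark buys headroom during a session flood, but the early ageout value then decides how quickly idle legitimate sessions are discarded, and a low watermark above the high one makes no sense, which is why the model rejects it.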

Flow - TCP MSS

| Field | Action |
| --- | --- |
| Enable MSS override for all packets | Select the check box. Enables maximum segment size override for all TCP packets for network traffic. Enter a maximum segment size value from 64 through 65,535. |
| Enable MSS override for all GRE packets coming out of an IPSec tunnel | Select the check box. Enables maximum segment size override for all generic routing encapsulation (GRE) packets exiting an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |
| Enable MSS override for all GRE packets entering an IPsec tunnel | Select the check box. Enables maximum segment size override for all GRE packets entering an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |
| Enable MSS override for all packets entering IPSec tunnel | Select the check box. Enables maximum segment size override for all packets entering an IPsec tunnel. Enter a maximum segment size value from 64 through 65,535 bytes. The default value is 1320 bytes. |

Flow - TCP Session

| Field | Action |
| --- | --- |
| Disable sequence-number checking | Select the check box. Disables checking of sequence numbers in TCP segments during stateful inspection. By default, the device monitors the sequence numbers in TCP segments. |
| Strict SYN-flag check | Select the check box. Enables the strict three-way handshake check for the TCP session. This check enhances security by dropping data packets before the three-way handshake is done. By default, this check is disabled. |
| Disable SYN-flag check | Select the check box. Disables the checking of the TCP SYN bit before creating a session. By default, the device checks that the SYN bit is set in the first packet of a session; if it is not set, the device drops the packet. |
| Disable SYN-flag check (tunnel packets) | Select the check box. Disables the first-packet check for the SYN flag when forming a TCP flow session. |
| RST invalidate session | Select the check box. Specifies that a session is marked for immediate termination when it receives a TCP RST segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval: for TCP, the session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute. |
| RST sequence check | Select the check box. Specifies that the TCP sequence number in a TCP segment with the RST bit set is checked: it must match the previous sequence number for a packet in that session or be the next higher number in sequence. |
| TCP Initial Timeout | Select the check box. Specifies the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet. |
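The four flag-check options above describe what the device does with individual TCP segments, and the differences are clearest when the same packet sequences are run against different settings. The following Python model of one flow session is an added example, not code from this page or from Juniper: the state names, the per-direction sequence tracking, the constructed packet sequences, and the decision to treat a data-carrying handshake-completing ACK as "data before the handshake is done" are all assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class TcpChecks:
    """Check box settings from the Flow - TCP Session table, with the defaults it states."""
    syn_check: bool = True             # cleared by "Disable SYN-flag check"
    strict_syn_check: bool = False     # "Strict SYN-flag check"
    rst_invalidate_session: bool = False
    rst_sequence_check: bool = False


class Flow:
    """Minimal model of one TCP flow session as a stateful firewall tracks it."""

    def __init__(self, checks: TcpChecks):
        self.checks = checks
        self.state = "NONE"      # NONE -> SYN -> SYN_ACK -> ESTABLISHED, or CLOSED
        self.last_seq = {}       # direction -> (seq, next seq) of the last accepted segment

    def _note(self, direction, flags, seq, length):
        # SYN and FIN each consume one sequence number in addition to the payload.
        self.last_seq[direction] = (seq, seq + length + ("S" in flags) + ("F" in flags))

    def handle(self, direction, flags, seq, length=0):
        """Return a verdict string for one segment and update the session state."""
        c = self.checks
        if self.state == "CLOSED":
            return "drop: session invalidated"
        if self.state == "NONE":
            if "S" not in flags:
                if c.syn_check:
                    return "drop: first packet without SYN"
                self.state = "ESTABLISHED"     # session created from a mid-stream packet
            else:
                self.state = "SYN_ACK" if "A" in flags else "SYN"
            self._note(direction, flags, seq, length)
            return "pass"
        if "R" in flags:
            if c.rst_sequence_check:
                prev, nxt = self.last_seq.get(direction, (None, None))
                if seq not in (prev, nxt):
                    return "drop: RST sequence mismatch"   # session stays up
            if c.rst_invalidate_session:
                self.state = "CLOSED"
                return "pass: session terminated immediately"
            return "pass: session ages out on normal timeout"
        if self.state == "SYN" and flags >= {"S", "A"}:
            self.state = "SYN_ACK"
        elif self.state == "SYN_ACK" and "A" in flags and "S" not in flags:
            if length and c.strict_syn_check:
                return "drop: data before handshake completed"
            self.state = "ESTABLISHED"
        elif self.state in ("SYN", "SYN_ACK") and length and c.strict_syn_check:
            return "drop: data before handshake completed"
        self._note(direction, flags, seq, length)
        return "pass"


def run(checks, packets):
    """Feed constructed (direction, flags, seq[, length]) tuples through one flow."""
    f = Flow(checks)
    return [f.handle(*p) for p in packets]


HANDSHAKE = [("c2s", {"S"}, 1000), ("s2c", {"S", "A"}, 5000), ("c2s", {"A"}, 1001)]


def scenarios():
    out = {}
    # A mid-stream ACK as the first packet: rejected by default, accepted if the check is off.
    out["midstream_default"] = run(TcpChecks(), [("c2s", {"A"}, 1001)])
    out["midstream_nosyncheck"] = run(TcpChecks(syn_check=False), [("c2s", {"A"}, 1001)])
    # Payload riding on the ACK that completes the handshake.
    early = [("c2s", {"S"}, 1000), ("s2c", {"S", "A"}, 5000), ("c2s", {"A", "P"}, 1001, 100)]
    out["early_data_default"] = run(TcpChecks(), early)
    out["early_data_strict"] = run(TcpChecks(strict_syn_check=True), early)
    # A RST whose sequence number does not fit the session.
    rst_bad = HANDSHAKE + [("s2c", {"R"}, 9999)]
    out["rst_bad_default"] = run(TcpChecks(), rst_bad)
    out["rst_bad_seqcheck"] = run(TcpChecks(rst_sequence_check=True), rst_bad)
    # A RST that fits, with immediate invalidation: the next segment has no session.
    rst_good = HANDSHAKE + [("s2c", {"R"}, 5001), ("s2c", {"A"}, 5001)]
    out["rst_good_invalidate"] = run(
        TcpChecks(rst_invalidate_session=True, rst_sequence_check=True), rst_good)
    return out


if __name__ == "__main__":
    for name, verdicts in scenarios().items():
        print(f"{name}: {verdicts}")
```

Two of the results are worth pausing on. Clearing the SYN-flag check lets any stray ACK open a session, which is the accommodation the option exists for (asymmetric paths, failover) and also the reason it weakens the stateful guarantee. Pairing RST sequence check with RST invalidate session means a reset with the wrong sequence number is ignored while a genuine one tears the session down at once, rather than leaving it to the 30-minute TCP timeout the table describes.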

Pre-id Default Policy

Session Timeout

| Field | Action |
| --- | --- |
| ICMP | Type the interval in seconds from 4 through 86400. |
| ICMP6 | Type the interval in seconds from 4 through 86400. |
| OSPF | Type the interval in seconds from 4 through 86400. |
| Others | Type the interval in seconds from 4 through 86400. |
| TCP | Type the interval in seconds from 4 through 86400. |
| UDP | Type the interval in seconds from 4 through 86400. |

Log

| Field | Action |
| --- | --- |
| Enable Session init | Select the check box to enable Session init. |
| Enable Session close | Select the check box to enable Session close. |

NGFW Options

| Field | Action |
| --- | --- |
| Default SSL Profile | Select the default SSL profile. |
