Global Options


Procedure

To add global options:

  1. Click Global Options available on the upper right side of the Security Policies page.

    The Global Options page appears.

  2. Complete the configuration according to the guidelines provided in Table 248.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 248 describes the fields on the Global Options page.

Table 248: Fields on the Global Options Page

Each entry below gives the field name followed by the action to take.

Pre-id Default Policy

  Session Timeout

    ICMP: Enter the timeout value for ICMP sessions, from 4 through 86400 seconds.

    ICMP6: Enter the timeout value for ICMP6 sessions, from 4 through 86400 seconds.

    OSPF: Enter the timeout value for OSPF sessions, from 4 through 86400 seconds.

    TCP: Enter the timeout value for TCP sessions, from 4 through 86400 seconds.

    UDP: Enter the timeout value for UDP sessions, from 4 through 86400 seconds.

    Others: Enter the timeout value for all other sessions, from 4 through 86400 seconds.

  Logging

    Session Initiate: Enable this option to log at the beginning of a session.

      Warning: Configuring session-init logging for the pre-id-default-policy can generate a large volume of logs.

    Session Close: Enable this option to log at the close of a session.

      Note: Configuring session-close logging ensures that the SRX device generates the security logs if a flow is unable to leave the pre-id-default-policy.

Flow

  Aggressive Session Aging

    Note: This option is not supported for logical systems and tenants.

    Early Ageout: Enter a value from 1 through 65,535 seconds. The default value is 20 seconds. Specifies how long the device waits before aggressively aging out a session from its session table.

    Low watermark: Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process ends.

    High watermark: Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process begins.

  SYN Flood Protection

    SYN Flood Protection: Enable this option to defend against SYN flood attacks.

    Mode: Select one of the following options:

      • Cookie—Uses a cryptographic hash to generate a unique Initial Sequence Number (ISN). This is the default.

      • Proxy—Uses a proxy to handle the SYN attack.

  TCP MSS

    All TCP Packets: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all TCP packets in network traffic.

    Packets entering IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all packets entering an IPsec tunnel. The default value is 1320 bytes.

    GRE Packets entering IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all generic routing encapsulation (GRE) packets entering an IPsec tunnel. The default value is 1320 bytes.

    GRE Packets exiting IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all generic routing encapsulation (GRE) packets exiting an IPsec tunnel. The default value is 1320 bytes.

  TCP Session

    Sequence number check: Enabled by default. The device checks the sequence numbers in TCP segments during stateful inspection.

    SYN flag check: Enabled by default. The device checks that the SYN bit is set in the first packet of a session before creating the session. If it is not set, the device drops the packet.
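The following model of the Aggressive Session Aging fields is an added example and is not Juniper code or the device's actual implementation. It assumes constructed per-protocol session timeouts and a session table of a given capacity, and shows how the early ageout and the two watermarks interact on one aging pass.

```python
from dataclasses import dataclass

# Constructed per-protocol session timeouts in seconds, standing in for the
# Session Timeout fields; these are illustrative values, not Junos defaults.
SESSION_TIMEOUTS = {"tcp": 1800, "udp": 60, "icmp": 60, "icmp6": 60,
                    "ospf": 60, "others": 60}


@dataclass
class AgingConfig:
    """Aggressive Session Aging fields with the ranges and defaults from Table 248."""
    early_ageout: int = 20       # 1 through 65,535 seconds
    low_watermark: int = 100     # 0 through 100 percent: aggressive aging ends here
    high_watermark: int = 100    # 0 through 100 percent: aggressive aging begins here

    def validate(self) -> None:
        if not 1 <= self.early_ageout <= 65535:
            raise ValueError("early ageout must be 1..65535 seconds")
        for name in ("low_watermark", "high_watermark"):
            if not 0 <= getattr(self, name) <= 100:
                raise ValueError(f"{name} must be 0..100 percent")
        # Assumption of this model: the end threshold cannot exceed the start threshold.
        if self.low_watermark > self.high_watermark:
            raise ValueError("low watermark must not exceed high watermark")


@dataclass
class Session:
    name: str
    proto: str
    last_seen: int   # time (seconds) of the last packet seen on this session


def age_sessions(sessions, now, capacity, cfg=None):
    """Return the sessions that survive one aging pass at time `now`.

    Normal aging drops any session idle longer than its protocol timeout.
    If table usage is then at or above the high watermark, aggressive aging
    also drops the idlest sessions that have been idle for at least
    `early_ageout` seconds, until usage falls to the low watermark.
    """
    cfg = cfg or AgingConfig()
    cfg.validate()
    alive = [s for s in sessions if now - s.last_seen
             < SESSION_TIMEOUTS.get(s.proto, SESSION_TIMEOUTS["others"])]

    def usage_percent():
        return 100 * len(alive) / capacity

    if usage_percent() >= cfg.high_watermark:
        alive.sort(key=lambda s: s.last_seen)   # idlest session first
        while (alive and usage_percent() > cfg.low_watermark
               and now - alive[0].last_seen >= cfg.early_ageout):
            alive.pop(0)
    return alive
```

With the default 100/100 watermarks, aggressive aging only runs once the table is completely full; lowering the high watermark starts it earlier at the cost of dropping idle but still-valid sessions.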
