Global Options
You are here: Security Policies & Objects > Security Policies.
To add global options:
- Click Global Options available on the upper right side of the Security Policies page. The Global Options page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel.
Table 1 describes the fields on the Global Options page.
Table 1: Fields on the Global Options Page
Field | Action |
---|---|
Pre-id Default Policy | |
Session Timeout | |
ICMP | Enter the timeout value for ICMP sessions ranging from 4 through 86400 seconds. |
ICMP6 | Enter the timeout value for ICMP6 sessions ranging from 4 through 86400 seconds. |
OSPF | Enter the timeout value for OSPF sessions ranging from 4 through 86400 seconds. |
TCP | Enter the timeout value for TCP sessions ranging from 4 through 86400 seconds. |
UDP | Enter the timeout value for UDP sessions ranging from 4 through 86400 seconds. |
Others | Enter the timeout value for other sessions ranging from 4 through 86400 seconds. |
Logging | |
Session Initiate | Enable this option to start logging at the beginning of a session. Warning: Configuring session-init logging for the pre-id-default-policy can generate a large number of logs. |
Session Close | Enable this option to log a session when it closes. Note: Configuring session-close logging ensures that the SRX device generates the security logs if a flow is unable to leave the pre-id-default-policy. |
Flow | |
Aggressive Session Aging. Note: This option is not supported for logical systems and tenants. | |
Early Ageout | Enter a value from 1 through 65,535 seconds. The default value is 20 seconds. Specifies the amount of time before the device aggressively ages out a session from its session table. |
Low watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process ends. |
High watermark | Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session table capacity at which the aggressive aging-out process begins. |
SYN Flood Protection | |
SYN Flood Protection | Enable this option to defend against SYN attacks. |
Mode | Select one of the following options: |
TCP MSS | |
All TCP Packets | Enter a maximum segment size value from 64 through 65,535 to override all TCP packets for network traffic. |
Packets entering IPsec Tunnel | Enter a maximum segment size value from 64 through 65,535 bytes to override all packets entering an IPsec tunnel. The default value is 1320 bytes. |
GRE Packets entering IPsec Tunnel | Enter a maximum segment size value from 64 through 65,535 bytes to override all generic routing encapsulation packets entering an IPsec tunnel. The default value is 1320 bytes. |
GRE Packets exiting IPsec Tunnel | Enter a maximum segment size value from 64 through 65,535 bytes to override all generic routing encapsulation packets exiting an IPsec tunnel. The default value is 1320 bytes. |
TCP Session | |
Sequence number check | By default, this option is enabled to check sequence numbers in TCP segments during stateful inspections. The device monitors the sequence numbers in TCP segments. |
SYN flag check | By default, this option is enabled to check the TCP SYN bit before creating a session. The device checks that the SYN bit is set in the first packet of a session. If it is not set, the device drops the packet. |
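
How the Early Ageout, Low watermark and High watermark fields in Table 1 interact, as an added example that is not Juniper code: a simplified Python model of the start/stop behavior of aggressive session aging. The function names, the exact boundary comparisons, the low-not-above-high check and the sample utilization values are assumptions made for illustration.

```python
# Simplified model (an assumption, not Junos code) of the watermark
# behavior described in the Aggressive Session Aging rows of Table 1.

def validate(early_ageout, low_wm, high_wm):
    """Check values against the ranges stated in Table 1."""
    errors = []
    if not 1 <= early_ageout <= 65535:
        errors.append("early ageout must be 1 through 65535 seconds")
    for name, wm in (("low", low_wm), ("high", high_wm)):
        if not 0 <= wm <= 100:
            errors.append(f"{name} watermark must be 0 through 100 percent")
    # Assumption of this model: aging should end at or below its start point.
    if low_wm > high_wm:
        errors.append("low watermark should not exceed high watermark")
    return errors


def aging_states(utilization, low_wm, high_wm):
    """Return, per utilization sample, whether aggressive aging is active.

    Aging begins when session table utilization reaches the high watermark
    and stays on until utilization falls below the low watermark.
    """
    active, states = False, []
    for pct in utilization:
        if not active and pct >= high_wm:
            active = True
        elif active and pct < low_wm:
            active = False
        states.append(active)
    return states


# Constructed sample: session table utilization (percent) during a flood.
SAMPLE = [40, 75, 92, 96, 85, 72, 65, 50]

if __name__ == "__main__":
    print("errors :", validate(20, 70, 90))
    print("90/70  :", aging_states(SAMPLE, low_wm=70, high_wm=90))
    print("100/100:", aging_states(SAMPLE, low_wm=100, high_wm=100))
```

With both watermarks left at the default of 100 percent, the model never starts aggressive aging for this sample, because utilization never reaches a full session table.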