Configuring Stateful Access Control
To configure stateful access control, you can define certain timeout values, limit the number of half-open connections, and change the default alert, as well as enable an audit trail and define inspection lists.
Defining Flow Timeout Values
The JUNOSe stateful firewall enables you to define timeout values for specific states of a Domain Name System (DNS), ICMP, TCP, and UDP flow.
ip inspect dns-timeout
- Example
host1(config)#ip inspect dns-timeout 300
- Use the no version to restore the default value of 5 seconds.
ip inspect icmp idle-time
- Example
host1(config)#ip inspect icmp idle-time 5000
- Use the no version to restore the default value of 10 seconds.
ip inspect tcp
- synwait-time: Length of time, in seconds, the software waits for a new TCP session to reach the established state before dropping the session
- finwait-time: Length of time, in seconds, a TCP session is managed after the firewall detects a FIN exchange
- idle-time: Length of time, in seconds, a TCP session is managed when there is no activity
- Example 1
host1(config)#ip inspect tcp synwait-time 55
- Example 2
host1(config)#ip inspect tcp finwait-time 20
- Example 3
host1(config)#ip inspect tcp idle-time 6000
- Use the no version to restore the default value of the timer.
ip inspect udp idle-time
- Example
host1(config)#ip inspect udp idle-time 100
- Use the no version to restore the default value of 30 seconds.
Limiting the Number of Half-Open Sessions
You can specify limits for the number of concurrent half-open sessions and the session establishment rate for those sessions. For TCP connections, you can also specify a limit for any destination host, as well as block connections to a targeted host after reaching that limit.
ip inspect max-incomplete
- Use to define the number of half-open (incomplete) sessions that cause the router to start deleting half-complete sessions (the high value) and stop deleting half-complete sessions (the low value).
- When the high value is reached, the router drops the oldest half-open session before it allows a new one.
- When the low value is reached, the router no longer drops half-open sessions before it allows new sessions.
- Example 1
host1(config)#ip inspect max-incomplete high 800
- Example 2
host1(config)#ip inspect max-incomplete low 200
- Use the no version to restore the high default value (500) or the low default value (400).
ip inspect one-minute
- Use to define the rate of new connection attempts, measured over the preceding minute, at which the router starts deleting half-complete sessions (the high value) and stops deleting half-complete sessions (the low value).
- When the high value is reached, the router drops the oldest half-open session before it allows a new one.
- When the low value is reached, the router no longer drops half-open sessions before it allows new sessions.
- Example 1
host1(config)#ip inspect one-minute high 800
- Example 2
host1(config)#ip inspect one-minute low 200
- Use the no version to restore the high default value (500) or the low default value (400).
ip inspect tcp max-incomplete host
- Use to define the maximum number of half-open TCP connections that the router allows to the same destination before it begins removing sessions, and an amount of time that the router disallows all connections to an affected host after removing sessions to that host.
- A block-time value of zero (the default) begins removing the oldest incomplete sessions as the router meets the specified limit for half-open TCP connections to a specific host.
- A positive block-time value removes all half-open TCP connections to the host when the specified limit is reached and disallows connections to that host for the specified amount of time. Legitimate clients are refused during the block window as well, so a flood of spoofed SYNs aimed at one host can be used to deny service to that host; choose the limit and the block-time with that trade-off in mind.
- Example
host1(config)#ip inspect tcp max-incomplete host 3000 block-time 3
- Use the no version to restore the session number default value (250) or the block-time default value (0).
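To make the interplay of the high and low marks, and the difference between a zero and a positive block-time, concrete, the following is an added Python model; it is not JUNOSe code and not taken from the Juniper documentation. It simulates the behaviour the ip inspect max-incomplete and ip inspect tcp max-incomplete host descriptions above give, driven by constructed traffic. The class and method names, the time unit of block-time, the order in which the per-host and aggregate limits are applied, and the choice to refuse the SYN that triggers a block are assumptions of the model.

```python
"""Model of the JUNOSe half-open session limits (added illustration, not
JUNOSe code). It follows the behaviour described for ip inspect
max-incomplete high/low and ip inspect tcp max-incomplete host N
block-time T; names, the time unit of block-time, the check order and the
treatment of the SYN that triggers a block are assumptions of this model."""
from collections import OrderedDict


class HalfOpenTable:
    """Tracks TCP sessions that have seen a SYN but not completed the handshake."""

    def __init__(self, high=500, low=400, host_limit=250, block_time=0):
        self.high = high                # ip inspect max-incomplete high
        self.low = low                  # ip inspect max-incomplete low
        self.host_limit = host_limit    # ip inspect tcp max-incomplete host N
        self.block_time = block_time    # block-time T (time unit left abstract)
        self.sessions = OrderedDict()   # session id -> destination host; insertion order = age
        self.per_host = {}              # destination host -> half-open count
        self.blocked_until = {}         # destination host -> time the block expires
        self.deleting = False           # True from reaching high until falling to low

    def _add(self, sid, host):
        self.sessions[sid] = host
        self.per_host[host] = self.per_host.get(host, 0) + 1

    def _remove(self, sid):
        host = self.sessions.pop(sid)
        self.per_host[host] -= 1
        if self.per_host[host] == 0:
            del self.per_host[host]
        # Hysteresis: deletion mode ends only once the count is down to low.
        if self.deleting and len(self.sessions) <= self.low:
            self.deleting = False

    def new_syn(self, sid, host, now):
        """Apply the per-host limit, then the aggregate limit, to a new SYN."""
        if now < self.blocked_until.get(host, 0):
            return "blocked"                      # inside a block-time window
        verdict = "allowed"
        if self.per_host.get(host, 0) >= self.host_limit:
            to_host = [s for s, h in self.sessions.items() if h == host]
            if self.block_time == 0:
                self._remove(to_host[0])          # default: evict the oldest to that host
                verdict = "allowed-after-host-evict"
            else:
                for s in to_host:                 # flush all of them, then block the host
                    self._remove(s)
                self.blocked_until[host] = now + self.block_time
                return "blocked"                  # model choice: the trigger SYN is refused too
        if len(self.sessions) >= self.high:
            self.deleting = True
        if self.deleting:
            self._remove(next(iter(self.sessions)))  # oldest half-open session overall
            verdict = "allowed-after-evict"
        self._add(sid, host)
        return verdict

    def complete(self, sid):
        """Handshake finished or timer expired: the session is no longer half-open."""
        self._remove(sid)


def run_scenario():
    """Constructed traffic against small thresholds; returns the observations."""
    out = {}
    t = HalfOpenTable(high=4, low=2, host_limit=3, block_time=5)
    for i in range(4):                            # fill the table to the high mark
        t.new_syn(f"s{i}", f"h{i}", now=0)
    out["at_high"] = len(t.sessions)
    out["fifth"] = t.new_syn("s4", "h4", now=1)   # the oldest (s0) is dropped first
    out["s0_gone"] = "s0" not in t.sessions
    t.complete("s1")
    t.complete("s2")                              # count falls to low: deletion stops
    out["deleting_after_drain"] = t.deleting
    out["between_marks"] = t.new_syn("s5", "h5", now=2)

    b = HalfOpenTable(high=100, low=50, host_limit=2, block_time=5)
    b.new_syn("a1", "victim", now=0)
    b.new_syn("a2", "victim", now=0)
    out["third_to_host"] = b.new_syn("a3", "victim", now=1)   # limit hit: flush and block
    out["victim_half_open"] = b.per_host.get("victim", 0)
    out["during_block"] = b.new_syn("a4", "victim", now=3)
    out["other_host_during_block"] = b.new_syn("a5", "other", now=3)
    out["after_block"] = b.new_syn("a6", "victim", now=6)

    e = HalfOpenTable(high=100, low=50, host_limit=2, block_time=0)
    e.new_syn("b1", "victim", now=0)
    e.new_syn("b2", "victim", now=0)
    out["evict_mode"] = e.new_syn("b3", "victim", now=1)      # b1 evicted, b3 admitted
    out["evict_survivors"] = sorted(e.sessions)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the two points the command descriptions make but do not illustrate: once the high mark is reached the table never grows, each new SYN costs the oldest half-open session until completions or timeouts bring the count down to the low mark, and a positive block-time empties the target host's half-open sessions and refuses every new connection to it, legitimate or not, until the window expires, while other hosts are unaffected.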