[Contents] [Prev] [Next] [Index] [Report an Error]

[edit security] Hierarchy Level

security {
alg {
dns {
disable;
traceoptions flag all <extensive>;
}
ftp {
disable;
traceoptions flag all <extensive>;
}
h323 {
disable;
application-screen {
message-flood {
gatekeeper threshold messages-per-second;
}
unknown-message {
permit-nat-applied;
permit-routed;
}
}
endpoint-registration-timeout seconds;
media-source-port-any;
traceoptions {
flag flag <flag-modifier>;
}
}
mgcp {
disable;
application-screen {
connection-flood threshold requests-per-second;
message-flood threshold messages-per-second;
unknown-message {
permit-nat-applied;
permit-routed;
}
}
inactive-media-timeout seconds;
maximum-call-duration minutes;
traceoptions {
flag flag <extensive>;
}
transaction-timeout seconds;
}
msrpc {
disable;
traceoptions flag all <extensive>;
}
pptp {
disable;
traceoptions flag all <extensive>;
}
real {
disable;
traceoptions flag all <extensive>;
}
rsh {
disable;
traceoptions flag all <extensive>;
}
rtsp {
disable;
traceoptions flag all <extensive>;
}
sccp {
disable;
application-screen {
call-flood threshold calls-per-second;
unknown-message {
permit-nat-applied;
permit-routed;
}
}
inactive-media-timeout seconds;
traceoptions {
flag flag <extensive>;
}
}
sip {
disable;
application-screen {
protect {
deny {
all;
destination-ip {
address;
}
timeout seconds;
}
}
unknown-message {
permit-nat-applied;
permit-routed;
}
}
c-timeout minutes;
disable-call-id-hiding;
inactive-media-timeout seconds;
maximum-call-duration minutes;
retain-hold-resource;
t1-interval milliseconds;
t4-interval seconds;
traceoptions {
flag flag <flag-modifier>;
}
}
sql {
disable;
traceoptions flag all <extensive>;
}
sunrpc {
disable;
traceoptions flag all <extensive>;
}
talk {
disable;
traceoptions flag all <extensive>;
}
tftp {
disable;
traceoptions flag all <extensive>;
}
}
authentication-key-chains {
key-chain key-chain-name {
description text-description;
key key-id {
secret secret-data;
start-time YYYY-MM-DD.hh:mm;
}
tolerance seconds;
}
}
certificates {
cache-size bytes;
cache-timeout-negative seconds;
certification-authority ca-profile-name {
ca-name certificate-authority-name;
crl filename;
encoding (binary | pem);
enrollment-url url-name;
file certificate-filename;
ldap-url url-name;
}
enrollment-retry number;
local certificate-filename;
maximum-certificates number;
path-length bytes;
}
firewall-authentication {
traceoptions {
flag flag <flag-modifier>;
}
}
flow {
aging {
early-ageout seconds;
high-watermark percentage;
low-watermark percentage;
}
allow-dns-reply;
route-change-timeout seconds;
syn-flood-protection-mode (syn-cookie | syn-proxy);
tcp-mss {
all-tcp {
mss number;
}
gre-in {
mss number;
}
gre-out {
mss number;
}
ipsec-vpn {
mss number;
}
}
tcp-session {
no-sequence-check;
no-syn-check;
no-syn-check-in-tunnel;
rst-invalidate-session;
rst-sequence-check;
tcp-initial-timeout seconds;
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
packet-filter filter-name {
destination-port port-identifier;
destination-prefix address;
interface interface-name;
protocol protocol-identifier;
source-port port-identifier;
source-prefix address;
}
rate-limit messages-per-second;
}
}
idp {
active-policy policy-name;
custom-attack {
... custom-attack-configuration ...
}
custom-attack-group group-name {
group-members [ group-and-attack-names ];
}
dynamic-attack-group group-name {
filters {
category {
values [ values ];
}
direction {
values [ any client-to-server exclude-any exclude-client-to-server exclude-server-to-client server-to-client ];
}
false-positives {
values [ frequently occasionally rarely unknown ];
}
performance {
values [ fast normal slow unknown ];
}
products {
values [ values ];
}
recommended;
service {
values [ values ];
}
severity {
values [ critical info major minor warning ];
}
type {
values [ anomaly signature ];
}
}
idp-policy policy-name {
... idp-policy-configuration ...
}
security-package {
automatic {
enable;
interval hours;
start-time MM-DD.hh:mm;
}
url url;
}
sensor-configuration {
... sensor-configuration-configuration ...
}
ssl-inspection {
sessions number;
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
}
flag all;
level severity;
no-remote-trace;
}
custom-attack attack-name {
attack-type {
anomaly {
direction (any | client-to-server | server-to-client);
service service-name;
shellcode (all | intel | no-shellcode | sparc);
test test-condition;
}
chain {
expression boolean-expression;
member member-name {
attack-type {
(anomaly | signature);
}
}
order;
protocol-binding {
application application-name;
icmp;
ip {
protocol-number transport-layer-protocol-number;
}
rpc {
program-number rpc-program-number;
}
tcp {
minimum-port port-number maximum-port port-number;
}
udp {
minimum-port port-number maximum-port port-number;
}
}
reset;
scope (session | transaction);
}
signature {
context context-name;
direction (any | client-to-server | server-to-client);
negate;
pattern signature-pattern;
protocol {
icmp {
code {
match (equal | greater-than | less-than | not-equal);
value code-value;
}
data-length {
match (equal | greater-than | less-than | not-equal);
value data-length;
}
identification {
match (equal | greater-than | less-than | not-equal);
value identification-value;
}
sequence-number {
match (equal | greater-than | less-than | not-equal);
value sequence-number;
}
type {
match (equal | greater-than | less-than | not-equal);
value type-value;
}
}
ip {
destination {
match (equal | greater-than | less-than | not-equal);
value hostname;
}
identification {
match (equal | greater-than | less-than | not-equal);
value identification-value;
}
ip-flags {
(df | no-df);
(mf | no-mf);
(rb | no-rb);
}
protocol {
match (equal | greater-than | less-than | not-equal);
value transport-layer-protocol-id;
}
source {
match (equal | greater-than | less-than | not-equal);
value hostname;
}
tos {
match (equal | greater-than | less-than | not-equal);
value type-of-service-in-decimal;
}
total-length {
match (equal | greater-than | less-than | not-equal);
value length-of-ip-datagram;
}
ttl {
match (equal | greater-than | less-than | not-equal);
value time-to-live;
}
}
tcp {
ack-number {
match (equal | greater-than | less-than | not-equal);
value acknowledgment-number;
}
data-length {
match (equal | greater-than | less-than | not-equal);
value tcp-data-length;
}
destination-port {
match (equal | greater-than | less-than | not-equal);
value port-number;
}
header-length {
match (equal | greater-than | less-than | not-equal);
value header-length;
}
mss {
match (equal | greater-than | less-than | not-equal);
value maximum-segment-size;
}
option {
match (equal | greater-than | less-than | not-equal);
value tpc-option;
}
sequence-number {
match (equal | greater-than | less-than | not-equal);
value sequence-number;
}
source-port {
match (equal | greater-than | less-than | not-equal);
value port-number;
}
tcp-flags {
(ack | no-ack);
(fin | no-fin);
(psh | no-psh);
(r1 | no-r1);
(r2 | no-r2);
(rst | no-rst);
(syn | no-syn);
(urg | no-urg);
}
urgent-pointer {
match (equal | greater-than | less-than | not-equal);
value urgent-pointer;
}
window-scale {
match (equal | greater-than | less-than | not-equal);
value window-scale-factor;
}
window-size {
match (equal | greater-than | less-than | not-equal);
value window-size;
}
}
udp {
data-length {
match (equal | greater-than | less-than | not-equal);
value udp-data-length;
}
destination-port {
match (equal | greater-than | less-than | not-equal);
value port-number;
}
source-port {
match (equal | greater-than | less-than | not-equal);
value port-number;
}
}
}
protocol-binding {
application application-name;
icmp;
ip {
protocol-number transport-layer-protocol-number;
}
rpc {
program-number rpc-program-number;
}
tcp {
minimum-port port-number maximum-port port-number;
}
udp {
minimum-port port-number maximum-port port-number;
}
}
regexp regular-expression;
shell-code (all | intel | no-shellcode | sparc);
}
recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
severity (critical | info | major | minor | warning);
time-binding {
count count-value;
scope (destination | peer | source);
}
}
}
idp-policy policy-name {
rulebase-exempt {
rule rule-name {
description text;
match {
attacks {
custom-attack-groups [ group-names ];
custom-attacks [ attack-names ];
dynamic-attack-groups [ group-names ];
predefined-attack-groups [ group-names ];
predefined-attacks [ attack-names ];
}
destination-address [ names ];
destination-except [ names ];
from-zone zone-name;
source-address [ names ];
source-except [ names ];
to-zone zone-name;
}
}
}
rulebase-ips {
rule rule-name {
description text;
match {
application application-name;
attacks {
custom-attack-groups [ group-names ];
custom-attacks [ attack-names ];
dynamic-attack-groups [ group-names ];
predefined-attack-groups [ group-names ];
predefined-attacks [ attack-names ];
}
destination-address [ addresses ];
destination-except [ addresses ];
from-zone zone-name;
source-address [ addresses ];
source-except [ addresses ];
to-zone zone-name;
}
terminal;
then {
action {
(close-client | close-client-and-server | close-server | drop-connection | drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);
}
ip-action {
(ip-block | ip-close | ip-notify);
log;
target (destination-address | service | source-address | source-zone | zone-service);
timeout seconds;
}
notification {
log-attacks {
alert;
}
}
severity (critical | info | major | minor | warning);
}
}
}
}
sensor-configuration {
application-identification {
disable;
(application-system-cache | no-application-system-cache);
application-system-cache-timeout value;
max-packet-memory value;
max-sessions value;
max-tcp-session-packet-memory value;
max-udp-session-packet-memory value;
}
detector {
protocol-name protocol-name {
tunable-name tunable-name {
tunable-value value;
}
}
}
flow {
(allow-icmp-without-flow | no-allow-icmp-without-flow);
fifo-max-size value;
hash-table-size bytes;
(log-errors | no-log-errors);
max-timers-poll-ticks value;
reject-timeout value;
(reset-on-policy | no-reset-on-policy);
udp-anticipated-timeout value;
}
global {
(enable-all-qmodules | no-enable-all-qmodules);
(enable-packet-pool | no-enable-packet-pool);
memory-limit-percent percentage;
(policy-lookup-cache | no-policy-lookup-cache);
}
ips {
(detect-shellcode | no-detect-shellcode);
fifo-max-size value;
(ignore-regular-expression | no-ignore-regular-expression);
log-supercede-min minimum-value;
(pre-filter-shellcode | no-pre-filter-shellcode);
(process-ignore-s2c | no-process-ignore-s2c);
(process-override | no-process-override);
process-port port-number;
}
log {
cache-size size;
suppression {
disable;
(include-destination-address | no-include-destination-address);
max-logs-operate value;
max-time-report value;
start-log value;
}
}
re-assembler {
(ignore-memory-overflow | no-ignore-memory-overflow);
ignore-reassembly-overflow;
max-flow-mem value;
max-packet-mem value;
}
}
}
ike {
gateway gateway-name {
address [ addresses-or-hostnames ];
dead-peer-detection {
always-send;
interval seconds;
threshold number;
}
dynamic {
connections-limit number;
distinguished-name {
container container-name;
wildcard wildcard;
}
hostname hostname;
ike-user-type (group-ike-id | shared-ike-id);
inet ipv4-address;
user-at-hostname “email-address”;
}
external-interface interface-name;
ike-policy policy-name;
local-identity (distinguished-name | hostname hostname | inet ipv4-address | user-at-hostname “email-address”);
nat-keepalive seconds;
no-nat-traversal;
xauth access-profile profile-name;
}
policy (address | policy-name) {
certificate {
local-certificate certificate-identifier;
peer-certificate-type (pkcs7 | x509-signature);
trusted-ca (ca-index | use-all);
}
description policy-description;
encoding (binary | pem);
identity identity-name;
local-certificate certificate-filename;
local-key-pair private-public-key-file;
mode (aggressive | main);
pre-shared-key (ascii-text key | hexadecimal key);
proposal-set (basic | compatible | standard);
proposals [ proposal-names ];
}
proposal ike-proposal-name {
authentication-algorithm (md5 | sha1 | sha-256);
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2 | group5);
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
lifetime-seconds seconds;
}
respond-bad-spi number;
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
}
}
ipsec {
policy ipsec-policy-name {
description description;
perfect-forward-secrecy {
keys (group1 | group2 | group5);
}
proposal-set (basic | compatible | standard);
proposals [ proposal-names ];
}
proposal ipsec-proposal-name {
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
description description;
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
lifetime-kilobytes kilobytes;
lifetime-seconds seconds;
protocol (ah | bundle | esp);
}
security-association sa-name {
description description;
dynamic {
ipsec-policy policy-name;
replay-window-size (32 | 64);
}
manual {
direction (bidirectional | inbound | outbound) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi spi-index;
encryption {
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
key (ascii-text key | hexadecimal key);
}
protocol (ah | bundle | esp);
spi spi-index;
}
}
mode (transport | tunnel);
}
traceoptions {
flag flag;
}
vpn vpn-name {
bind-interface interface-name;
df-bit (clear | copy | set);
establish-tunnels (immediately | on-traffic);
ike {
gateway gateway-name;
idle-time seconds;
install-interval seconds;
ipsec-policy policy-name;
no-anti-replay;
proxy-identity {
local ip-prefix</prefix-length>;
remote ip-prefix</prefix-length>;
service service-name;
}
}
manual {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
encryption {
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
key (ascii-text key | hexadecimal key);
}
external-interface interface-name;
gateway address;
protocol (ah | esp);
spi spi-index;
}
vpn-monitor {
destination-ip address;
optimized;
source-interface interface-name;
}
vpn-monitor-options {
interval seconds;
threshold failures;
}
}
}
nat {
destination {
... destination-configuration ...
}
destination-nat nat-name (address address <port port-number> | address-range low address high address);
interface interface-name {
allow-incoming;
proxy-arp {
address {
address;
}
address-range {
low address high address;
}
}
source-nat {
pool pool-name {
address {
address;
}
address-range {
low address high address;
}
allow-incoming;
host-address-low address-prefix;
no-port-translation;
overflow-pool (interface | pool-name);
}
}
static-nat ip-prefix/prefix-length host ip-prefix</prefix-length> <virtual-router hostname>;
}
proxy-arp {
interface interface-name {
address ip-address to ip-address;
}
}
source {
... source-configuration ...
}
source-nat {
address-persistent;
pool-set pool-set-name {
pool pool-name;
}
pool-utilization-alarm {
clear-threshold number;
raise-threshold number;
}
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag <syslog>;
no-remote-trace;
}
destination {
pool pool-name {
address <ip-address> (to ip-address | port port-number);
routing-instance routing-instance-name;
}
rule-set rule-set-name {
from (interface [ interface-names ] | routing-instance [ routing-instance-names ] | zone [ zone-names ]);
rule rule-name {
match {
destination-address destination-address;
destination-port port-number;
source-address [ source-addresses ];
}
then {
destination-nat (off | pool pool-name);
}
}
}
}
source {
address-persistent;
pool pool-name {
address ip-address to ip-address;
host-address-base ip-address;
overflow-pool (interface | ip-address);
port no-translation | range high ip-address low ip-address;
routing-instance ip-address;
}
pool-utilization-alarm {
clear-threshold threshold-value;
raise-threshold threshold-value;
}
rule-set rule-set-name {
from (interface [ interface-names ] | routing-instance [ routing-instance-names ] | zone [ zone-names ]);
rule rule-name {
match {
destination-address destination-address;
source-address [ source-addresses ];
}
then {
source-nat (off | pool pool-name);
}
}
to (interface [ interface-names ] | routing-instance [ routing-instance-names ] | zone [ zone-names ]);
}
}
}
pki {
auto-re-enrollment {
certificate-id certificate-id {
ca-profile-name profile-name;
challenge-password password;
re-enroll-trigger-time-percentage percentage;
re-generate-keypair;
}
}
ca-profile ca-profile-name {
administrator {
email-address email-address;
}
ca-identity ca-identifier;
enrollment {
retry attempts;
retry-interval seconds;
url url;
}
revocation-check {
disable;
crl {
disable on-download-failure;
refresh-interval hours;
url url-name {
password password;
}
}
}
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
}
}
policies {
default-policy {
(deny-all | permit-all);
}
from-zone zone-name to-zone zone-name {
... from-zone-configuration ...
}
policy-rematch;
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
}
from-zone zone-name to-zone zone-name {
policy policy-name {
match {
application [ application-names-or-sets ];
destination-address [ addresses <any> ];
source-address [ addresses <any> ];
}
scheduler-name scheduler-name;
then {
count {
alarm per-second-threshold bytes per-minute-threshold kilobytes;
}
(deny | permit {... permit-configuration ...} | reject);
permit {
application-services {
idp;
redirect-wx;
reverse-redirect-wx;
utm-policy;
}
destination-address {
drop-translated;
drop-untranslated;
}
destination-nat nat-name;
firewall-authentication {
pass-through {
access-profile profile-name;
client-match user-or-group-name;
web-redirect;
}
web-authentication (
client-match user-or-group-name;
}
}
source-nat {
(interface | pool pool-name | pool-set pool-set-name);
}
tunnel {
ipsec-vpn vpn-name;
pair-policy policy-name;
}
}
log {
session-close;
session-init;
}
}
}
}
}
screen {
ids-option screen-name {
alarm-without-drop;
icmp {
flood <threshold packets-per-second>;
fragment;
ip-sweep <threshold packets-per-microsecond>;
large;
ping-death;
}
ip {
bad-options;
block-frag;
loose-source-route-option;
record-route-option;
security-option;
source-route-option;
spoofing;
stream-option;
strict-source-route-option;
tear-drop;
timestamp-option;
unknown-protocol;
}
limit-session {
destination-ip-based number-of-sessions;
source-ip-based number-of-sessions;
}
tcp {
fin-no-ack;
land;
port-scan <threshold packets-per-microsecond>;
syn-ack-ack-proxy <threshold number-of-connections>;
syn-fin;
syn-flood {
alarm-threshold requests-per-second;
attack-threshold requests-per-second;
destination-threshold packets-per-second;
source-threshold packets-per-second;
timeout seconds;
}
syn-frag;
tcp-no-flag;
winnuke;
}
udp {
flood <threshold packets-per-second>;
}
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
}
}
ssh-known-hosts {
fetch-from-server (hostname | address);
host (hostname | address) {
dsa-key key;
rsa-key key:
rsa1-key key;
}
load-key-file filename;
}
traceoptions {
file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
flag flag;
no-remote-trace;
rate-limit rate;
}
zones {
functional-zone management {
host-inbound-traffic {
protocols {
protocol-name <except>;
}
system-services {
service-name <except>;
}
}
interfaces {
interface-name {
host-inbound-traffic {
protocols {
protocol-name <except>;
}
system-services {
service-name <except>;
}
}
}
}
screen screen-name;
}
security-zone zone-name {
address-book {
address address-name (ip-prefix</prefix-length> | dns-name dns-address-name);
address-set set-name {
address address-name;
}
}
host-inbound-traffic {
protocols {
protocol-name <except>;
}
system-services {
service-name <except>;
}
}
interfaces {
interface-name {
host-inbound-traffic {
protocols {
protocol-name <except>;
}
system-services {
service-name <except>;
}
}
}
}
screen object-name;
tcp-rst;
}
}
}
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.