Configuring Firewall Screen Options (J-Web Procedure)

You can use J-Web to quickly configure firewall screen options.

To configure screen options using the J-Web configuration editor:

1. Select Configure>Security>Zones. The Zones/Screens Configuration screen appears.
2. In the Screens list section, click Add to define screen objects. The screen objects page appears.
3. Fill in the screen options as shown in Table 198.
4. Click one of the following buttons:
   • To apply the configuration and return to the main Configuration page, click OK.
   • To cancel your entries and return to the main page, click Cancel.

     Table 200: Firewall Screen Configuration Options

     Field	Function	Action
     Screen
     Screen name	Name of the screen object.	Specify a unique name for the screen object you are defining.
     Generate alarms without dropping packet	Generates alarms without dropping packets.	Select this check box to enable alarm generation without dropping packets.
     Scan/Spoof/Sweep Defense
     IP spoofing	Enables scanning for IP address spoofing. IP spoofing is when a false source address is inserted in the packet header to make the packet appear to come from a trusted source.	Select this check box to enable scanning for IP address spoofing.
     IP sweep	Number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts.	Select this check box to enable IP address sweep. Configure a threshold time interval (in microseconds). If a remote host sends ICMP traffic to 10 addresses within this interval, an address sweep attack is flagged and further ICMP packets from the remote host are rejected. Valid values are between 1000 and 1,000,000 microseconds. The default value is 5000 microseconds.
     Port scan	Number of TCP port scans. The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.	Select this check box to enable port scanning. Configure a threshold time interval (in microseconds). If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. Valid values are between 1000 and 1,000,000 microseconds. The default value is 5000 microseconds.
     MS-Windows Defense
     WinNuke attack protection	Number of Transport Control Protocol (TCP) WinNuke attacks. WinNuke is a DoS attack targeting any computer on the Internet running Windows.	Select this check box to enable the WinNuke attack protection option.
     Denial of Service Defense
     Land attack protection	Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.	Select this check box to enable the land attack protection option.
     Teardrop attack protection	Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets.	Select this check box to enable the teardrop protection option.
     ICMP fragment protection	Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.	Select this check box to enable the ICMP fragment protection option.
     Ping of death attack protection	ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).	Select this check box to enable the ping of death attack protection option.
     Large size ICMP packet protection	Number of large ICMP packets.	Select this check box to enable large (size >1024) ICMP packet protection option.
     Block fragment traffic	Number of IP block fragments.	Select this check box to enable IP fragment blocking.
     SYN-ACK-ACK proxy protection	Number of TCP flags enabled with SYN-ACK-ACK. This is designed to prevent flooding with SYN-ACK-ACK sessions. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, JUNOS Software rejects further connection requests from that IP address.	Select this check box to enable the SYN-ACK-ACK proxy protection screen option. Configure the threshold value between 1 and 250000 unauthenticated connections. The default value is 512.
     Anomalies: IP
     Bad option	Number of bad options counter.	Select this check box to enable the IP with bad option IDs screen option.
     Timestamp	Records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.	Select this check box to enable the IP with timestamp option.
     Security	Provides a way for hosts to send security.	Select this check box to enable the IP with security option.
     Stream	Provides a way for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept.	Select this check box to enable the IP with stream option.
     Unknown protocol	Number of internet protocols (IP) that are unknown.	Select this check box to enable the Unknown Protocol Protection option.
     Loose Source Route Option	Specifies a partial route list for a packet to take on its journey from source to destination.	Select this check box to enable IP with loose source route option.
     Strict source route	Specifies the complete route list for a packet to take on its journey from source to destination.	Select this check box to enable the IP with strict source route option.
     Record Route Option	Records the IP addresses of the network devices along the path that the IP packet travels.	Select this check box to enable the IP with record route option.
     Source route	Number of IP addresses of the devices set at the source that an IP transmission is allowed to take along the path on its way to its destination.	Select this check box to enable the IP with source route option.
     Anomalies: TCP
     SYN Fragment Protection	Number of TCP SYN fragments.	Select this check box to enable the SYN Fragment option.
     SYN and FIN Flags Set Protection	Number of TCP SYN and FIN flags. When you enable this option, JUNOS Software checks if the SYN and FIN flags are set in TCP headers. If it discovers such a header, it drops the packet.	Select this check box to enable the SYN and FIN flags Set option.
     FIN Flag without ACK Flag Set Protection	Number of TCP FIN flags without the acknowledge (ACK) flag. When you enable this option, JUNOS Software checks if the FIN flag is set without the ACK flag being set in TCP headers. If JUNOS Software discovers a packet with such a header, it drops the packet.	Select this check box to enable the FIN flag without ACK option and FIN Flag Set option.
     TCP Packet without Flag Set Protection	Number of TCP headers without flags set. A normal TCP segment header has at least one flag control set.	Select this check box to enable the TCP Packet without Flag Set option.
     Flood Defense: Limit Sessions
     Limit sessions from the same source	Limits sessions from the same source IP.	Select this check box to enable the source IP-based session limit. Configure the threshold value between 1 and 50,000 sessions. The default value is 128 sessions. Note: For SRX Series devices, the applicable range is 1 through 8,000,000 sessions per second.
     Limit sessions from the same destination	Limits sessions to the same destination IP.	Select this check box to enable destination IP-based session limit. Configure the threshold value between 1 and 50,000 sessions. The default value is 128 sessions. Note: For SRX Series devices, the applicable range is 1 through 8,000,000 sessions per second.
     Flood Defense: ICMP/UDP Protection
     ICMP flood protection	Internet Control Message Protocol (ICMP) flood counter. An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.	Select this check box to enable the ICMP Flood Protection option. Configure the threshold value for ICMP flood between 1 and 100,000 ICMP packets per second (pps). The default value is 1000 pps. Note: For SRX Series devices, the applicable range is 1 through 4,000,000 ICMP Packets per second.
     UDP flood protection	User Datagram Protocol (UDP) flood counter. UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled.	Select this check box to enable the UDP Flood Protection option. Configure the threshold value for UDP flood between 1 and 100,000 UDP packets with the same destination address per second (pps). The default value is 1000 pps. Note: For SRX Series devices, the applicable range is 1 through 4,000,000 UDP packets per second.
     Flood Defense: SYN Flood Protection
     SYN flood protection	Attack threshold—Number of SYN packets per second required to trigger the SYN proxy mechanism.	Attack threshold—Configure a value between 1 and 100,000 proxied requests per second. The default value is 200. Note: For SRX Series devices, the applicable range is 1 through 1,000,000 proxied requests per second.
     	Alarm threshold—Define the number of half-complete proxy connections per second at which the device makes entries in the event alarm log.	Alarm threshold—Configure a value between 1 and 100,000 segments received per second for SYN flood alarm. The default value is 1024. Note: For SRX Series devices, the applicable range is 1 through 1,000,000 segments per second.
     	Source threshold—Number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the device begins dropping connection requests from that source.	Source threshold—Configure a value for SYN flood from the same source between 4 and 100,000 segments received per second. The default value is 1024. Note: For SRX Series devices, the applicable range is 4 through 1,000,000 segments per second.
     	Destination threshold—Number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number.	Destination threshold—Configure a value for SYN flood to the same destination between 4 and 100,000. The default value is 2048. Note: For SRX Series devices, the applicable range is 4 through 1,000,000 segments per second.
     	Ager timeout—Maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you no longer see any connections dropped during normal traffic conditions.	Ager timeout—Configure a value for SYN attack protection between 1 and 50 seconds. The default value is 20 seconds. Note: The queue-size is deprecated.
     Apply to Zones
     Apply to zones	Zones that have already been defined and can be bound to the screens.	Highlight the zones in the Available column and then use the right arrow to move them to the Selected column. If no zones have been defined, you can add zones in the Zones list section of this page.

    

Copyright © 2010, Juniper Networks, Inc. All rights reserved. Trademark Notice.