
Configuring Flow (J-Web Procedure)

A flow is a stream of related packets that meet the same matching criteria and share the same characteristics. JUNOS Software treats packets belonging to the same flow in the same manner. Configuration settings that determine the fate of a packet—such as the security policy that applies to it, if it requires an Application Layer Gateway (ALG), if Network Address Translation (NAT) is applied to translate the packet’s source and/or destination IP address—are assessed for the first packet of a flow.

Packet-based, or stateless, packet processing treats packets discretely. Each packet is assessed individually for treatment. For more information on flow, see the Junos OS Security Configuration Guide.

Note: Default mode is Flow. To change to packet-based processing, see Table 186.

To configure flow using the J-Web configuration editor:

  1. Select Configure>Security>Policy. The Security Policy page appears. On the Security Policy page, click Global Options in the toolbar. The Global Options page appears.
  2. Fill in the options as shown in Table 186.
  3. Click one of the following buttons:

Table 186: Flow Configuration Options

Each entry below gives the Field, its Function, and the Action to take on the Global Options page.

Policy Options

Default policy action
  Function: Sets the action that is taken on traffic as it passes through the firewall:
    • Permit all—Allows the packets to pass through the firewall.
    • Deny all—Blocks and drops the packets so they do not traverse the firewall, and sends no notification back to the source.
  Action: Next to Default Policy Action, select one of the following: Permit-All or Deny-All.

Policy rematch
  Function: A packet is matched against policies to determine how it is to be treated. With rematch enabled, existing sessions are re-evaluated against the policies when the policy configuration changes.
  Action: Select the check box to enable packet rematch against policies.

Flow - Main

Early Ageout
  Function: Defines the ageout value the device applies when it aggressively ages out sessions from its session table.
  Action: Specify a value between 1 and 65,535 seconds. The default value is 20 seconds.

High Watermark
  Function: Sets the percentage of session-table capacity at which the aggressive aging-out process begins.
  Action: Specify a value between 0 and 100 percent. The default value is 100 percent.

Low Watermark
  Function: Sets the percentage of session-table capacity at which the aggressive aging-out process ends.
  Action: Specify a value between 0 and 100 percent. The default value is 100 percent.

Allow DNS reply
  Function: Allows an incoming DNS reply packet without a matching request. By default, if a reply does not match a query request, the device drops the packet, does not create a session, and increments the illegal packet flow counter for the interface. Enabling the Allow DNS reply option directs the device to skip this check.
  Action: Select this check box to allow unmatched DNS replies.

Route change to nonexistent route timeout
  Function: Applies a session timeout value when a route change leaves a session with no route. By default, this feature is disabled. If the timeout is not defined, sessions discovered to have no route are aged out using their current session timeout values.
  Action: Specify a value between 6 and 1800 seconds.

Enable SYN cookie protection
  Function: Enables SYN cookie defenses against SYN attacks, switching the flow from traditional SYN proxy mode to SYN cookie mode. SYN cookie is enabled globally on the security device and is activated when the configured "SYN flood attack threshold" is exceeded.
  Action: Select this check box to enable SYN cookie protection.

Enable SYN proxy protection
  Function: Enables SYN proxy defense against SYN attacks.
  Action: Select this check box to enable SYN proxy protection.

Flow - TCP MSS

Enable MSS override for all packets
  Function: Enables TCP maximum segment size (TCP-MSS) override for all TCP packets in network traffic.
  Action: Select the check box to enable MSS override for all TCP packets, and then specify an MSS value between 64 and 65,535.

Enable MSS override for all GRE packets coming out of an IPsec tunnel
  Function: Enables MSS override for all Generic Routing Encapsulation (GRE) packets exiting an IPsec tunnel.
  Action: Select the check box to enable MSS override for all GRE packets coming out of an IPsec tunnel, and then specify an MSS value between 64 and 65,535.

Enable MSS override for all GRE packets entering an IPsec tunnel
  Function: Enables MSS override for all GRE packets entering an IPsec tunnel.
  Action: Select the check box to enable MSS override for all GRE packets entering an IPsec tunnel, and then specify an MSS value between 64 and 65,535.

Enable MSS override for all packets entering an IPsec tunnel
  Function: Enables MSS override for all packets entering an IPsec tunnel.
  Action: Select the check box to enable MSS override for all packets entering an IPsec tunnel, and then specify an MSS value between 64 and 65,535.

Flow - TCP Session

Disable sequence-number checking
  Function: Disables the checking of sequence numbers in TCP segments during stateful inspection. By default, the Juniper Networks device monitors the sequence numbers in TCP segments.
  Action: Select the check box to disable sequence-number checking.

Strict SYN-flag check
  Function: Enables the strict three-way handshake check for TCP sessions. This check enhances security by dropping data packets that arrive before the three-way handshake is complete. By default, this check is disabled.
  Action: Select this check box to enable strict SYN checking.

Disable SYN-flag check
  Function: Disables the check of the TCP SYN bit before a session is created. By default, the device checks that the SYN bit is set in the first packet of a session and drops the packet if it is not.
  Action: Select the check box to disable the creation-time SYN flag check.

Disable SYN-flag check (tunnel packets)
  Function: Disables the check of the TCP SYN bit before a session is created for tunneled packets. By default, the device checks that the SYN bit is set in the first packet of a VPN session and drops the packet if it is not.
  Action: Select the check box to disable the creation-time SYN flag check for tunnel packets.

RST invalidate session
  Function: Marks a session for immediate termination when it receives a TCP reset (RST) segment. By default, this statement is unset. When unset, the device applies the normal session timeout interval—for TCP, the session timeout is 30 minutes; for HTTP, it is 5 minutes; and for UDP, it is 1 minute.
  Action: Select this check box to end the session immediately on receipt of a reset (RST) segment.

RST sequence check
  Function: Checks that the TCP sequence number in a TCP segment with the RST bit set matches the previous sequence number for a packet in that session or is the next higher number incrementally. By default, this check is disabled.
  Action: Select this check box to enable sequence-number checking on RST segments.

TCP initial timeout
  Function: Defines the length of time (in seconds) that the device keeps an initial TCP session in the session table before dropping it, or until the device receives a FIN or RST packet.
  Action: Specify a value between 20 and 300 seconds. The default value is 20 seconds.
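The options in Table 186, linted in code as an added example (this is not Juniper's or J-Web's code): it checks a proposed option set against the ranges the table documents, warns on check boxes that remove a default stateful check, and renders the result as CLI. The `set security flow ...` spellings are assumed from general Junos knowledge, not taken from this page.

```python
"""Added example, not Juniper's code: lint Table 186 flow options against the documented
ranges, flag check boxes that remove a default check, and render them as Junos CLI.
The CLI spellings are assumptions from general Junos knowledge; verify on your release."""
from typing import Dict, List, Optional, Tuple, Union

# key -> (assumed CLI template, (min, max) for numeric fields or None, loosening note or None)
OPTIONS: Dict[str, Tuple[str, Optional[Tuple[int, int]], Optional[str]]] = {
    "early-ageout": ("set security flow aging early-ageout {v}", (1, 65535), None),
    "high-watermark": ("set security flow aging high-watermark {v}", (0, 100), None),
    "low-watermark": ("set security flow aging low-watermark {v}", (0, 100), None),
    "route-change-timeout": ("set security flow route-change-timeout {v}", (6, 1800), None),
    "tcp-initial-timeout": ("set security flow tcp-session tcp-initial-timeout {v}", (20, 300), None),
    "all-tcp-mss": ("set security flow tcp-mss all-tcp mss {v}", (64, 65535), None),
    "syn-cookie": ("set security flow syn-flood-protection-mode syn-cookie", None, None),
    "strict-syn-check": ("set security flow tcp-session strict-syn-check", None, None),
    "no-sequence-check": ("set security flow tcp-session no-sequence-check", None,
                          "TCP sequence numbers are no longer validated"),
    "no-syn-check": ("set security flow tcp-session no-syn-check", None,
                     "sessions can be created without an initial SYN"),
    "no-syn-check-in-tunnel": ("set security flow tcp-session no-syn-check-in-tunnel", None,
                               "VPN sessions can be created without an initial SYN"),
    "allow-dns-reply": ("set security flow allow-dns-reply", None,
                        "DNS replies with no matching query are accepted"),
}

def review(opts: Dict[str, Union[int, bool]]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a proposed option set."""
    errors, warnings = [], []
    for key, val in opts.items():
        spec = OPTIONS.get(key)
        if spec is None:
            errors.append(f"{key}: not a Table 186 option")
        elif spec[1] is not None:
            lo, hi = spec[1]
            if isinstance(val, bool) or not lo <= val <= hi:
                errors.append(f"{key}={val!r}: allowed range is {lo}-{hi}")
        elif val is True and spec[2] is not None:
            warnings.append(f"{key}: {spec[2]}")
    # Table 186: aggressive aging begins at the high watermark and ends at the low one.
    if opts.get("low-watermark", 100) > opts.get("high-watermark", 100):
        warnings.append("low-watermark is above high-watermark")
    return errors, warnings

def render(opts: Dict[str, Union[int, bool]]) -> List[str]:
    """Render reviewed options as CLI set lines; refuses invalid input."""
    errors, _ = review(opts)
    if errors:
        raise ValueError("; ".join(errors))
    return [OPTIONS[k][0].format(v=v) for k, v in opts.items() if v is not False]
```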
