Zones and Screens Configuration Page Options

  1. Select Configure>Security>Zones/Screens.

    The Zones/Screens configuration page appears. Table 38 explains the contents of this page.

  2. Click one:
    • Add—Adds a new or duplicate zone configuration. Enter information as specified in Table 39.
    • Edit—Edits the selected zone configuration.
    • Delete—Deletes the selected zone configuration.
  3. Click one:
    • Add—Adds a new or duplicate screen configuration. Enter information as specified in Table 40.
    • Edit—Edits the selected screen configuration.
    • Delete—Deletes the selected screen configuration.
  4. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 38: Zones/Screens Configuration Page

Zones list

| Field | Function |
|---|---|
| Zone name | Displays the name of the zone. |
| Type | Displays the type of zone. |
| Services | Displays the type of service. |
| Protocols | Displays the protocol type of incoming traffic. |
| Interfaces | Displays the interfaces that are part of this zone. |
| Screen | Displays the name of the screen object applied to the zone. |

Screen list

| Field | Function |
|---|---|
| Screen name | Displays the name of the screen object. |
| Type | Displays the type of screen. |

Table 39: Add Zone Configuration Details

Main

| Field | Function | Action |
|---|---|---|
| Zone name | Specifies the name of the zone. | Enter a name for the zone. |
| Zone type | Specifies the type of the zone. | Select either security or functional. Only one functional zone can be configured. |
| Send RST for non matching session | Specifies that, when the reset feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYN (Synchronize) flag set. | Select the Send RST for non matching session check box to enable this feature. |
| Binding screen | Specifies that you can assign screens to a zone. Note: If you have already configured screens, the list shows the screen names and allows you to select or delete a screen. | Select a binding screen from the list. |
| Interfaces in this zone | Specifies the available interfaces that you can select for the security zone. | Select or deselect the interfaces that you want to include in the security zone using either the left or the right arrow. Note: The selected interfaces are displayed in the Selected grid. |

Host inbound traffic - Zone

| Field | Function | Action |
|---|---|---|
| Protocols | Specifies the protocols that permit inbound traffic of the selected type to be transmitted to hosts within the zone. | Select the protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all protocols. Note: To deselect protocols, select the protocols in the Selected column and then use the left arrow to move them to the Available column. |
| Services | Specifies the interface services that permit inbound traffic of the selected type to be transmitted to hosts within the zone. | Select the services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all services. Note: To deselect services, select the services in the Selected column and then use the left arrow to move them to the Available column. |

Host inbound traffic - Interface

| Field | Function | Action |
|---|---|---|
| Interface services | Specifies the interface services that permit inbound traffic from the selected interface to be transmitted to hosts within the zone. | Select the interface services in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface services. To deselect services, select the services in the Selected column and then use the left arrow to move them to the Available column. Note: If you select multiple interfaces, the existing interface services and protocols are cleared and are applied to the selected interfaces. |
| Interface protocols | Specifies the interface protocols that permit inbound traffic from the selected interface to be transmitted to hosts within the zone. | Select the interface protocols in the Available column and then use the right arrow to move them to the Selected column. Select all to permit all interface protocols. To deselect protocols, select the protocols in the Selected column and then use the left arrow to move them to the Available column. |

Table 40: Add Screen Configuration Details

Main

| Field | Function | Action |
|---|---|---|
| Screen name | Specifies the name of the screen object. | Enter a name for the screen object. |
| Generate alarms without dropping packet | Specifies that alarms are generated without dropping packets. | Select the Generate alarms without dropping packet check box to enable this feature. |
| IP spoofing | Specifies that you can enable IP address spoofing detection. IP spoofing occurs when a false source address is inserted in the packet header to make the packet appear to come from a trusted source. | Select the IP spoofing check box to enable this feature. |
| IP sweep | Specifies the number of ICMP address sweeps. An IP address sweep can occur with the intent of triggering responses from active hosts. | Select the IP sweep check box to enable this feature. |
| Threshold | Specifies the threshold value of the IP sweep. | Enter the time interval for an IP sweep. Note: If a remote host sends ICMP traffic to 10 addresses within this interval, an IP address sweep attack is flagged and further ICMP packets from the remote host are rejected. The range is from 1000 through 1000000 microseconds. The default value is 5000 microseconds. |
| Port scan | Specifies the number of TCP port scans. The purpose of this attack is to scan the available services in the hope that at least one port will respond, thus identifying a service to target. | Select the Port scan check box to enable this feature. |
| Threshold | Specifies the threshold value of the TCP port scan. | Enter the time interval for a port scan. Note: If a remote host scans 10 ports within this interval, a port scan attack is flagged and further packets from the remote host are rejected. The range is from 1000 through 1000000 microseconds. The default value is 5000 microseconds. |
| WinNuke attack protection | Specifies the number of TCP WinNuke attacks. Note: WinNuke is a DoS attack targeting any computer on the Internet running a Windows operating system. | Select the WinNuke attack protection check box to enable this feature. |

Denial of Service

| Field | Function | Action |
|---|---|---|
| Land attack protection | Specifies the number of land attacks. Note: Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. | Select the Land attack protection check box to enable this feature. |
| Teardrop attack protection | Specifies the number of teardrop attacks. Note: Teardrop attacks exploit the reassembly of fragmented IP packets. | Select the Teardrop attack protection check box to enable this feature. |
| ICMP fragment protection | Specifies the number of ICMP fragments. Note: ICMP packets contain very short messages. There is no legitimate reason for ICMP packets to be fragmented. | Select the ICMP fragment protection check box to enable this feature. |
| Ping of death attack protection | Specifies the ICMP ping of death counter. Note: A ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes). | Select the Ping of death attack protection check box to enable this feature. |
| Large size ICMP packet protection | Specifies the number of large ICMP packets. | Select the Large size ICMP packet protection check box to enable this feature. |
| Block fragment traffic | Specifies the number of IP block fragments. | Select the Block fragment traffic check box to enable this feature. |
| SYN-ACK-ACK proxy protection | Specifies the number of TCP flags enabled with SYN-ACK-ACK. Note: This is designed to prevent flooding with SYN-ACK-ACK sessions. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address. | Select the SYN-ACK-ACK proxy protection check box to enable this feature. |
| Threshold | Specifies the threshold value for SYN-ACK-ACK proxy protection. | Enter the threshold value for SYN-ACK-ACK proxy protection. Note: The range is from 1 through 250000 sessions. The default value is 512 sessions. |

Anomalies

| Field | Function | Action |
|---|---|---|
| Bad option | Specifies the bad options counter. | Select the Bad option check box to enable this feature. |
| Security | Specifies the method for hosts to send security. | Select the Security check box to enable this feature. |
| Unknown protocol | Specifies that the IP address with security option can be enabled. | Select the Unknown protocol check box to enable this feature. |
| Strict source route | Specifies the complete route list for a packet to take on its journey from source to destination. | Select the Strict source route check box to enable this feature. |
| Source route | Specifies the number of IP addresses of the devices set at the source that an IP transmission is allowed to take on its way to its destination. | Select the Source route check box to enable this feature. |
| Timestamp | Specifies the time recorded (in UTC) when each network device receives the packet during its trip from the point of origin to its destination. | Select the Timestamp check box to enable this feature. |
| Stream | Specifies a method for the 16-bit SATNET stream identifier to be carried through networks that do not support streaming. | Select the Stream check box to enable this feature. |
| Loose source route | Specifies a partial route list for a packet to take on its journey from source to destination. | Select the Loose source route check box to enable this feature. |
| Record route | Specifies that IP addresses of network devices along the path that the IP packet travels can be recorded. | Select the Record route check box to enable this feature. |
| SYN Fragment Protection | Specifies the number of TCP SYN fragments. | Select the SYN Fragment Protection check box to enable this feature. |
| SYN and FIN Flags Set Protection | Specifies the number of TCP SYN and FIN flags. Note: When you enable this option, Junos OS checks whether the SYN and FIN flags are both set in a TCP header. If it discovers such a header, it drops the packet. | Select the SYN and FIN Flags Set Protection check box to enable this feature. |
| FIN Flag Without ACK Flag Set Protection | Specifies the number of TCP FIN flags set without an ACK flag set. | Select the FIN Flag Without ACK Flag Set Protection check box to enable this feature. |
| TCP Packet Without Flag Set Protection | Specifies the number of TCP headers without flags set. Note: A normal TCP segment header has at least one control flag set. | Select the TCP Packet Without Flag Set Protection check box to enable this feature. |

Flood Defense

| Field | Function | Action |
|---|---|---|
| Limit sessions from the same source | Specifies that sessions are limited from the same source IP. | Enter the range within which the sessions are limited from the same source IP. Note: The range is from 1 through 50000 sessions. |
| Limit sessions from the same destination | Specifies that sessions are limited from the same destination IP. | Enter the range within which the sessions are limited from the same destination IP. The range is from 1 through 50000 sessions. Note: The default value is 128 sessions. For SRX Series Services Gateways, the range is from 1 through 8000000 sessions per second. |
| ICMP flood protection | Specifies the Internet Control Message Protocol (ICMP) flood counter. Note: An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed. | Select the ICMP flood protection check box to enable this feature. |
| Threshold | Specifies the threshold value for ICMP flood protection. | Enter the threshold value for ICMP flood protection. Note: The range is from 1 through 100000 ICMP packets per second (pps). For SRX Series Services Gateways, the range is from 1 through 4000000 ICMP pps. |
| UDP flood protection | Specifies the User Datagram Protocol (UDP) flood counter. Note: UDP flooding occurs when an attacker sends IP packets containing UDP datagrams to slow system resources, such that valid connections can no longer be handled. | Select the UDP flood protection check box to enable this feature. |
| Threshold | Specifies the threshold value for UDP flood protection. | Enter the threshold value for UDP flood protection. Note: The range is from 1 through 100000 sessions. The default value is 1000 sessions. |
| SYN flood protection | Specifies that SYN flooding occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests. | Select the SYN flood protection check box to enable all the threshold and ager timeout options. |
| Attack threshold | Specifies the number of SYN packets per second required to trigger the SYN proxy mechanism. | Enter a value from 1 through 100000 proxied requests per second. The default value is 200. Note: For SRX Series Services Gateways, the range is from 1 through 1000000 proxied requests per second. The default attack threshold value is 625 pps. |
| Alarm threshold | Specifies the number of half-complete proxy connections per second at which the device makes entries in the event alarm log. | Enter a value from 1 through 100000 segments received per second for the SYN flood alarm. The default value is 512. Note: For SRX Series Services Gateways, the range is from 1 through 1000000 segments per second. The default alarm threshold value is 250 pps. |
| Source threshold | Specifies the number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the device begins dropping connection requests from that source. | Enter a value for SYN flood from the same source from 4 through 100000 segments received per second. The default value is 4000. Note: For SRX Series Services Gateways, the range is from 4 through 1000000 segments per second. The default source threshold value is 25 pps. |
| Destination threshold | Specifies the number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on destination IP address, regardless of the destination port number. | Enter a value for SYN flood to the same destination from 4 through 100000. The default value is 4000. Note: For SRX Series Services Gateways, the range is from 4 through 1000000 segments per second. The default destination threshold value is 0 pps. |
| Ager timeout | Specifies the maximum length of time before a half-completed connection is dropped from the queue. You can decrease the timeout value until you see any connections dropped during normal traffic conditions. | Enter a value for SYN attack protection from 1 through 50 seconds. The default value is 20 seconds. Note: 20 seconds is a reasonable length of time to hold incomplete connection requests. |

Apply to Zones

| Field | Function | Action |
|---|---|---|
| Apply to Zones | Specifies that you can apply the screen to zones by moving them from the Available column to the Selected column. | Select zones in the Available column and then use the right arrow to move them to the Selected column. Note: To remove zones from the Selected column, select the zones in the Selected column and then use the left arrow to move them to the Available column. |
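The J-Web fields in Table 39 (zone) and Table 40 (screen) correspond to `security zones` and `security screen ids-option` statements in the Junos CLI, which is useful for checking what the page's OK/Commit steps actually produced, or for scripting the same settings. The following is an added example and is not part of the original page or Juniper's own documentation: it builds a screen object with the default thresholds the tables list, binds it to a zone, and sets the zone-level and interface-level host-inbound traffic. The names `untrust-screen`, `untrust` and `ge-0/0/0.0`, the functional-zone interface `fxp0.0`, and the ICMP flood threshold of 1000 (the table gives no default for it) are assumptions for illustration; the statement keywords come from the Junos CLI rather than from this page.

```junos
## Table 40, Main: screen object. "Generate alarms without dropping packet" is left
## unset, so matching packets are dropped rather than only logged.
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen icmp ip-sweep threshold 5000
set security screen ids-option untrust-screen tcp port-scan threshold 5000
set security screen ids-option untrust-screen tcp winnuke
## Table 40, Denial of Service
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen icmp fragment
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp large
set security screen ids-option untrust-screen ip block-frag
set security screen ids-option untrust-screen tcp syn-ack-ack-proxy threshold 512
## Table 40, Anomalies: IP options and TCP flag combinations
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip strict-source-route-option
set security screen ids-option untrust-screen ip loose-source-route-option
set security screen ids-option untrust-screen ip record-route-option
set security screen ids-option untrust-screen tcp syn-frag
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp fin-no-ack
set security screen ids-option untrust-screen tcp tcp-no-flag
## Table 40, Flood Defense: session limits and flood thresholds
set security screen ids-option untrust-screen limit-session source-ip-based 128
set security screen ids-option untrust-screen limit-session destination-ip-based 128
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen udp flood threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 512
set security screen ids-option untrust-screen tcp syn-flood source-threshold 4000
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 4000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
## Table 39, Main: security zone, "Send RST for non matching session", interface membership
set security zones security-zone untrust tcp-rst
set security zones security-zone untrust interfaces ge-0/0/0.0
## Table 39, Host inbound traffic - Zone (applies to every interface in the zone)
set security zones security-zone untrust host-inbound-traffic protocols ospf
## Table 39, Host inbound traffic - Interface (applies to this interface only)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
## Table 39, Binding screen / Table 40, Apply to Zones
set security zones security-zone untrust screen untrust-screen
## Table 39, Zone type = functional: the single permitted functional zone is "management"
set security zones functional-zone management interfaces fxp0.0
```

After committing, `show security screen ids-option untrust-screen` displays the thresholds in force and `show security screen statistics zone untrust` shows the per-screen counters that the "Specifies the number of ..." entries in Table 40 refer to. The zone-level host-inbound-traffic statement opens the listed protocol on every interface in the zone, while the interface-level form is scoped to that interface alone, which is the same distinction the two "Host inbound traffic" sections of Table 39 draw.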

Related Documentation