Configuring drop-flow to disable CREATE and CLOSE sessions
Starting in Junos OS Release 23.4R1, we support a new feature, drop-flow, to prevent security attacks. You can control and limit the number of max-sessions for the drop-flow. A session in the drop-flow is valid for 4 seconds by default. During a drop-flow, the session state displays as Drop, but in the flow the state remains Valid.
The drop-flow feature is enabled by default. To disable the feature, use the set security flow drop-flow max-sessions 0 command. To delete only the drop-flow sessions, use the run clear security flow session drop-flow command.
To view the current drop-flow configuration, use the show security flow drop-flow command; to view all the available drop-flow sessions, use the show security flow session drop-flow command. For more information, see Flow-Based Sessions.
The following procedure describes drop-flow behavior in FIPS mode.
With the default policy set to deny-all, a drop-flow session is still created.
- By default the drop-flow feature is enabled and the RT log populates only RT_FLOW_SESSION_CREATE entries for dropped sessions; max sessions will be 10.
- To disable the drop-flow feature, including the session and the RT log entry, use the following command:
host@srx# set security flow drop-flow max-sessions 0
- To enable the drop-flow feature, including the session and an RT log that carries both RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE entries, use the following command:
host@srx# set security flow drop-flow max-sessions
Possible completions:
  <max-sessions>       Maximum Drop-flow Sessions (default 10%) (0..30 percent)
[edit]
host@srx#
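The logging behavior above matters for anyone counting sessions from SRX syslog: at the default setting, dropped sessions produce an RT_FLOW_SESSION_CREATE entry with no matching RT_FLOW_SESSION_CLOSE, so a naive "creates minus closes" view of live sessions is inflated by drop-flow sessions on deny policies. The script below is an added example (not Juniper code and not part of this page) that pairs CREATE and CLOSE entries by session ID and reports the unclosed ones per policy. The sample log lines are constructed, and the field layout they use (source/destination tuple, application, policy name, from-zone, to-zone, session ID at the end) is a simplified assumption; real RT_FLOW messages carry more fields, so adjust the regular expression to your platform's format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled loosely on Junos RT_FLOW syslog messages.
# The field order is an assumption for this example, not the exact SRX layout.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.1.1.5/41000->10.2.2.8/80 0x0 junos-http default-permit trust untrust 1001",
    "Jan 10 12:00:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.1.1.9/51000->10.2.2.8/22 0x0 junos-ssh deny-all trust untrust 1002",
    "Jan 10 12:00:03 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.1.1.9/51001->10.2.2.8/23 0x0 junos-telnet deny-all trust untrust 1003",
    "Jan 10 12:00:30 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "10.1.1.5/41000->10.2.2.8/80 0x0 junos-http default-permit trust untrust 1001",
]

# Captures the event name, the 5-tuple, policy, zones and the trailing session ID.
LINE_RE = re.compile(
    r"(?P<event>RT_FLOW_SESSION_(?:CREATE|CLOSE)): .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"\S+ (?P<app>\S+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+)$"
)


def parse_line(line):
    """Return the parsed fields of one RT_FLOW line, or None if it is not a session event."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def count_events(lines):
    """Count CREATE and CLOSE entries; the gap between them is what drop-flow inflates."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["event"]] += 1
    return dict(counts)


def unclosed_sessions_by_policy(lines):
    """Pair CREATE with CLOSE by session ID and list the IDs that never closed, per policy."""
    created = {}
    closed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "RT_FLOW_SESSION_CREATE":
            created[rec["sid"]] = rec
        else:
            closed.add(rec["sid"])
    unclosed = defaultdict(list)
    for sid, rec in created.items():
        if sid not in closed:
            unclosed[rec["policy"]].append(sid)
    return dict(unclosed)


def live_session_estimate(lines):
    """Naive estimate (creates - closes); compare against the per-policy breakdown
    to see how many of the 'open' sessions are just CREATE-only drop-flow entries."""
    counts = count_events(lines)
    return counts.get("RT_FLOW_SESSION_CREATE", 0) - counts.get("RT_FLOW_SESSION_CLOSE", 0)


if __name__ == "__main__":
    print("event counts:", count_events(SAMPLE_LOGS))
    print("naive live sessions:", live_session_estimate(SAMPLE_LOGS))
    for policy, sids in unclosed_sessions_by_policy(SAMPLE_LOGS).items():
        print(f"policy {policy}: {len(sids)} session(s) created but never closed: {sids}")
```

In the constructed sample the two deny-all sessions are exactly the CREATE-only entries, which is the pattern the default drop-flow setting produces; once max-sessions is set to a non-zero value so both CREATE and CLOSE are logged, the same script shows them pairing up and the naive estimate converging on the real count.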