Screen Options for User Logical Systems
Learn about screen options and how to configure screen options for user logical systems.
Screen options on security devices help prevent the following attacks:
IP address sweeps
Port scans
Denial of service (DOS) attacks
Internet Control Message Protocol (ICMP)
User Datagram Protocol (UDP)
Synchronize (SYN) floods.
For more information, see the following topics:
Logical Systems Screen Options
Junos OS screen options secure a zone by inspecting, then allowing or denying, all connection attempts that require crossing an interface bound to that zone. Junos OS applies firewall policies, including content filtering and IDP components, to traffic passing through screen filters.
Screen options are available in every logical system on the device. Each user logical system administrator configures screen options for their system. The primary administrator manages screen options for both the primary system and all user systems.
The user logical system administrator can configure and view all screen options in a user logical system. These options are also visible to the primary administrator.
Example: Configure Screen Options for a User Logical Systems
This example shows how to configure screen options for a user logical system.
Requirements
Before you begin:
Log in to the user logical system as the user logical system administrator. See User Logical Systems Configuration Overview.
Configure zones for the user logical system. See Example: Configuring Security Zones for a User Logical Systems.
Overview
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
You can limit concurrent sessions to the same destination IP address in a user logical system. Setting a destination-based session limit ensures Junos OS allows only an acceptable number of concurrent connection requests to reach any host. Junos OS blocks further attempts when requests surpass the limit. This example creates the screen options described in Table 1.
Name |
Configuration Parameters |
|---|---|
limit-destination-sessions |
|
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security screen ids-option limit-destination-sessions limit-session destination-ip-based 80 set security zones security-zone ls-product-design-untrust screen limit-destination-sessions
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure destination-based session limits in a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure lsdesignadmin1@host:ls-product-design#
Configure a screen option for a destination-based session limit.
[edit security] lsdesignadmin1@host:ls-product-design# set screen ids-option limit-destination-sessions limit-session destination-ip-based 80
Set the security zone for the screen option.
[edit security] lsdesignadmin1@host:ls-product-design# set zones security-zone ls-product-design-untrust screen limit-destination-sessions
Results
From configuration mode, confirm your configuration
by entering the show security screen and show security
zone commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only
the configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
lsdesignadmin1@host:ls-product-design# show security screen
ids-option limit-destination-sessions {
limit-session {
destination-ip-based 80;
}
}
lsdesignadmin1@host:ls-product-design# show security zones
security-zone ls-product-design-trust {
...
}
security-zone ls-product-design-untrust {
screen limit-destination-sessions;
...
}
If you are done configuring the device, enter commit from configuration mode.