Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Screen Options for User Logical Systems

Learn about screen options and how to configure screen options for user logical systems.

Screen options on security devices help prevent the following attacks:

  • IP address sweeps

  • Port scans

  • Denial of service (DOS) attacks

  • Internet Control Message Protocol (ICMP)

  • User Datagram Protocol (UDP)

  • Synchronize (SYN) floods.

For more information, see the following topics:

Logical Systems Screen Options

Junos OS screen options secure a zone by inspecting, then allowing or denying, all connection attempts that require crossing an interface bound to that zone. Junos OS applies firewall policies, including content filtering and IDP components, to traffic passing through screen filters.

Screen options are available in every logical system on the device. Each user logical system administrator configures screen options for their system. The primary administrator manages screen options for both the primary system and all user systems.

The user logical system administrator can configure and view all screen options in a user logical system. These options are also visible to the primary administrator.

Example: Configure Screen Options for a User Logical Systems

This example shows how to configure screen options for a user logical system.

Requirements

Before you begin:

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

You can limit concurrent sessions to the same destination IP address in a user logical system. Setting a destination-based session limit ensures Junos OS allows only an acceptable number of concurrent connection requests to reach any host. Junos OS blocks further attempts when requests surpass the limit. This example creates the screen options described in Table 1.

Table 1: User Logical System Screen Options Configuration

Name

Configuration Parameters

limit-destination-sessions

  • Limits concurrent connection requests to destination IPs to 80.

  • Applied to ls-product-design-untrust zone.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure destination-based session limits in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

  2. Configure a screen option for a destination-based session limit.

  3. Set the security zone for the screen option.

Results

From configuration mode, confirm your configuration by entering the show security screen and show security zone commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.