Global Options

To add global options:

  1. Click Global Options in the upper-right corner of the Security Policies page.

    The Global Options page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1 describes the fields on the Global Options page.

Table 1: Fields on the Global Options Page

Field: Action

Pre-id Default Policy

  Session Timeout

    ICMP: Enter the timeout value for ICMP sessions, from 4 through 86400 seconds.

    ICMP6: Enter the timeout value for ICMP6 sessions, from 4 through 86400 seconds.

    OSPF: Enter the timeout value for OSPF sessions, from 4 through 86400 seconds.

    TCP: Enter the timeout value for TCP sessions, from 4 through 86400 seconds.

    UDP: Enter the timeout value for UDP sessions, from 4 through 86400 seconds.

    Others: Enter the timeout value for all other sessions, from 4 through 86400 seconds.

  Logging

    Session Initiate: Enable this option to log at the start of a session.

      Warning: Configuring session-init logging for the pre-id-default-policy can generate a large number of logs.

    Session Close: Enable this option to log at the close of a session.

      Note: Configuring session-close logging ensures that the SRX Series Firewall generates security logs if a flow is unable to leave the pre-id-default-policy.

Flow

  Aggressive Session Aging

    Note: This option is not supported for logical systems and tenants.

    Early Ageout: Enter a value from 1 through 65,535 seconds. The default value is 20 seconds. Specifies how long the device waits before it aggressively ages out a session from its session table.

    Low watermark: Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session-table capacity at which the aggressive aging-out process ends.

    High watermark: Enter a value from 0 through 100 percent. The default value is 100 percent. Specifies the percentage of session-table capacity at which the aggressive aging-out process begins.

  SYN Flood Protection

    SYN Flood Protection: Enable this option to defend against SYN flood attacks.

    Mode: Select one of the following options:

      • Cookie: Uses a cryptographic hash to generate a unique initial sequence number (ISN). This is the default.

      • Proxy: Uses a proxy to handle the SYN attack.

  TCP MSS

    All TCP Packets: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all TCP packets on the network.

    Packets entering IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all packets entering an IPsec tunnel. The default value is 1320 bytes.

    GRE Packets entering IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all generic routing encapsulation (GRE) packets entering an IPsec tunnel. The default value is 1320 bytes.

    GRE Packets exiting IPsec Tunnel: Enter a maximum segment size value from 64 through 65,535 bytes to override the MSS of all GRE packets exiting an IPsec tunnel. The default value is 1320 bytes.

  TCP Session

    Sequence number check: Enabled by default. The device checks the sequence numbers of TCP segments during stateful inspection.

    SYN flag check: Enabled by default. The device checks that the SYN bit is set in the first packet of a session before creating the session; if it is not set, the device drops the packet.
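The same Global Options expressed as Junos CLI configuration statements, added here as an example and not taken from this page. The statement names are the Junos hierarchy names for these options as I know them from the SRX CLI (they do not appear on this page, so treat them as an assumption to verify against your release), and every value is constructed for illustration; the lines beginning with `#` are explanatory notes and not Junos syntax.

```junos
# Pre-id default policy: session timeouts (4 through 86400 seconds) and logging.
set security policies pre-id-default-policy then session-timeout icmp 60
set security policies pre-id-default-policy then session-timeout icmp6 60
set security policies pre-id-default-policy then session-timeout ospf 60
set security policies pre-id-default-policy then session-timeout tcp 1800
set security policies pre-id-default-policy then session-timeout udp 60
set security policies pre-id-default-policy then session-timeout others 60
# session-close only: session-init is the setting the table warns can flood the log.
set security policies pre-id-default-policy then log session-close

# Flow: aggressive session aging (not supported for logical systems and tenants).
# Aging begins at the high watermark and ends at the low watermark, so the low
# value must not exceed the high value (with both at the default of 100 percent,
# aging is effectively triggered only at a full table).
set security flow aging early-ageout 20
set security flow aging high-watermark 90
set security flow aging low-watermark 80

# Flow: SYN flood protection mode (syn-cookie is the default; syn-proxy is the alternative).
set security flow syn-flood-protection-mode syn-cookie

# Flow: TCP MSS overrides (64 through 65535 bytes; 1320 is the tunnel default).
set security flow tcp-mss all-tcp mss 1400
set security flow tcp-mss ipsec-vpn mss 1320
set security flow tcp-mss gre-in mss 1320
set security flow tcp-mss gre-out mss 1320

# Flow: the sequence-number and SYN checks are on by default and need no statement.
# These are the statements that turn them off; they are shown only so they are
# recognisable in a configuration review, and leaving the checks on is the safer setting.
# set security flow tcp-session no-sequence-number-check
# set security flow tcp-session no-syn-check
```

After committing, `show security flow` and `show security policies pre-id-default-policy` in configuration mode display the resulting hierarchy, and `show security flow session summary` in operational mode shows current session-table usage, which is the number the watermarks are measured against.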