SRX

Screen whitelist/exceptions

  • 1.  Screen whitelist/exceptions

    Posted 05-06-2021 14:46

    Hi all,
    We're trying to deploy the screen feature on one of our firewalls that hasn't used this before with the following configuration:

    alarm-without-drop;
    tcp {
        port-scan threshold 1000;
        syn-ack-ack-proxy threshold 1000;
        syn-flood {
            attack-threshold 250;
            source-threshold 500;
            destination-threshold 1250;
        }
        tcp-sweep threshold 1000;
    }

    The test run has shown a lot of alerts on the port scan and TCP sweep screens for our load balancer IPs, even at the threshold setting of 1000, which is the minimum possible. Yes, the load balancers are in the same zone as the Internet; due to the amount of work required to move them to a separate zone and go through all the policies to check whether they need the new zone, I don't think such a change would be possible for us in the foreseeable future.

    My question would be, is there an alternative if I don't want to turn port scan and TCP sweep screens off? Such as a whitelist/exception list that would ensure the LB IPs are not checked by screen even if they'd trigger an alert otherwise? I didn't find anything in the CLI explorer I thought would be usable but I might have missed something.

    Any advice will be much appreciated.

    Best regards,

    Matej



  • 2.  RE: Screen whitelist/exceptions

    Posted 05-11-2021 09:50
    There is an option to add white lists to screens.

    https://www.juniper.net/documentation/us/en/software/junos/denial-of-service/topics/ref/statement/security-edit-white-list.html

    I've not used it so I'm not sure if you can add this to the default screens or need to create your own custom ones.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
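Before changing the screen configuration, the alarm-without-drop logs from the test run can be used to estimate how many of the port-scan and TCP-sweep alerts a white-list of the load balancer addresses would actually exempt. This is an added Python example, not code from the thread; the RT_SCREEN_TCP line format is modelled on the SRX syslog message and, like the load balancer prefix, is an assumption to verify against your own logs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the SRX RT_SCREEN_TCP syslog message
# (assumption: check the exact field layout against your own firewall logs).
SAMPLE_LOGS = """\
RT_SCREEN_TCP: TCP port scan! source: 203.0.113.10:44012, destination: 198.51.100.5:443, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
RT_SCREEN_TCP: TCP sweep! source: 203.0.113.11:51233, destination: 198.51.100.9:80, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
RT_SCREEN_TCP: TCP port scan! source: 192.0.2.77:6000, destination: 198.51.100.5:22, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
RT_SCREEN_TCP: TCP port scan! source: 203.0.113.10:44013, destination: 198.51.100.6:8443, zone name: untrust, interface name: reth0.0, action: alarm-without-drop
"""

# Hypothetical load balancer prefix, standing in for the addresses that would go into a screen white-list.
LB_WHITELIST = [ipaddress.ip_network("203.0.113.0/28")]

# Only the screen name and the source/destination addresses are needed for triage.
LINE_RE = re.compile(
    r"RT_SCREEN_TCP: (?P<screen>TCP port scan|TCP sweep)! "
    r"source: (?P<src>[\d.]+):\d+, destination: (?P<dst>[\d.]+):\d+"
)


def is_whitelisted(ip, whitelist=LB_WHITELIST):
    """True if the address falls inside any white-listed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def triage(log_text, whitelist=LB_WHITELIST):
    """Split screen alerts into those a white-list would keep and those it would exempt.

    Returns two Counters keyed by (screen name, source address).
    """
    kept, exempt = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP screen event; ignore
        key = (m["screen"], m["src"])
        (exempt if is_whitelisted(m["src"], whitelist) else kept)[key] += 1
    return kept, exempt


if __name__ == "__main__":
    kept, exempt = triage(SAMPLE_LOGS)
    print("alerts still raised after white-listing:", dict(kept))
    print("alerts exempted by the white-list:", dict(exempt))
```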