There is an option to add white lists to screens.
https://www.juniper.net/documentation/us/en/software/junos/denial-of-service/topics/ref/statement/security-edit-white-list.html
I've not used it so I'm not sure if you can add this to the default screens or need to create your own custom ones.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
Original Message:
Sent: 01-13-2021 11:58
From: Unknown User
Subject: Screen whitelist/exceptions
Hi all,
We're trying to deploy the screen feature on one of our firewalls that hasn't used this before with the following configuration:
    alarm-without-drop;
    tcp {
        port-scan threshold 1000;
        syn-ack-ack-proxy threshold 1000;
        syn-flood {
            attack-threshold 250;
            source-threshold 500;
            destination-threshold 1250;
        }
        tcp-sweep threshold 1000;
    }
The testing run has shown a lot of alerts on the port scan and TCP sweep screens for our load balancer IPs, even at the threshold setting of 1000, which is the minimum possible. Yes, the load balancers are in the same zone as the Internet; due to the amount of work required to move them to a separate zone and go through all the policies to check whether they need the new zone, I don't think such a change would be possible for us in the foreseeable future.
My question would be, is there an alternative if I don't want to turn port scan and TCP sweep screens off? Such as a whitelist/exception list that would ensure the LB IPs are not checked by screen even if they'd trigger an alert otherwise? I didn't find anything in the CLI explorer I thought would be usable but I might have missed something.
Any advice will be much appreciated.
Best regards,
Matej
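An added configuration example, not taken from this thread or from Juniper's documentation, showing how the screen white-list mentioned in the reply is declared and attached to a screen like the one Matej posted. The ids-option name untrust-screen, the zone name untrust and the load balancer prefix 192.0.2.0/28 are placeholders. In the Junos releases I have worked with, the white-list knob is accepted under tcp syn-flood (and udp flood), so this exempts the load balancer addresses from the SYN-flood screen; whether port-scan and tcp-sweep accept a white-list on a given release is something to confirm with `?` in configuration mode on the device rather than assume from this example.

```junos
/* Added example; untrust-screen, untrust and 192.0.2.0/28 are placeholders */
security {
    screen {
        /* addresses exempted from the screens that reference this list */
        white-list lb-exempt {
            address 192.0.2.0/28;
        }
        ids-option untrust-screen {
            /* log only, do not drop, while thresholds are being tuned */
            alarm-without-drop;
            tcp {
                port-scan threshold 1000;
                syn-ack-ack-proxy threshold 1000;
                syn-flood {
                    attack-threshold 250;
                    source-threshold 500;
                    destination-threshold 1250;
                    /* traffic matching lb-exempt skips the SYN-flood check */
                    white-list lb-exempt;
                }
                tcp-sweep threshold 1000;
            }
        }
    }
    zones {
        security-zone untrust {
            /* the screen only takes effect once bound to the zone */
            screen untrust-screen;
        }
    }
}
```

In set form the two lines that matter are `set security screen white-list lb-exempt address 192.0.2.0/28` and `set security screen ids-option untrust-screen tcp syn-flood white-list lb-exempt`; after committing, `show security screen statistics zone untrust` lets you check whether the SYN-flood counters for the load balancer prefix stop incrementing while the port-scan and TCP-sweep counters behave as before.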