Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Port Scan SRX series

    Posted 08-10-2015 20:38

    Hello guys, just want to check: is port scan enabled by default on any SRX firewall?

    What I mean is, is there a default policy to thwart remote users from doing a port scan on the firewall?

    Thanks.



  • 2.  RE: Port Scan SRX series

     
    Posted 08-10-2015 20:54

    Hi,

    You are referring to screens. In the default configuration some of the screens are configured and applied to the untrust zone. However, you should review the screens and tune them according to your network traffic profile.

    Specifically for port scan:

    https://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/reconnaissance-deterrence-port-scan-blocking-cli.html

    For information on all the screen options:

    https://www.juniper.net/techpubs/en_US/junos12.1x46/information-products/pathway-pages/security/security-adp-index.html

    Tim



  • 3.  RE: Port Scan SRX series
    Best Answer

    Posted 08-11-2015 03:17

    On the branch SRX firewalls there is a basic screen on the untrust zone port in the default configuration (below).

    You can see what screens exist by using these commands. The screen has to be created, and then assigned to a zone.


    root# show security screen
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                timeout 20;
            }
            land;
        }
    }

    root# show security zones
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            fe-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        tftp;
                    }
                }
            }
        }
    }
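The default output quoted above shows the untrust zone does get a screen, but that screen has no tcp port-scan statement, which is the answer to the original question. As an added example (not from the post or from Juniper), the following script parses the curly-brace output of `show security screen` and `show security zones` and reports, per zone, which screen is bound and whether it carries tcp port-scan; the sample strings are constructed, abbreviated from the output above, and the port-scan threshold value is illustrative.

```python
import re

def parse_junos(text):
    """Parse Junos curly-brace config text into nested dicts: blocks become dicts,
    leaf statements map to True (bare flag) or to their trailing value string."""
    text = re.sub(r"^\S*# show.*$", "", text, flags=re.M)  # drop 'root# show ...' prompt lines
    root, stack, buf = {}, [], []
    stack.append(root)
    for tok in re.findall(r"[{};]|[^{};]+", text):  # delimiters or runs of statement text
        if tok == "{":
            block = {}
            stack[-1][" ".join(buf)] = block  # e.g. key 'ids-option untrust-screen'
            stack.append(block)
            buf = []
        elif tok == "}":
            stack.pop()
            buf = []
        elif tok == ";":
            stack[-1][buf[0]] = " ".join(buf[1:]) if len(buf) > 1 else True
            buf = []
        else:
            buf.extend(tok.split())
    return root

def audit_port_scan(screen_text, zone_text):
    """Map each security zone to (bound screen name or None, tcp port-scan present?)."""
    screens, zones = parse_junos(screen_text), parse_junos(zone_text)
    report = {}
    for key, body in zones.items():
        if key.startswith("security-zone "):
            zone = key.split(None, 1)[1]
            screen = body.get("screen")  # 'screen untrust-screen;' -> 'untrust-screen'
            tcp = screens.get(f"ids-option {screen}", {}).get("tcp", {})
            if not isinstance(tcp, dict):  # guard against a bare 'tcp;' leaf
                tcp = {}
            report[zone] = (screen, "port-scan" in tcp)
    return report

# Constructed sample, abbreviated from the default branch SRX output quoted in the post above.
DEFAULT_SCREENS = """root# show security screen
ids-option untrust-screen { icmp { ping-death; } tcp { land; } }"""
# Same screen after adding the TCP port-scan screen (threshold in microseconds; 5000 is illustrative).
TUNED_SCREENS = """ids-option untrust-screen { icmp { ping-death; } tcp { land; port-scan { threshold 5000; } } }"""
ZONES = """root# show security zones
security-zone trust { interfaces { vlan.0; } }
security-zone untrust { screen untrust-screen; interfaces { fe-0/0/0.0; } }"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SCREENS), ("tuned", TUNED_SCREENS)):
        print(label, audit_port_scan(text, ZONES))
```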