hey,
you need to do the following:
delete security policies
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services any-service
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
set security zones security-zone untrust screen untrust-screen
set security alg dns disable
set security alg ftp disable
set security alg h323 disable
set security alg mgcp disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg real disable
set security alg rsh disable
set security alg rtsp disable
set security alg sccp disable
set security alg sip disable
set security alg sql disable
set security alg talk disable
set security alg tftp disable
set security alg pptp disable
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set security flow allow-dns-reply
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check
Then you should make a firewall filter:
set firewall filter Packet-Mode term 1 then packet-mode
Now you have to apply it to the interfaces.
After the change, check that there are no sessions on the router:
show security flow session summary
Good luck,
Aharon Prat
aharonprat@gmail.com
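As an added example (not part of Aharon's post), here is the step the post leaves implicit: the `Packet-Mode` filter from the post applied as an input filter on the revenue interfaces, followed by the commit and the session check. The interface names `ge-0/0/0` and `ge-0/0/1` are assumptions; substitute your own. The `#` lines are explanatory comments for the reader, not commands to paste.

```junos
# Added example, not from the original post. Filter name is the one the
# post uses; interface names ge-0/0/0 and ge-0/0/1 are assumptions.

# 1. The packet-mode filter (family inet is the default firewall family)
set firewall filter Packet-Mode term 1 then packet-mode

# 2. Apply it in the INPUT direction on every interface that carries
#    traffic you want handled in packet mode. Packet mode is decided on
#    ingress, so an interface without the filter keeps flow-mode handling.
set interfaces ge-0/0/0 unit 0 family inet filter input Packet-Mode
set interfaces ge-0/0/1 unit 0 family inet filter input Packet-Mode

# 3. Validate and commit
commit check
commit and-quit

# 4. Verify: with every ingress interface in packet mode the flow table
#    should show no sessions. Sessions still appearing point to an
#    interface that did not get the filter.
show security flow session summary
```

A filter term whose `then` clause holds only the `packet-mode` action modifier accepts the packet; the modifier switches that packet to packet-based forwarding rather than dropping it. If you want to keep some interfaces in flow mode (selective packet mode), simply leave the filter off those interfaces, but then expect sessions for them in the summary output.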