01.15.10  
‎01-15-2010 07:11 AM



I am trying to configure screen options on my j2350 device.

My screen configuration is:


user@device> show security screen ids-option inet-screen 
Screen object status:

Name Value
ICMP flood threshold 128
UDP flood threshold 1000
TCP winnuke enabled
TCP port scan threshold 5000
ICMP address sweep threshold 5000
IP tear drop enabled
TCP SYN flood attack threshold 200
TCP SYN flood alarm threshold 512
TCP SYN flood source threshold 4000
TCP SYN flood destination threshold 4000
TCP SYN flood timeout 20
IP spoofing enabled
ICMP ping of death enabled
IP source route option enabled
TCP land attack enabled
TCP SYN fragment enabled
TCP no flag enabled
IP unknown protocol enabled
IP bad options enabled
IP record route option enabled
IP timestamp option enabled
IP security option enabled
IP loose source route option enabled
IP strict source route option enabled
IP stream option enabled
ICMP fragmentation enabled
ICMP large packet enabled
TCP SYN FIN enabled
TCP FIN no ACK enabled
TCP SYN-ACK-ACK proxy threshold 512
Session source limit threshold 128
Session destination limit threshold 128



My security zone is:



user@device> show configuration security zones security-zone bgp-network 
screen inet-screen;
host-inbound-traffic {
system-services {
protocols {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
protocols {



But when I try to flood my test server on interface ge-0/0/1.0 with "hping", I send 3 million packets, generating ~25 Mbit/s of traffic, and cannot access my test server from any IP. In the firewall logs I see:



Name of protocol: TCP, Packet Length: 46, Source address:, Destination address:
Time of Log: 2010-01-15 16:47:04 EET, Filter: pfe, Filter action: accept, Name of interface: ge-0/0/0.0



What is wrong in my configuration?





01.20.10  
‎01-20-2010 05:31 AM



I tried the same flood against an ssg-550, and this device stops the whole flood without any problem.

What should I change in the configuration?