Ensure XNM-SSL Connection Limit is Set


If the XNM-SSL service is configured, connection limits should be set.


JUNOScript can be configured to use SSL transport to prevent the exposure of sensitive data and authentication details on the network. If configured, the XNM-SSL service listens on port TCP/3220.

An attacker may attempt to open a large number of sessions to the XNM-SSL service to exhaust the router's resources, or an authorized user may do so accidentally, especially given that the service is designed to provide a scripting and automation interface to JUNOS. To limit the impact of any such incident, the number of concurrent connections to the XNM-SSL service should be explicitly limited.

A relatively low value of 10 is recommended, but it may not be appropriate for all environments, so the value is left to the administrator's discretion.


If the connection limit has been reached, additional JUNOScript sessions will be rejected until an existing session has ended.


The XNM-SSL Connection Limit can be configured by issuing the following command from the [edit system services xnm-ssl] hierarchy:

[edit system services xnm-ssl]
user@host# set connection-limit <limit>

where <limit> is the maximum number of concurrent connections permitted.

Default Value:

The XNM-SSL Service is disabled by default.

When it is first configured the default Connection Limit is 75.
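The following is an added example, not part of this audit item or its plugin: a small Python check that reads a Junos configuration (in either "set" or curly-brace display format, both samples constructed here), determines whether xnm-ssl is configured, and reports the effective connection-limit, treating an absent statement as the default of 75 and flagging it as a finding.

```python
import re

RECOMMENDED_MAX = 10   # value recommended in the audit text
JUNOS_DEFAULT = 75     # default applied when xnm-ssl is first configured

# Constructed sample: `show configuration | display set` fragment.
SAMPLE_SET_CONFIG = """\
set system services ssh
set system services xnm-ssl connection-limit 10
set system services xnm-ssl rate-limit 5
"""

# Constructed sample: same hierarchy in brace format, limit not set.
SAMPLE_BRACE_CONFIG = """\
system {
    services {
        ssh;
        xnm-ssl {
            rate-limit 5;
        }
    }
}
"""

def flatten(config):
    """Turn either display format into 'path statement' strings."""
    stmts, stack = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("set "):
            stmts.append(line[4:])            # already a flat path
        elif line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a block
            stmts.append(" ".join(stack))     # record the block itself
        elif line == "}":
            stack.pop()                       # leave a block
        else:
            stmts.append(" ".join(stack + [line.rstrip(";")]))
    return stmts

def check_xnm_ssl_limit(config, recommended=RECOMMENDED_MAX):
    """Return {'status', 'limit'} for the XNM-SSL connection-limit control."""
    stmts = flatten(config)
    if not any(s.startswith("system services xnm-ssl") for s in stmts):
        return {"status": "NOT_APPLICABLE", "limit": None}
    limit = None
    for s in stmts:
        m = re.fullmatch(r"system services xnm-ssl connection-limit (\d+)", s)
        if m:
            limit = int(m.group(1))
    if limit is None:   # statement absent: Junos default applies, control fails
        return {"status": "FAIL", "limit": JUNOS_DEFAULT}
    return {"status": "PASS", "limit": limit,
            "above_recommended": limit > recommended}
```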

Item Details


References: 800-53|AC-6(10), 800-53|IA-2(1), CSCv7|4.7, CSCv7|11.5

Plugin: Juniper

Control ID: 2752225ad4f7dff337a46349455b502e973ef61f86229ff8653350f4d81c319f