Information
Idle JWeb sessions should be timed out after 15 minutes.
Rationale:
If JWeb Management sessions are left unattended it may be possible for an attacker to use the session to take control of the JUNOS device.
To prevent this, or at least limit the scope of such an attack, an idle timeout should be set to end sessions where no activity has occurred for a defined period of time.
The Payment Card Industry Data Security Standard (PCI DSS) recommends that administrative sessions should be timed out if left idle for 15 minutes.
Solution
To enable Idle Timeouts for JWeb issue the following command from the [edit system services web-management] hierarchy:
[edit system services web-management]
user@host#set session idle-timeout <Time in Minutes>
Default Value:
Depends on platform, JWEB is installed on J-Series by default and optional on all other platforms. No idle timeout is set by default.