
TCP-RST for Layer 2 Zones


Article ID: KB14329 KB Last Updated: 18 Jun 2009Version: 1.0
Summary:
The TCP-RST option can be set on Layer 3 zones. Is the same option available for Layer 2 zones?
Symptoms:
If a non-SYN TCP packet that matches no existing session arrives on an interface in a Layer 3 zone that has the TCP-RST option set, the firewall sends a reset (RST) back to the sender instead of silently dropping the packet. Can this same option be set for Layer 2 zones?
Solution:
Starting with ScreenOS 6.2.0, Layer 2 zones can be configured with the TCP-RST option. With the option set, the device sends a reset (RST) segment back to the originating host when the first packet it sees for a TCP session is not a SYN (for example, a stray ACK or FIN with no matching session); with the option off, such packets are silently dropped. Earlier ScreenOS releases did not allow this option to be configured on Layer 2 zones.

Note that the default (drop) is the stealthier behaviour. Once tcp-rst is on, unsolicited non-SYN probes into the zone get an answer, so an ACK scan (nmap -sA, for instance) can tell that its probes reached a responding device rather than being silently filtered. Enable it where hosts behind the zone benefit from an immediate, explicit failure for stale or out-of-state connections; leave it off on zones facing untrusted networks unless that trade-off is acceptable.

Output from ScreenOS 5.4.0 (no tcp-rst keyword is offered for the L2 zone):
nsisg2000-> get zone v1-trust
Zone name: V1-Trust, id: 12, type: Security(L2), vsys: Root, vrouter:trust-vr
Intra-zone block: Off, attrib: Shared, flag:0x6241
TCP non SYN send reset: Off
nsisg2000-> set zone v1-untrust ?
ip-classification    configure IP classification
manage               interface manageability
reassembly-for-alg   IP/TCP reassembly for ALG on traffic from/to this zone
screen               configure attack screen
webauth              webauth for this zone

Output from ScreenOS 6.2.0 (tcp-rst is now a valid zone keyword):
nsisg2000-> get zone v1-trust
Zone name: V1-Trust, id: 12, type: Security(L2), vsys: Root, vrouter:trust-vr
Intra-zone block: Off, attrib: Shared, flag:0x6241
TCP non SYN send reset: Off
nsisg2000-> set zone v1-trust ?
g-arp                setting if l2 zone will update arp entry upon gratuitous arp packet
manage               interface manageability
no-dhcp-relay        enable/disable DHCP relay at this zone
reassembly-for-alg   IP/TCP reassembly for ALG on traffic from/to this zone
screen               configure attack screen
tcp-rst              tcp non syn send reset back
webauth              webauth for this zone
nsisg2000->

Enable the option on the L2 zone and confirm the change:
nsisg2000-> set zone v1-trust tcp-rst

nsisg2000-> get zone v1-trust
Zone name: V1-Trust, id: 12, type: Security(L2), vsys: Root, vrouter:trust-vr
Intra-zone block: Off, attrib: Shared, flag:0x6241
TCP non SYN send reset: On
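The following is an added example, not ScreenOS code or part of this article: a small Python model of how a stateful firewall treats the first packet of a TCP flow with the zone's tcp-rst option off and on, and what an ACK scan concludes in each case. The Segment, Zone and Flow classes, the direction-independent session key and the addresses are assumptions made for the illustration; the real session table and flow logic of the device are not shown.

```python
# Added example (not ScreenOS code): models first-packet handling for a TCP
# flow with and without the zone's tcp-rst option, and the ACK-scan view of it.
# Class names, the session model and all addresses are assumed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R"


@dataclass
class Zone:
    name: str
    tcp_rst: bool = False  # 'set zone <name> tcp-rst' turns this on


@dataclass
class Flow:
    zone: Zone
    sessions: set = field(default_factory=set)

    @staticmethod
    def _key(seg: Segment) -> frozenset:
        # Direction-independent key so replies match the same session entry.
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def handle(self, seg: Segment) -> str:
        """Return the verdict for one segment: 'forward', 'drop' or 'rst'."""
        key = self._key(seg)
        if key in self.sessions:
            return "forward"           # belongs to an established session
        if "S" in seg.flags and "A" not in seg.flags:
            self.sessions.add(key)     # a SYN opens a new session
            return "forward"
        # First packet seen for this flow is not a SYN and no session exists:
        # silently drop (tcp-rst off) or answer with a reset (tcp-rst on).
        return "rst" if self.zone.tcp_rst else "drop"


def ack_scan(flow: Flow, target: str, ports: list) -> dict:
    """What an ACK scan (nmap -sA style) concludes for each probed port.

    An ACK probe never carries SYN. A RST answer means the probe reached a
    device that answered ('unfiltered'); silence means 'filtered'.
    """
    result = {}
    for port in ports:
        # Constructed probe from a scanner outside the zone.
        probe = Segment("198.51.100.7", 40000 + port, target, port, "A")
        result[port] = "unfiltered" if flow.handle(probe) == "rst" else "filtered"
    return result


if __name__ == "__main__":
    for on in (False, True):
        flow = Flow(Zone("V1-Trust", tcp_rst=on))
        syn = Segment("10.0.0.5", 51000, "10.0.0.20", 80, "S")
        ack = Segment("10.0.0.5", 51000, "10.0.0.20", 80, "A")
        stray = Segment("10.0.0.9", 52000, "10.0.0.20", 80, "A")
        print(f"tcp-rst {'on ' if on else 'off'}: SYN={flow.handle(syn)} "
              f"ACK-in-session={flow.handle(ack)} stray-ACK={flow.handle(stray)} "
              f"scan={ack_scan(flow, '10.0.0.20', [22, 80])}")
```

Legitimate traffic is forwarded identically in both modes; only the stray, out-of-state segment changes from a silent drop to a RST, and that single difference is what turns every probed port from "filtered" to "unfiltered" in the scan result.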

