
[SRX] Example: Configuring TCP SYN Check options on a per-policy basis

Article ID: KB21266 KB Last Updated: 28 Sep 2021Version: 4.0
Summary:

This article explains how to control TCP SYN behavior on a per-policy basis.

Symptoms:

A stateful firewall such as the SRX Series keeps track of the state of each network connection, distinguishes legitimate packets for the different connection types, and allows only packets that match a known active session.

For TCP, a session is created when a SYN packet is received and permitted by a security policy (the SYN check), and later packets are validated against the sequence-number window of that session (the sequence check). Both checks assume the firewall sees both directions of a flow (client to server and server to client). If routing is asymmetric so that the SRX sees only one direction, or it receives packets of a connection that was already established before the SRX was in the path, the first packet it sees is not a SYN and these checks drop it even though the connection is legitimate.

So whenever possible, avoid asymmetric flows. Where that is not possible, the checks can be disabled globally on the SRX device with the following commands:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

Note: Disabling these checks weakens stateful inspection. With no-syn-check, any TCP packet that matches a permit policy, not only a SYN, can create a session; with no-sequence-check, the SRX no longer verifies that sequence numbers fall within the expected window for the session. Because these are global options, each command applies to all traffic flowing through the device.

Solution:

Each security policy can control how it treats TCP SYN and sequence checking with the tcp-options statement under its permit action. These per-policy options re-enable the checks for the traffic that the policy permits, so they are only meaningful when both tcp syn-check and tcp sequence-check have been disabled globally; while the global checks are still on, they apply to every policy regardless of tcp-options.

The per-policy options available include:

[edit]
root@test# set security policies from-zone trust to-zone untrust policy web then permit tcp-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  sequence-check-required  Enable per policy sequence-number checking
  syn-check-required   Enable per policy SYN-flag check

To use this feature, follow either one of the two procedures below:

  • Disable the TCP SYN and sequence checks globally, then re-enable them with tcp-options in each policy that needs them, as shown in Example 1.

OR

  • Disable the checks globally, re-enable them on all policies with an apply-group, and exclude the few policies that must not perform SYN or sequence checking with apply-groups-except, as shown in Example 2.

Example 1:  Disabling TCP SYN check and applying tcp-options in the policy

Disable TCP SYN check:

security {
    . 
    .
    .
    flow {
        tcp-session {                   
            no-syn-check;               
            no-sequence-check;          
        }                               
    }  
}

Apply tcp-options in the policy:

security {
    . 
    .
    . 
    policies {
        from-zone trust to-zone untrust {
            policy http-out {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        tcp-options {
                            syn-check-required;
                            sequence-check-required;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        } 
    }
}
Commit the configuration.

Example 2:  Disabling TCP SYN or sequence checking on one policy while enabling it on all other policies by using an apply-group

This procedure involves the following:

  • Globally disabling SYN and sequence checking (the same flow tcp-session stanza shown in Example 1)

  • Using an apply-group to set syn-check-required and sequence-check-required on ALL security policies

  • Using apply-groups-except to exclude this apply-group from the few policies where SYN or sequence checking is not desired

groups {
    test {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
 
security {
    policies {
        apply-groups test;
    }
}
 
security {
    policies {
        from-zone 1 to-zone 2 {
            policy one {
                apply-groups-except test;
                ...
            }
        }
    }
}

With this configuration, every security policy inherits syn-check-required and sequence-check-required from group test, except policy one, which is excluded from the group and therefore permits TCP traffic without the SYN and sequence checks. The checks are now performed on a per-policy basis.
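The complete Example 2 procedure in set-command form, followed by the commands used to verify it. This is an added example and is not part of the original KB article. The group name test is the article's; the zone names trust and untrust and the policy name asym-legacy (assumed to already exist with its own match and permit terms) are assumptions for illustration.

```junos
# Added example, not from the original KB article. Assumed names: zones
# "trust" and "untrust", and an existing policy "asym-legacy" that carries
# the one asymmetrically routed flow. Group name "test" follows the article.

# Step 1: disable both checks globally. Without this, the per-policy
# tcp-options have no effect.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# Step 2: re-enable both checks on every policy through a wildcard group,
# then apply the group under [edit security policies].
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups test

# Step 3: exempt only the policy that must accept flows whose SYN the SRX
# never sees.
set security policies from-zone trust to-zone untrust policy asym-legacy apply-groups-except test

# Validate, then commit.
commit check
commit

# Verification. The inheritance view marks every statement that came from
# group "test"; asym-legacy must show no inherited tcp-options, and every
# other permit policy must show both.
show configuration security policies | display inheritance
show configuration security flow tcp-session

# After traffic has flowed, sessions under asym-legacy exist even though
# their first packet was not a SYN, while other policies still only
# create sessions from a permitted SYN.
show security flow session protocol tcp
```

Run commit check before commit: the wildcard group matches every policy under [edit security policies], whatever its action, so confirm in the inheritance output that the result is what you intended. The two show configuration lines are the audit to repeat later: with the global stanza disabling both checks, any policy that does not show the inherited tcp-options is passing TCP without SYN or sequence checking.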

Modification History:
  • 2021-09-28: Removed the old Junos version reference in solution section

  • 2020-03-27: Article reviewed for accuracy. Article is correct and complete.
