
[SRX] Example: Configuring TCP SYN Check options on a per policy basis


Article ID: KB21266 KB Last Updated: 27 Mar 2020Version: 3.0
Summary:

How to control TCP SYN behavior on a per policy basis

Symptoms:

As a stateful firewall, the SRX keeps track of the state of every network connection, distinguishes legitimate packets for the different connection types, and allows only packets that match a known active session.

A TCP session is created when the first packet the SRX receives is a SYN and the security policy permits it; subsequent packets in that session are then checked for valid TCP sequence numbers. These checks require the firewall to see both directions of the flow (client to server and server to client). If routing is asymmetric, so that the SRX sees only one direction or picks up a flow mid-stream, it has no matching session for those packets and the checks drop legitimate traffic.

Whenever possible, design the network so that asymmetric flows do not occur. Where that is not possible, the checks can be disabled globally on the SRX with the following commands:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

Disabling these checks is a security trade-off: without SYN checking the SRX creates sessions from non-SYN TCP packets, and without sequence checking it accepts packets whose sequence numbers fall outside the expected window. Because these are global options, each command applies to all traffic flowing through the device.

Solution:

Beginning with Junos OS 10.4R2.7, each security policy can define how TCP SYN and sequence checking are treated by using the tcp-options statement under the policy's permit action. For the per-policy options to take effect, both SYN checking and sequence checking must still be disabled globally; the policy-level statements then re-enable the checks selectively for the traffic that policy permits.

The per policy options available include:

[edit]
root@test# set security policies from-zone trust to-zone untrust policy web then permit tcp-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  sequence-check-required  Enable per policy sequence-number checking
  syn-check-required   Enable per policy SYN-flag check

To use this feature, perform one of the two procedures below:

  • Disable TCP SYN and sequence checking globally and apply the TCP options in the individual policy, as shown in example 1, or
  • Disable TCP SYN or sequence checking on one policy while enabling it on all other policies, using an apply-group, as shown in example 2.

Example 1:  Disable TCP SYN check and apply the TCP options in the policy.

Disable TCP SYN check:

security {
    . 
    .
    .
    flow {
        tcp-session {                   
            no-syn-check;               
            no-sequence-check;          
        }                               
    }  
}

Apply the TCP options in the policy:

security {
    . 
    .
    . 
    policies {
        from-zone trust to-zone untrust {
            policy http-out {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        tcp-options {
                            syn-check-required;
                            sequence-check-required;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        } 
    }
}
Then commit the configuration.

Example 2:  Disable TCP SYN or sequence checking on one policy while enabling it on all other policies, using an apply-group.

This procedure involves the following:

  • Globally disabling SYN and sequence checking.
  • Using an apply-group to set syn-check-required and sequence-check-required on ALL security policies.
  • Using apply-groups-except to exclude that apply-group from the few policies where SYN or sequence checking is not desired.

 

groups {
    test {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
 
security {
    policies {
        apply-groups test;
    }
}
 
security {
    policies {
        from-zone 1 to-zone 2 {
            policy one {
                apply-groups-except test;
                ...
            }
        }
    }
}

With this configuration, TCP SYN checking and sequence checking are enforced on a per-policy basis: every policy that inherits the group performs both checks, while policy one, which excludes the group, performs neither.
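The same procedure expressed as set commands, with the checks to run before committing. This is an added example, not configuration from the KB article; it reuses the article's group name test, zone names 1 and 2, and policy name one, and assumes an SRX running a release at or above the one named above.

```junos
## Added example (not from the article): Example 2 in set form.

## Step 1: the global checks must be off, otherwise the per-policy
## tcp-options statements have no effect.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

## Step 2: a group whose wildcards match every from-zone/to-zone pair and
## every policy, re-enabling both checks on all of them.
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups test

## Step 3: opt the one asymmetric policy out of the group so it keeps
## neither check.
set security policies from-zone 1 to-zone 2 policy one apply-groups-except test

## Validate the candidate configuration without activating it.
commit check

## Show each policy with the statements it inherits from the group;
## policy one should appear without the tcp-options block.
show security policies | display inheritance

## Activate the change only once the inheritance looks right.
commit
```

Run commit check before commit: the group's then permit subtree is merged into every policy the wildcards match, including any policy whose action is not permit, and commit check reports any resulting conflict before the change is activated. The display inheritance output marks each inherited statement with the group it came from, which is the quickest way to confirm that only the intended policy lacks the checks.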

Modification History:

2020-03-27: Article reviewed for accuracy.  Article is correct and complete.
