[J-Series/SRX] Example: Configuring TCP SYN Check options on a per policy basis

  [KB21266]


Summary:

How to control TCP SYN behavior on a per policy basis

Symptoms:

The SRX is a stateful firewall: it keeps track of the state of every network connection, distinguishes legitimate packets for the different connection types, and allows through only packets that match a known active session.

Sessions are created when a TCP SYN packet is received and permitted by the security policy. Two flow checks enforce this: the SYN check drops a TCP segment that does not belong to an existing session unless it is a SYN, and the sequence check drops segments whose sequence numbers fall outside the window the session is tracking. Both assume that the firewall sees both directions of a flow (client to server and server to client). If routing is asymmetric and the SRX sees only one direction, or sees the reply before the SYN, these checks will block legitimate packets.

Whenever possible, it is best to fix the routing so that asymmetric flows do not occur rather than to relax the checks. Where that is not possible, you can disable these checks globally on the SRX with the following commands:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

Disabling these checks is a security trade-off: with no-syn-check, any TCP segment (not just a SYN) can open a session, and with no-sequence-check, out-of-window segments are no longer dropped. Because these are global options, each command applies to all traffic flowing through the device.

Cause:

Solution:

Beginning with Junos OS 10.4R2.7, you can define how each security policy treats TCP SYN and sequence checking by using the tcp-options statement under the policy's permit action. These per-policy options take effect only when syn-check and sequence-check have both been disabled globally; while the global checks are enabled, they apply to every policy regardless of its tcp-options.

The per policy options available include:

[edit]
root@test# ...ne untrust policy web then permit tcp-options ?               
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  sequence-check-required  Enable per policy sequence-number checking
  syn-check-required   Enable per policy SYN-flag check
[edit]
root@test#

To use this feature, follow one of the two procedures below:

  • Disable the global checks and require them only in the policies that need them, as shown in example 1, or
  • Disable the global checks, re-enable them on all policies with an apply-group, and exempt the few policies that must accept asymmetric traffic with apply-groups-except, as shown in example 2.

Example 1:  Disable TCP SYN check and apply the TCP options in the policy.

Disable TCP SYN check:

security {
    . 
    .
    .
    flow {
        tcp-session {                   
            no-syn-check;               
            no-sequence-check;          
        }                               
    }  
}

Apply the TCP options in the policy:

security {
    . 
    .
    . 
    policies {
        from-zone trust to-zone untrust {
            policy http-out {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        tcp-options {
                            syn-check-required;
                            sequence-check-required;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        } 
    }
}
Commit the configuration with the commit command. Note that in this example only policies that carry tcp-options get the SYN and sequence checks; every other policy passes TCP traffic with neither check, because the global checks are off.

Example 2:  Disable TCP SYN or sequence checking on one policy while enabling it on all other policies, using an apply-group.

This procedure involves the following:

  • Globally disabling SYN and sequence checking.
  • Using an apply-group to set syn-check-required and sequence-check-required on ALL security policies.
  • Using apply-groups-except to exclude that apply-group from the few policies where SYN or sequence checking is not desired.

groups {
    test {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
 
security {
    policies {
        apply-groups test;
    }
}
 
security {
    policies {
        from-zone 1 to-zone 2 {
            policy one {
                apply-groups-except test;
                ...
            }
        }
    }
}
 

With this configuration change, TCP syn-check and sequence-check are enforced on a per policy basis: every policy inherits both options from group test, except policy one, which accepts asymmetric traffic. To confirm which policies actually inherited the options, run show configuration security policies | display inheritance; inherited statements are shown with a ## comment naming the group they came from, and a policy listed under apply-groups-except shows no tcp-options at all.
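The following audit script is an added example for this article and is not Juniper code. It parses the set-format configuration (the output of show configuration | display set) and reports, for every security policy, whether the SYN and sequence checks are enforced by the global flow settings, by the policy's own or inherited tcp-options, or not at all. The embedded sample configuration is constructed to mirror examples 1 and 2 above (zone and policy names are made up); group wildcards such as <*> are matched as shell-style globs, and apply-groups is only honoured at the top, security, or security policies level.

```python
"""Audit Junos SRX set-format configuration for effective per-policy TCP checks.

Added example for KB21266, not Juniper code. For each security policy, reports
whether the SYN-flag and sequence-number checks are enforced by the global flow
settings ("global"), by the policy's own or inherited tcp-options ("policy"),
or not at all ("off").
"""
import fnmatch
import re

# Constructed sample of 'show configuration | display set' output: global checks
# disabled, group 'test' re-enabling both checks on every policy, one policy
# opted out entirely, one opted out but requiring the SYN check directly.
SAMPLE_CONFIG = """\
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups test
set security policies from-zone trust to-zone untrust policy http-out match source-address any
set security policies from-zone trust to-zone untrust policy http-out match destination-address any
set security policies from-zone trust to-zone untrust policy http-out match application junos-http
set security policies from-zone trust to-zone untrust policy http-out then permit
set security policies from-zone trust to-zone untrust policy asym-app match application any
set security policies from-zone trust to-zone untrust policy asym-app apply-groups-except test
set security policies from-zone trust to-zone untrust policy asym-app then permit
set security policies from-zone untrust to-zone trust policy ssh-in match application junos-ssh
set security policies from-zone untrust to-zone trust policy ssh-in apply-groups-except test
set security policies from-zone untrust to-zone trust policy ssh-in then permit tcp-options syn-check-required
"""

GLOBAL_RE = re.compile(r"^set security flow tcp-session (no-syn-check|no-sequence-check)$")
# apply-groups at the top level, under 'security', or under 'security policies'
# all cover the policy hierarchy; groups applied deeper are not modelled here.
APPLY_RE = re.compile(r"^set (?:security (?:policies )?)?apply-groups (\S+)$")
GROUP_OPT_RE = re.compile(
    r"^set groups (\S+) security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit tcp-options (syn-check-required|sequence-check-required)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)(?: (.*))?$")
POLICY_OPT_RE = re.compile(r"^then permit tcp-options (syn-check-required|sequence-check-required)$")
EXCEPT_RE = re.compile(r"^apply-groups-except (\S+)$")

SHORT = {"syn-check-required": "syn", "sequence-check-required": "seq",
         "no-syn-check": "syn", "no-sequence-check": "seq"}


def wild_match(pattern, value):
    """Match a Junos group wildcard such as <*> or <trust*> as a shell-style glob."""
    if pattern.startswith("<") and pattern.endswith(">"):
        return fnmatch.fnmatchcase(value, pattern[1:-1])
    return pattern == value


def audit(config_text):
    """Return {(from_zone, to_zone, policy): {"syn": state, "seq": state}}."""
    globally_disabled = set()
    applied_groups = set()
    group_opts = []   # (group, from-zone pattern, to-zone pattern, policy pattern, check)
    policies = {}     # key -> {"direct": set(), "except": set()}
    for line in config_text.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            globally_disabled.add(SHORT[m.group(1)])
        elif m := APPLY_RE.match(line):
            applied_groups.add(m.group(1))
        elif m := GROUP_OPT_RE.match(line):
            grp, fzp, tzp, pp, opt = m.groups()
            group_opts.append((grp, fzp, tzp, pp, SHORT[opt]))
        elif m := POLICY_RE.match(line):
            fz, tz, name, rest = m.groups()
            pol = policies.setdefault((fz, tz, name), {"direct": set(), "except": set()})
            if om := POLICY_OPT_RE.match(rest or ""):
                pol["direct"].add(SHORT[om.group(1)])
            elif em := EXCEPT_RE.match(rest or ""):
                pol["except"].add(em.group(1))

    report = {}
    for (fz, tz, name), pol in policies.items():
        # tcp-options inherited from an applied group, unless the policy opts out
        inherited = {check for grp, fzp, tzp, pp, check in group_opts
                     if grp in applied_groups and grp not in pol["except"]
                     and wild_match(fzp, fz) and wild_match(tzp, tz) and wild_match(pp, name)}
        state = {}
        for check in ("syn", "seq"):
            if check not in globally_disabled:
                state[check] = "global"   # global check still on: tcp-options are irrelevant
            elif check in pol["direct"] or check in inherited:
                state[check] = "policy"
            else:
                state[check] = "off"      # asymmetric traffic accepted on this policy
        report[(fz, tz, name)] = state
    return report


if __name__ == "__main__":
    for (fz, tz, name), state in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{fz}->{tz} {name}: syn={state['syn']} seq={state['seq']}")
```

Run it against a real display set dump by replacing SAMPLE_CONFIG with the file contents; any policy reported as "off" for either check is one that accepts asymmetric or out-of-window TCP traffic, and a configuration where everything reports "global" is one where the per-policy tcp-options are not doing anything because the global checks were never disabled.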
