[SRX] How to selectively disable ‘syn’ and ‘sequence’ checking

  [KB24566]


Summary:
This article describes how to disable TCP SYN and sequence checking selectively, for a few security policies, while keeping both checks enforced for all other traffic through the SRX.
Symptoms:
Recent Junos versions can require SYN and sequence checking per security policy, using the tcp-options statement under permit:

policy Zone1-to-Zone2 {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tcp-options {
                syn-check-required;
                sequence-check-required;
            }
        }
    }
}

Whenever possible, design the network so that asymmetric flows do not occur, but this is not always achievable. When it is not, the checks can be disabled globally on the SRX device:
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
Disabling the checks has a security impact: without SYN checking the SRX creates sessions for TCP packets that are not the initial SYN, and without sequence checking it no longer drops segments whose sequence numbers fall outside the TCP window. Because these are global options, they apply to all traffic flowing through the device. The per-policy syn-check-required and sequence-check-required statements shown above take effect only when the corresponding global check is disabled, which is what allows the checks to be re-enabled for everything except the policies that carry asymmetric traffic.

Solution:
To disable TCP SYN and sequence checking on one policy (or a few) while enforcing them on all other policies, use an apply-group. Perform the following procedure:

  1. Globally disable SYN and sequence checking with the two set commands above.

  2. Define an apply-group that sets syn-check-required and sequence-check-required on every security policy (the <*> wildcards match any from-zone, to-zone and policy name) and apply it at the [edit security policies] level.

  3. Use apply-groups-except on the few policies that must accept asymmetric traffic, so that they do not inherit the required checks.
    groups {
        require_syn_seq_checking {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                        policy <*> {
                            then {
                                permit {
                                    tcp-options {
                                        syn-check-required;
                                        sequence-check-required;
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    security {
        policies {
            apply-groups require_syn_seq_checking;
        }
    }

    security {
        policies {
            from-zone Zone1 to-zone Zone2 {
                policy one {
                    apply-groups-except require_syn_seq_checking;
    ...
                }
            }
        }
    }
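After committing the configuration above, the question a practitioner wants answered is "which policies actually still enforce the checks?" The following script is an added example, not part of this article or of Junos: it reads `show configuration | display set` output (a constructed sample below, not taken from a real device), replays the apply-groups / apply-groups-except inheritance described in the Solution together with the per-policy tcp-options from the Symptoms section, and reports, per permit policy, whether SYN and sequence checking are effective. The sample adds two hypothetical policies, `two` and `three`, to show an inherited policy and one that is excepted but re-enables only SYN checking.

```python
"""Audit which SRX permit policies still enforce TCP SYN/sequence checking.

Added example, not from the KB article. Input is 'show configuration | display set'
text; the effective rule replayed here is: a check is enforced when it is still
enabled globally, or when the policy carries the *-check-required option itself
or inherits it from an applied group that it does not except.
"""
from fnmatch import fnmatchcase

# Constructed sample (not from a real device): the article's configuration
# plus two extra policies, 'two' (inherits the group) and 'three' (excepted,
# but explicitly re-enables SYN checking only).
SAMPLE_CONFIG = """
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set groups require_syn_seq_checking security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups require_syn_seq_checking security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups require_syn_seq_checking
set security policies from-zone Zone1 to-zone Zone2 policy one apply-groups-except require_syn_seq_checking
set security policies from-zone Zone1 to-zone Zone2 policy one match source-address any
set security policies from-zone Zone1 to-zone Zone2 policy one match destination-address any
set security policies from-zone Zone1 to-zone Zone2 policy one match application any
set security policies from-zone Zone1 to-zone Zone2 policy one then permit
set security policies from-zone Zone1 to-zone Zone2 policy two match source-address any
set security policies from-zone Zone1 to-zone Zone2 policy two match destination-address any
set security policies from-zone Zone1 to-zone Zone2 policy two match application any
set security policies from-zone Zone1 to-zone Zone2 policy two then permit
set security policies from-zone Zone2 to-zone Zone1 policy three apply-groups-except require_syn_seq_checking
set security policies from-zone Zone2 to-zone Zone1 policy three match source-address any
set security policies from-zone Zone2 to-zone Zone1 policy three match destination-address any
set security policies from-zone Zone2 to-zone Zone1 policy three match application any
set security policies from-zone Zone2 to-zone Zone1 policy three then permit tcp-options syn-check-required
"""

CHECK_OPTIONS = {"syn-check-required": "syn", "sequence-check-required": "sequence"}
CHECKS = ("syn", "sequence")


def _match(pattern, value):
    """Junos group wildcard: '<glob>' matches by glob, anything else literally."""
    if pattern.startswith("<") and pattern.endswith(">"):
        return fnmatchcase(value, pattern[1:-1])
    return pattern == value


def parse_config(text):
    """Extract the facts the audit needs from display-set output."""
    globally_disabled = set()   # checks turned off by no-syn-check / no-sequence-check
    groups = {}                 # group name -> [((from, to, policy) patterns, check)]
    applied = []                # groups applied at [edit security policies]
    policies = {}               # (from, to, policy) -> explicit checks, excepted groups, permit?
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] != ["set"]:
            continue
        tokens = tokens[1:]
        if tokens[:3] == ["security", "flow", "tcp-session"]:
            if "no-syn-check" in tokens:
                globally_disabled.add("syn")
            if "no-sequence-check" in tokens:
                globally_disabled.add("sequence")
            continue
        group = None
        if tokens[:1] == ["groups"] and len(tokens) > 2:
            group, tokens = tokens[1], tokens[2:]
        if tokens[:2] != ["security", "policies"]:
            continue
        rest = tokens[2:]
        if group is None and rest[:1] == ["apply-groups"]:
            applied.extend(rest[1:])
            continue
        if len(rest) < 6 or rest[0] != "from-zone" or rest[2] != "to-zone" or rest[4] != "policy":
            continue
        key, tail = (rest[1], rest[3], rest[5]), rest[6:]
        option = CHECK_OPTIONS.get(tail[-1]) if "tcp-options" in tail else None
        if group is not None:           # a line inside 'groups NAME': record what it grants
            if option:
                groups.setdefault(group, []).append((key, option))
            continue
        entry = policies.setdefault(key, {"explicit": set(), "except": set(), "permit": False})
        if tail[:1] == ["apply-groups-except"]:
            entry["except"].update(tail[1:])
        elif tail[:2] == ["then", "permit"]:
            entry["permit"] = True      # tcp-options only matter for permitted sessions
            if option:
                entry["explicit"].add(option)
    return globally_disabled, groups, applied, policies


def effective_checks(text):
    """Return {'from/to/policy': {'syn': bool, 'sequence': bool}} for every permit policy."""
    globally_disabled, groups, applied, policies = parse_config(text)
    result = {}
    for key, entry in policies.items():
        if not entry["permit"]:
            continue
        required = set(entry["explicit"])
        for name in applied:
            if name in entry["except"]:
                continue                # apply-groups-except wins for this policy
            for pattern, check in groups.get(name, []):
                if all(_match(p, v) for p, v in zip(pattern, key)):
                    required.add(check)
        result["/".join(key)] = {c: c not in globally_disabled or c in required for c in CHECKS}
    return result


def unchecked_policies(text):
    """Sorted (policy, check) pairs where the SRX will not enforce the check:
    the intended asymmetric-path exceptions, plus any policy missed by mistake."""
    return sorted((policy, check)
                  for policy, checks in effective_checks(text).items()
                  for check, enforced in checks.items() if not enforced)


if __name__ == "__main__":
    for policy, check in unchecked_policies(SAMPLE_CONFIG):
        print(f"{policy}: {check} checking not enforced")
```

Run against a real `show configuration | display set` capture, the output should list exactly the policies you intended to exempt; anything else means a policy was left out of the group or the group was not applied. The wildcard matcher follows the group syntax on this page (`<*>`), with the angle-bracket content treated as a glob so that group patterns such as `<Zone*>` are also handled.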