[ SRX ] : How to selectively disable TCP SYN or Sequence checking

  [KB25094]


Summary:
This article explains how to keep TCP SYN and sequence checking enabled only for selected security policies in the configuration.
Symptoms:
The SRX is a stateful firewall: it allows traffic that matches an existing session. A session is created when a TCP SYN packet is received and permitted by the security policy. This means the firewall must see both directions of a flow (client to server and server to client); otherwise these checks will drop legitimate packets.

Whenever possible it is best to ensure that asymmetric flows cannot occur, but this is not always practical. You can therefore disable these checks globally on the SRX:


set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check


This is a security compromise, and because it is a global option it applies to all traffic flowing through the device. Recent Junos releases allow these checks to be enabled on a per-policy basis, like this:
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tcp-options {
                syn-check-required;
                sequence-check-required;
            }
        }
    }
}

To disable TCP SYN or sequence checking on one policy while enabling it on all other policies, an apply-group can be used.

This can be conceptualized as follows:
1. Globally disable SYN and sequence checking.
2. Use an apply-group to set "syn-check-required" and "sequence-check-required" on ALL security policies.
3. Use apply-groups-except to disable this apply-group on the few policies where SYN or sequence checking is not desired.


The following is the implementation on
groups {
    test {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
 
security {
    policies {
        apply-groups test;
    }
}
 
security {
    policies {
        from-zone 1 to-zone 2 {
            policy one {
                apply-groups-except test;
                ...
            }
        }
    }
}
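The same three steps in set-format commands, as an added example that is not part of the original article. The group name test, the zone names 1 and 2 and the policy name one are taken from the snippet above; everything else is assumed. The show commands at the end are the check to run after committing: display inheritance expands the group so you can see which policies actually received the tcp-options statements.

```junos
## Step 1: disable the checks globally (the security compromise described above)
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

## Step 2: define a group that re-enables both checks on every policy.
## <*> is a wildcard matching any from-zone, to-zone and policy name.
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups test

## Step 3: exclude the one policy that must carry asymmetric traffic
## (zone names 1 and 2 and policy name one are from the article's snippet)
set security policies from-zone 1 to-zone 2 policy one apply-groups-except test

## Validate the merged configuration before activating it, then commit
commit check
commit

## Verification: display inheritance expands the group, so policy one should show
## no tcp-options while every other policy matched by the group shows both statements.
show configuration security policies | display inheritance
show configuration security policies from-zone 1 to-zone 2 policy one | display inheritance
```

Because the group adds a permit block to every policy name it matches, run commit check before commit and, if Junos rejects the merged configuration for a policy whose action is not permit, add apply-groups-except test to that policy as well. The effective behaviour is then: checks off only where the exception is present, on everywhere else.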




