
[SRX]: How to selectively disable TCP SYN or Sequence checking


Article ID: KB25094 | KB Last Updated: 29 Jun 2012 | Version: 1.0
Summary:
This article describes how to keep TCP SYN and sequence checking enabled for selected security policies in the configuration while disabling it for others.
Symptoms:
The SRX is a stateful firewall and allows traffic that matches an existing session. Sessions are created when a TCP SYN packet is received and permitted by the security policy. This means that the firewall needs to see both directions of a flow (client-to-server and server-to-client); otherwise these checks will block legitimate packets.

Whenever possible it is best to ensure that asymmetric flows can't occur, but this is not always possible. Therefore you can disable these checks globally on the SRX:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

This is a security compromise, and because it is a global option it applies to all traffic flowing through the device. Recent Junos releases allow these checks to be enabled on a per-policy basis, like this:

policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tcp-options {
                syn-check-required;
                sequence-check-required;
            }
        }
    }
}

To disable TCP SYN or sequence checking on one policy while enabling it on all other policies, an apply-group can be used.

This can be conceptualized as follows:
1. Globally disable SYN and sequence checking
2. Use an apply-group to set "syn-check-required" and "sequence-check-required" on ALL security policies
3. Use apply-groups-except to exclude this apply-group from the few policies where SYN or sequence checking is not desired


The following is the implementation on
groups {
    test {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    syn-check-required;
                                    sequence-check-required;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

security {
    policies {
        apply-groups test;
    }
}

security {
    policies {
        from-zone 1 to-zone 2 {
            policy one {
                apply-groups-except test;
                ...
            }
        }
    }
}
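The same three steps in set-command form, as an added example that is not part of the original article: the global disable from step 1 (which the hierarchy listing above does not repeat), the group and its exception, and a show command to confirm which policies actually inherited the two tcp-options. The zone names "1" and "2" and the policy name "one" are the article's placeholders.

```junos
# Step 1: disable both checks globally (they are now off for every policy)
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# Step 2: group "test" re-enables both checks on every permit policy,
# in every zone pair, via <*> wildcards; then apply it under security policies
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups test security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set security policies apply-groups test

# Step 3: only the policy carrying the asymmetric flow opts out of the group,
# so it alone falls back to the global no-syn-check / no-sequence-check setting
set security policies from-zone 1 to-zone 2 policy one apply-groups-except test

# Verification (operational mode): expand the inherited statements so each
# policy shows whether syn-check-required / sequence-check-required applies to it
show configuration security policies | display inheritance
```

In the inheritance view every policy except "one" should list both tcp-options with a comment naming group "test" as their source; if a policy you expected to be protected shows neither option, check that it is not also listed under apply-groups-except.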