Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Can tcp-syn-check be disabled on a per-policy basis?

0

0

Article ID: KB29390 KB Last Updated: 08 Aug 2014Version: 1.0
Summary:

This article answers the question, "Can the 'tcp-syn-check' security feature be disabled on the firewall on a per-policy basis?"

Symptoms:

Provide information on disabling the "tcp-syn-check" security feature on a per-policy level on ScreenOS devices.

Cause:

Solution:

As per the design of ScreenOS firewalls, "tcp-syn-check" cannot be disabled on a per-policy or per-interface basis.

The "tcp-syn-check" feature can be disabled globally only, by issuing the command below:

unset flow tcp-syn-check

Note:

  • Care should be taken when using this command to disable "tcp-sync-check" and allow "tcp non-sync packets".
  • A baseline should be taken to determine if "tcp non-sync packets" are part of the normal traffic flow in the customer's network environment.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search