Knowledge Search


[ScreenOS] Can tcp-syn-check be disabled on a per-policy basis?

  [KB29390] Show Article Properties


This article answers the question, "Can the 'tcp-syn-check' security feature be disabled on the firewall on a per-policy basis?"


Provide information on disabling the "tcp-syn-check" security feature on a per-policy level on ScreenOS devices.



As per the design of ScreenOS firewalls, "tcp-syn-check" cannot be disabled on a per-policy or per-interface basis.

The "tcp-syn-check" feature can be disabled globally only, by issuing the command below:

unset flow tcp-syn-check


  • Care should be taken when using this command to disable "tcp-sync-check" and allow "tcp non-sync packets".
  • A baseline should be taken to determine if "tcp non-sync packets" are part of the normal traffic flow in the customer's network environment.
Related Links: