Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Can 'tcp-syn-check' be disabled on a per-policy basis?

0

0

Article ID: KB29390 KB Last Updated: 28 Aug 2020Version: 2.0
Summary:

This article provides information on disabling the 'tcp-syn-check' security feature on a per-policy level on ScreenOS devices.

Solution:

As per the design of ScreenOS firewalls, 'tcp-syn-check' cannot be disabled on a per-policy or per-interface basis.

The 'tcp-syn-check' feature can only be disabled globally by issuing the command below:

unset flow tcp-syn-check

Notes:

  • Care should be taken when using this command to disable 'tcp-sync-check' and allow 'tcp non-sync packets'.
  • A baseline should be taken to determine if 'tcp non-sync packets' are part of the normal traffic flow in the customer's network environment.
Modification History:
2020-08-27: Minor, non-technical edits.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search