How Does the Juniper Networks NetScreen Device Initially Check for Valid TCP Traffic?
ScreenOS checks for valid TCP traffic by inspecting the initial SYN packet of the TCP three-way handshake. Based on the SYN packet received, the ScreenOS firewall (screen) settings and the packet-flow settings applied during stateful inspection determine whether the initiated TCP traffic is an attack or valid TCP traffic.
For example, SYN flood protection in the firewall settings is one form of SYN check. It is used to prevent DoS attacks (SYN floods) against the customer networks that the firewall protects.
The default firewall settings for SYN-attack (SYN-flood) protection are as follows:
SYN Flood Protection (200): on
Alarm Threshold: 1024
Queue Size: 1024
Timeout Value: 20
Source Threshold: 512
Destination Threshold: 1024
Drop unknown MAC (xparent mode only): off
Basically, this is to prevent a high number of SYN packets (a DoS condition) from creating sessions through the firewall: once any of these thresholds is met, the offending SYN packets are dropped.
Another way to control session creation via SYN packet inspection is the following CLI command:
set flow tcp-syn-check
This command checks for the TCP SYN bit before creating a session through the firewall.
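To make the interaction between these settings concrete, the following Python model is added here as an example; it is not ScreenOS code or a Juniper tool. It assumes the thresholds are per-second SYN counts, keys sessions by the (source, destination) pair, and takes the TCP flags as a plain string, so it shows how tcp-syn-check and the source/destination thresholds decide whether a packet creates a session.

```python
from collections import Counter, defaultdict

# Constructed defaults mirroring the page's "get zone ... screen" output; all
# counts are SYN packets per second (a simplifying assumption for this model).
ALARM_THRESHOLD = 1024      # total SYNs/s before an alarm entry is logged
SOURCE_THRESHOLD = 512      # SYNs/s from one source address
DEST_THRESHOLD = 1024       # SYNs/s toward one destination

class SynCheckFirewall:
    """Toy model of SYN-based session creation (assumption, not ScreenOS code)."""
    def __init__(self, tcp_syn_check=True):
        self.tcp_syn_check = tcp_syn_check   # models "set flow tcp-syn-check"
        self.sessions = set()                # (src, dst) pairs already allowed
        self.alarms = 0
        self.new_second()

    def new_second(self):
        """Thresholds are per-second rates: clear the counters each second."""
        self.syn_total = 0
        self.syn_per_src = defaultdict(int)
        self.syn_per_dst = defaultdict(int)

    def inspect(self, src, dst, flags):
        """Return 'pass', 'session' or 'drop' for one packet; flags is e.g. "SYN"."""
        if (src, dst) in self.sessions:
            return "pass"                    # stateful match: no SYN check needed
        if "SYN" not in flags:
            # Non-SYN packet with no session: tcp-syn-check refuses to create one.
            if self.tcp_syn_check:
                return "drop"
            self.sessions.add((src, dst))
            return "session"
        self.syn_total += 1
        self.syn_per_src[src] += 1
        self.syn_per_dst[dst] += 1
        if self.syn_total == ALARM_THRESHOLD + 1:
            self.alarms += 1                 # one alarm per second once exceeded
        if (self.syn_per_src[src] > SOURCE_THRESHOLD
                or self.syn_per_dst[dst] > DEST_THRESHOLD):
            return "drop"                    # flood threshold met: no new session
        self.sessions.add((src, dst))
        return "session"

def verdicts(fw, packets):
    """Run (src, dst, flags) tuples through fw within one second; tally verdicts."""
    return Counter(fw.inspect(*pkt) for pkt in packets)

# Constructed sample: one source opening 600 connections to distinct host:port
# targets inside one second, i.e. past the default source threshold of 512.
FLOOD = [("203.0.113.7", f"192.0.2.{i % 250}:{i}", "SYN") for i in range(600)]
```

Running verdicts(SynCheckFirewall(), FLOOD) admits the first 512 SYNs and drops the remaining 88, while a bare ACK with no matching session is dropped only when tcp-syn-check is on.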