This article addresses how to check, set, and disable TCP-SYN-CHECK.
Problem or Goal:
In ScreenOS 5.x and 6.x, the command 'set flow tcp-syn-check' is configured by default for most devices. However, starting with ScreenOS 6.0, the command 'set flow tcp-syn-check' is disabled by default on the NS-5200 and NS-5400 devices, and a new command 'set flow tcp-syn-bit-check' is enabled by default.
Refer to the Release Notes for these changes in behavior:
It should also be noted that when ScreenOS is upgraded on a firewall, the existing tcp-syn-check setting in the configuration is retained; the new release default does not override it. Therefore, it is best to check what your firewall is actually set to, as follows:
To check what the 'tcp-syn-check' feature is set to, run the following from the Command Line Interface (CLI):

ssg-> get config | inc syn-check
set flow tcp-syn-check
ssg->

(In the line following the command, check whether the entry reads 'set flow tcp-syn-check' or 'unset flow tcp-syn-check'.)

ssg-> get flow

Then look for one of the following lines in the output (YES means the check is enabled, NO means it is disabled):

ScreenOS 6.x: Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
ScreenOS 5.x: Check TCP SYN bit before create session : YES
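When the check above has to be repeated across many devices, or against console logs and configuration backups taken before and after an upgrade, it helps to parse the captured output rather than eyeball it. The following is an added example (it is not part of this article and not a Juniper tool): it reads text saved from 'get config | inc syn-check' and 'get flow' and reports whether tcp-syn-check is set, unset, or not present at all (in which case the platform default applies). The sample output strings are constructed from the lines quoted above; wording of the 'get flow' status line on releases other than 5.x and 6.x is an assumption.

```python
"""Audit captured ScreenOS CLI output for the tcp-syn-check state.

Added example, not part of the KB article and not a Juniper tool. It works on
text saved from the CLI ('get config | inc syn-check' and 'get flow'), so it
can be run offline over console logs or configuration backups.
"""
import re
from typing import Dict, List, Optional

# Matches the two forms that appear in 'get config' output.
_SYN_LINE = re.compile(
    r"^\s*(set|unset)\s+flow\s+(tcp-syn-check|tcp-syn-bit-check)\s*$")

# Prefix shared by the ScreenOS 5.x and 6.x 'get flow' status line
# (assumption: other releases use the same prefix).
_FLOW_PREFIX = "Check TCP SYN bit before create session"


def parse_syn_check_config(config_text: str) -> Dict[str, Optional[bool]]:
    """Map each syn-check keyword to True (set), False (unset) or None (absent).

    None means the keyword never appears in the config, so the platform/release
    default applies; the article notes that default differs per device.
    """
    state: Dict[str, Optional[bool]] = {"tcp-syn-check": None,
                                        "tcp-syn-bit-check": None}
    for line in config_text.splitlines():
        m = _SYN_LINE.match(line)
        if m:
            state[m.group(2)] = m.group(1) == "set"
    return state


def parse_syn_check_flow(flow_text: str) -> Optional[bool]:
    """Read the live status from 'get flow' output: True for YES, False for NO.

    Accepts both the 5.x wording and the longer 6.x wording, because both start
    with the same prefix. Returns None if no such line is present.
    """
    for line in flow_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(_FLOW_PREFIX):
            value = stripped.rsplit(":", 1)[-1].strip().upper()
            return value == "YES"
    return None


def audit_syn_check(config_text: str, flow_text: str) -> List[str]:
    """Return the findings a reviewer wants after an upgrade or config import."""
    cfg = parse_syn_check_config(config_text)
    live = parse_syn_check_flow(flow_text)
    findings: List[str] = []
    if cfg["tcp-syn-check"] is False:
        findings.append("config contains 'unset flow tcp-syn-check': "
                        "TCP non-SYN packets can create sessions")
    if live is False:
        findings.append("'get flow' reports the SYN-bit check as NO")
    if cfg["tcp-syn-check"] is None and live is None:
        findings.append("state not determinable from the captured output; "
                        "the platform default applies")
    return findings


# Constructed samples built from the article's quoted lines, not captured
# from a real device.
CONFIG_ENABLED = "set flow tcp-syn-check\n"
CONFIG_DISABLED = "unset flow tcp-syn-check\n"
FLOW_6X_YES = ("Check TCP SYN bit before create session & refresh session "
               "only after tcp 3 way handshake : YES\n")
FLOW_5X_NO = "Check TCP SYN bit before create session : NO\n"

if __name__ == "__main__":
    for label, cfg, flow in [("healthy", CONFIG_ENABLED, FLOW_6X_YES),
                             ("weakened", CONFIG_DISABLED, FLOW_5X_NO)]:
        print(label, audit_syn_check(cfg, flow) or ["ok: tcp-syn-check enabled"])
```

Run it against saved CLI text from each firewall; an empty findings list means the configuration says 'set' (or is silent) and the running state reports YES. An absent keyword is deliberately reported rather than assumed enabled, because, as noted above, the default is not the same on every platform and release.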
To enable the set flow tcp-syn-check feature, run the command:
set flow tcp-syn-check
With 'set flow tcp-syn-check' enabled, the firewall checks the TCP SYN bit before creating a session. If a TCP packet that matches no existing session is not a SYN packet, the firewall drops it and, if the 'tcp-rst' setting is configured on the zone, also returns a TCP RST to the originating host. No session is created for TCP non-SYN packets.
To disable the set flow tcp-syn-check feature, enter the command:
unset flow tcp-syn-check
If 'set flow tcp-syn-check' is disabled, TCP non-SYN packets can use up entries in the session table. Over time, if an unusually high number of these packets is generated, overall throughput through the firewall can suffer, and the device may reach its maximum session limit more frequently.
Care should be taken before disabling tcp-syn-check to allow TCP non-SYN packets. Establish a baseline first to determine whether such packets are part of the normal traffic flow in the customer's network environment.
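The two paragraphs above (drop plus optional RST when the check is on; session-table consumption when it is off) can be seen side by side in a small stateful model. This is an added illustration, not ScreenOS code: it implements only the rule the article describes, namely that a TCP packet matching no session is dropped unless its SYN bit is set when syn-check is on, with a RST sent back if the zone has tcp-rst, and that any TCP packet may create a session when syn-check is off. The packets, addresses and the 64-entry table size are constructed for the demonstration and are not real sizing.

```python
"""Why tcp-syn-check protects the session table: a small stateful model.

Added illustration, not ScreenOS code. Only the behaviour the KB article
describes is modelled; the session limit and all packets are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R"


@dataclass
class Firewall:
    syn_check: bool             # 'set flow tcp-syn-check' on or off
    zone_tcp_rst: bool = False  # 'tcp-rst' configured on the ingress zone
    max_sessions: int = 64      # made-up table size for the demonstration
    sessions: Set[Key] = field(default_factory=set)
    dropped: int = 0
    rst_sent: int = 0
    limit_hits: int = 0

    def process(self, pkt: Packet) -> str:
        key: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an existing session (either direction) are forwarded.
        if key in self.sessions or reverse in self.sessions:
            return "session"
        # First packet of a flow: with syn-check on it must carry the SYN bit.
        if self.syn_check and "S" not in pkt.flags:
            self.dropped += 1
            if self.zone_tcp_rst:
                self.rst_sent += 1
                return "drop+rst"
            return "drop"
        # Otherwise a session is created, subject to the table limit.
        if len(self.sessions) >= self.max_sessions:
            self.limit_hits += 1
            self.dropped += 1
            return "drop:table-full"
        self.sessions.add(key)
        return "new-session"


def handshake(fw: Firewall) -> List[str]:
    """A normal client->server three-way handshake through the firewall."""
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 443)
    return [fw.process(Packet(*c, *s, "S")),
            fw.process(Packet(*s, *c, "SA")),
            fw.process(Packet(*c, *s, "A"))]


def stray_ack_flood(fw: Firewall, count: int) -> Firewall:
    """Constructed flood: `count` ACK-only packets from distinct source ports,
    none belonging to any session (the article's 'tcp non-syn packets')."""
    for i in range(count):
        fw.process(Packet("198.51.100.7", 1024 + i, "192.0.2.10", 443, "A"))
    return fw


def compare(count: int = 100) -> Dict[str, Dict[str, int]]:
    """Session-table outcome of the same flood with syn-check on and off."""
    on = stray_ack_flood(Firewall(syn_check=True, zone_tcp_rst=True), count)
    off = stray_ack_flood(Firewall(syn_check=False), count)
    return {
        "syn_check_on": {"sessions": len(on.sessions), "dropped": on.dropped,
                         "rst_sent": on.rst_sent, "limit_hits": on.limit_hits},
        "syn_check_off": {"sessions": len(off.sessions), "dropped": off.dropped,
                          "rst_sent": off.rst_sent, "limit_hits": off.limit_hits},
    }


if __name__ == "__main__":
    print(handshake(Firewall(syn_check=True)))
    print(compare())
```

With syn-check on, a hundred stray ACKs leave the table empty and, because the zone has tcp-rst, each one is answered with a RST; with syn-check off, the same packets fill the 64-entry table and the remaining ones are dropped because the table is full, which is the point at which legitimate new sessions start failing too. A real handshake passes either way, which is why the baseline measurement above matters: only traffic that is genuinely non-SYN at session start is affected by the setting.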
NOTE: For more information on these commands, refer to the ScreenOS CLI Reference Guide:
Click the CLI Reference Guide: Command Descriptions
Search on the text 'tcp-syn-check' and 'tcp-syn-bit-check'. The Guide describes the commands and shows a table of behavior when the commands are set.
tcp-syn-check (description for ScreenOS 6.0 and above)
Checks the TCP SYN bit before creating a session, and refreshes the session after the TCP three-way handshake. If the SYN bit is not set, the security device drops the packet. The tcp-syn-check feature is a superset of tcp-syn-bit-check; therefore enabling tcp-syn-check enables tcp-syn-bit-check as well. If you want to enable just tcp-syn-bit-check, you must disable tcp-syn-check.