
What is the default setting for 'set flow tcp-syn-check' and how do you check


Article ID: KB4444 | KB Last Updated: 07 Dec 2011 | Version: 7.0
Summary:
This article addresses how to check, set, and disable 'tcp-syn-check'.
Symptoms:

Solution:

In ScreenOS 5.x and 6.x, the command 'set flow tcp-syn-check' is configured by default for most devices. 
However, starting with ScreenOS 6.0, the command 'set flow tcp-syn-check' is disabled by default on the NS-5200 and NS-5400 devices, and a new command 'set flow tcp-syn-bit-check' is enabled by default.

Refer to the Release Notes for these changes in behavior:

  1. Go to the ScreenOS Documentation link
  2. Click your Release version
  3. Click the Release Notes
  4. Search for the text:  syn-check
Note also that when ScreenOS on a firewall is upgraded, the existing tcp-syn-check setting in the configuration is retained; a device that was explicitly set or unset before the upgrade keeps that setting rather than taking the new default. It is therefore best to check what your firewall is actually set to, as follows:

To check what the 'tcp-syn-check' feature is set to, run the following from the Command Line Interface (CLI):

ssg-> get config | inc syn-check   (the following output line shows whether the feature is 'set' or 'unset')
set flow tcp-syn-check
ssg->


OR

ssg-> get flow  (and look for one of the following lines)
ScreenOS 6.x:  Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
ScreenOS 5.x:  Check TCP SYN bit before create session : YES
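The check above can be scripted against saved CLI output. The following is an added example written for this article; it is not Juniper code and does not run on the firewall. It parses the lines that 'get config | inc syn-check' and 'get flow' return (the sample text below is constructed from the transcript above), reports whether each feature is set, unset, or absent from the configuration, applies the superset rule quoted later on this page from the CLI Reference Guide (tcp-syn-check enabled implies tcp-syn-bit-check enabled), and flags a disagreement between the saved configuration and the live flow setting. The function names are the example's own.

```python
import re

# Constructed sample output, modelled on the CLI transcript in this article.
# It was not captured from a real device.
SAMPLE_GET_CONFIG = """\
set flow tcp-syn-check
set flow tcp-syn-bit-check
"""

SAMPLE_GET_FLOW_6X = """\
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
"""

# 'set flow tcp-syn-check' / 'unset flow tcp-syn-bit-check' and friends.
CONFIG_LINE = re.compile(
    r"^\s*(?P<verb>set|unset)\s+flow\s+(?P<feature>tcp-syn-check|tcp-syn-bit-check)\s*$",
    re.MULTILINE,
)
# Matches both the 5.x and the longer 6.x wording of the 'get flow' line.
GET_FLOW_LINE = re.compile(
    r"^\s*Check TCP SYN bit before create session.*:\s*(?P<state>YES|NO)\s*$",
    re.MULTILINE,
)


def parse_syn_check_config(config_text):
    """Return {'tcp-syn-check': ..., 'tcp-syn-bit-check': ...} from 'get config'
    output: True for 'set', False for 'unset', None when the line is absent
    (the platform default applies).  If a feature appears twice, the last line wins."""
    state = {"tcp-syn-check": None, "tcp-syn-bit-check": None}
    for m in CONFIG_LINE.finditer(config_text):
        state[m.group("feature")] = m.group("verb") == "set"
    return state


def effective_state(parsed):
    """Apply the superset rule from the CLI Reference Guide: when tcp-syn-check
    is enabled, tcp-syn-bit-check is enabled as well."""
    result = dict(parsed)
    if parsed["tcp-syn-check"]:
        result["tcp-syn-bit-check"] = True
    return result


def parse_get_flow(flow_text):
    """Return True/False from the 'Check TCP SYN bit ... : YES/NO' line of
    'get flow', or None if that line is not present in the output."""
    m = GET_FLOW_LINE.search(flow_text)
    if m is None:
        return None
    return m.group("state") == "YES"


def audit(config_text, flow_text):
    """Combine both views.  'consistent' is False when the saved configuration
    says one thing and the live flow setting says another, which is worth a
    closer look after an upgrade.  An absent config line cannot contradict
    anything, so it counts as consistent."""
    cfg = effective_state(parse_syn_check_config(config_text))
    live = parse_get_flow(flow_text)
    return {
        "config": cfg,
        "get_flow": live,
        "consistent": cfg["tcp-syn-check"] is None or cfg["tcp-syn-check"] == live,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_GET_CONFIG, SAMPLE_GET_FLOW_6X))
```

Paste the real 'get config | inc syn-check' and 'get flow' output in place of the constructed samples; on an NS-5200 or NS-5400 running 6.0 or later, expect the config line to be absent and 'tcp-syn-bit-check' to be the feature that is set.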


To enable the set flow tcp-syn-check feature, run the command:

set flow tcp-syn-check

With the command 'set flow tcp-syn-check' enabled, the firewall checks the TCP SYN bit before creating a session. If a TCP packet that would create a new session does not have the SYN bit set, the firewall drops it. It will also return a TCP RST to the originating host if the 'tcp-rst' setting is configured on the zone. Sessions are never created for TCP non-SYN packets.



To disable the set flow tcp-syn-check feature, enter the command:

unset flow tcp-syn-check

If the command 'set flow tcp-syn-check' is disabled, TCP non-SYN packets can use up more entries in the session table. In the long run, if an unusually high number of these TCP non-SYN packets is being generated, overall throughput through the firewall can be affected. Another issue is that the firewall may reach its maximum session limit more frequently.

NOTE:  Care should be taken when disabling tcp-syn-check to allow TCP non-SYN packets. Perform a baseline first to determine whether TCP non-SYN packets are part of the normal traffic flow in the customer's network environment.
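To make the difference between the two settings concrete, here is an added example that models the session-creation decision the paragraphs above describe, including a session table with a fixed limit. It is not ScreenOS code and is not part of the original article. The packet stream is constructed: one complete three-way handshake and five mid-stream ACKs with no preceding SYN, which is what an ACK scan or a path with asymmetric routing looks like to the firewall. Class and function names are the example's own, and the refresh rule is the 6.x behaviour from the 'get flow' line above in simplified form.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Session:
    established: bool = False  # True once the 3-way handshake has completed
    refreshes: int = 0         # packets that refreshed the idle timer


class FlowEngine:
    """Toy model of TCP session creation, assumed here to illustrate the
    article's description.  It is not ScreenOS code."""

    def __init__(self, tcp_syn_check, zone_tcp_rst=False, max_sessions=8):
        self.tcp_syn_check = tcp_syn_check  # 'set' / 'unset flow tcp-syn-check'
        self.zone_tcp_rst = zone_tcp_rst    # 'tcp-rst' configured on the zone
        self.max_sessions = max_sessions
        self.sessions = {}
        self.dropped = 0
        self.rst_sent = 0

    @staticmethod
    def _key(pkt):
        # Order the endpoints so both directions of a flow map to one session.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, pkt):
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            if self.tcp_syn_check and "SYN" not in pkt.flags:
                # Non-SYN packet with no session: drop it, and answer with a
                # RST only when the zone has tcp-rst configured.
                self.dropped += 1
                if self.zone_tcp_rst:
                    self.rst_sent += 1
                return "drop"
            if len(self.sessions) >= self.max_sessions:
                self.dropped += 1  # session table exhausted
                return "drop-table-full"
            self.sessions[key] = Session()
            return "create"
        if "ACK" in pkt.flags and "SYN" not in pkt.flags:
            sess.established = True  # bare ACK after SYN / SYN-ACK completes the handshake
        # 6.x semantics: with the check on, only an established session is refreshed.
        if sess.established or not self.tcp_syn_check:
            sess.refreshes += 1
        return "match"

    def summary(self):
        return {
            "sessions": len(self.sessions),
            "established": sum(s.established for s in self.sessions.values()),
            "dropped": self.dropped,
            "rst_sent": self.rst_sent,
        }


def constructed_traffic():
    """Constructed packet stream: one legitimate handshake, then five
    mid-stream ACKs that never had a SYN (constructed addresses from the
    documentation ranges)."""
    client, server = "10.0.0.5", "192.0.2.10"
    handshake = [
        Packet(client, 40001, server, 443, frozenset({"SYN"})),
        Packet(server, 443, client, 40001, frozenset({"SYN", "ACK"})),
        Packet(client, 40001, server, 443, frozenset({"ACK"})),
    ]
    stray = [
        Packet(f"198.51.100.{i}", 50000 + i, server, 443, frozenset({"ACK"}))
        for i in range(1, 6)
    ]
    return handshake + stray


def run_scenario(tcp_syn_check, zone_tcp_rst=True, max_sessions=8):
    """Run the constructed stream through the model and return the counters."""
    fw = FlowEngine(tcp_syn_check, zone_tcp_rst, max_sessions)
    for pkt in constructed_traffic():
        fw.process(pkt)
    return fw.summary()


if __name__ == "__main__":
    print("tcp-syn-check set:   ", run_scenario(True))
    print("tcp-syn-check unset: ", run_scenario(False))
    print("unset, 4-entry table:", run_scenario(False, max_sessions=4))
```

With the check set, the five stray ACKs are dropped (and answered with RSTs because the zone has tcp-rst) and the table holds the one real session. With the check unset, each stray ACK occupies a table entry of its own; shrink the table to four entries and the last two packets are dropped for lack of space, which is the exhaustion effect the paragraph above warns about. The baseline the note asks for is the count of such stray packets in normal traffic, since each one will be either a dropped packet or a consumed session depending on the setting.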




NOTE:  For more information on these commands, refer to the ScreenOS CLI Reference Guide:
  1. Go to the ScreenOS Documentation link
  2. Click your Release version
  3. Click the CLI Reference Guide: Command Descriptions
  4. Search on the text 'tcp-syn-check' and 'tcp-syn-bit-check'.  The Guide describes the commands and shows a table of behavior when the commands are set.

The Guide's description of tcp-syn-check (ScreenOS 6.0 and above) reads:

    Checks the TCP SYN bit before creating a session, and refreshes the session after the TCP three-way handshake. If the SYN bit is not set, the security device drops the packet. The tcp-syn-check feature is a superset of tcp-syn-bit-check; therefore enabling tcp-syn-check enables tcp-syn-bit-check as well. If you want to enable just tcp-syn-bit-check, you must disable tcp-syn-check.
