Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What happens when I get a TCP packet without flag?



Article ID: KB4738 KB Last Updated: 03 Sep 2020Version: 4.0

A normal TCP segment header has at least one flag control set. A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device an provide a clue as to the type of OS it is running.


Note: This article applies to ScreenOS 4.0 and higher.

The TCP Packet without Flag is a new firewall setting enhancement that looks for any TCP packets without a proper flag set (SYN, ACK or RST) or a malformed flag set. Basically, any TCP connection that is open or is closed should have a SYN or RST flag set respectively. Any other valid TCP packet should have an ACK flag set. This firewall protection (when enabled) will identify TCP packets without a proper TCP flag set and drop them. If disabled, TCP packets without any of these flags set will be processed through the firewall and end up as illegal packets in the flow counter.

When you enable the security device to detect TCP segment headers with no flags set, the device drops all TCP packets with a missing or malformed flags field.

To block packets with no flags set, do either of the following, where the specified security zone is the one from which the packets originate:


Screening > Screen (Zone: select a zone name): Select TCP Packet without Flag Protection, then click Apply.


set zone <zone-name> screen tcp-no-flag
Modification History:
2020-09-03: Removed EOL devices and updated the Summary and Solution.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search