>From my understanding this will only impact your stateful packet filtering 
>options.  If you disable syn checking, the firewall portion will no longer 
>check if there was an associated syn packet before creating a session in its 
>state table.

Here's the description from Screenos which for all intents and purposes is the 
same application in Junos:

tcp-syn-check  (description for ScreenOS 6.0 and above)
Checks the TCP SYN bit before creating a session, and refreshes the session 
after the TCP three-way handshake. If the SYN bit is not set, the security 
device drops the packet.

If I recall correctly it could allow someone malicious to send packets to or 
through the security device without properly establishing a session via the 
3-way handshake.

I think I ran into this a while back because I had some asymmetric routing, 
which was causing packets to be sent back to my security device that did not 
have an established session.  Alternatively, you could increase the session 
durations on a certain policy and see if that fixes the issue without disabling 
the syn checking altogether.

Hope that helps,

Sven

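As an added illustration (not code from this thread, Junos or ScreenOS), a small Python model of the session-table behaviour Sven describes: with the SYN check on, return packets that arrive over an asymmetric path with no matching session are dropped, and a session that has idled past its timeout drops the next packet too, while a longer session duration keeps it alive. The addresses, ports and timestamps in the traces are constructed.

```python
"""Toy stateful-firewall session table, added to illustrate this thread. Not
Junos or ScreenOS code; it only mirrors the quoted tcp-syn-check rule: a packet
matching no session creates one only if it carries SYN, or if the check is off."""
SYN, ACK = "SYN", "ACK"


def pkt(t, src, sport, dst, dport, *flags):
    """Build one packet record for the constructed traces below."""
    return {"t": t, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags)}


class TinyFlowTable:
    def __init__(self, syn_check=True, timeout=30):
        self.syn_check = syn_check  # False models "tcp-session no-syn-check"
        self.timeout = timeout      # idle lifetime in seconds (session duration)
        self.sessions = {}          # direction-agnostic flow key -> last seen

    @staticmethod
    def key(p):
        # Sort the two endpoints so a reply matches the session its request made.
        return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

    def process(self, p):
        """Return 'forward' or 'drop' for one packet and update the table."""
        k, now = self.key(p), p["t"]
        last = self.sessions.get(k)
        if last is not None and now - last > self.timeout:
            del self.sessions[k]    # idle session aged out of the table
        if k not in self.sessions and self.syn_check and SYN not in p["flags"]:
            return "drop"           # non-SYN first packet: no new session
        self.sessions[k] = now      # create or refresh the session
        return "forward"


def run(trace, **kwargs):
    """Feed a packet list through a fresh table; return per-packet verdicts."""
    fw = TinyFlowTable(**kwargs)
    return [fw.process(p) for p in trace]


# Constructed trace 1: SYN and SYN/ACK took another path; this box only sees the server's replies.
ASYMMETRIC = [pkt(0, "203.0.113.10", 80, "192.0.2.5", 40000, ACK),
              pkt(1, "203.0.113.10", 80, "192.0.2.5", 40000, ACK)]

# Constructed trace 2: a normal handshake, then more data after a long idle gap.
IDLE_GAP = [pkt(0, "192.0.2.5", 40001, "203.0.113.10", 80, SYN),
            pkt(1, "203.0.113.10", 80, "192.0.2.5", 40001, SYN, ACK),
            pkt(2, "192.0.2.5", 40001, "203.0.113.10", 80, ACK),
            pkt(90, "192.0.2.5", 40001, "203.0.113.10", 80, ACK)]
```

`run(ASYMMETRIC)` drops both packets while `run(ASYMMETRIC, syn_check=False)` forwards them; `run(IDLE_GAP)` drops the packet after the idle gap, and `run(IDLE_GAP, timeout=120)` forwards it without touching the SYN check.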
-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net 
[mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, August 10, 2010 10:46 PM
To: 'William Jackson'; 'Scott T. Cameron'; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Default SRX Behaviour

I just wanted to respond back on-list about this. Thank you to everyone who 
made suggestions on this issue.

The "set security flow tcp-session no-syn-check" resolved our issue as 
suggested below.

My last question is to understand the "risk" associated with disabling the 
syn-check.  Does this affect any screen options, intrusion or firewall filters?

Thanks,

Paul


-----Original Message-----
From: William Jackson [mailto:wjack...@sapphire.gi]
Sent: Friday, August 06, 2010 12:20 AM
To: Paul Stewart; Scott T. Cameron; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Default SRX Behaviour

I am suffering exactly the same symptoms for nearly exactly the same reasons. I 
have a JTAC case open and they have told me to implement:

        set security flow tcp-session no-syn-check

But it doesn't seem to have made a difference :-(

We are running srx240s in a cluster with 10.0R3.10 code.

Best Regards
William Jackson


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp
