Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Stefan Fouant
On 9/20/2011 7:25 AM, Phil Mayers wrote: On 20/09/11 11:07, Stephan Tesch wrote: On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote: 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... Are you sure? I don't think that's what he wants;

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Phil Mayers
On 20/09/11 11:07, Stephan Tesch wrote: On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote: 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... Are you sure? I don't think that's what he wants; as suggested by the name, this relaxes th

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Phil Mayers
On 20/09/11 11:27, Josh Farrelly wrote: Hi there. Removing this option seems to have solved our issue. In which case I'm happy to be wrong! Glad you solved it.

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Josh Farrelly
On 09/20/2011 04:06 AM, Stefan Fouant wrote: > 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... Are you sure? I don't think that's what he wants; as suggested by

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Stephan Tesch
On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote: 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... Are you sure? I don't think that's what he wants; as suggested by the name, this relaxes the requirement for the 1st packet to be a

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-20 Thread Phil Mayers
On 09/20/2011 04:06 AM, Stefan Fouant wrote: 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... Are you sure? I don't think that's what he wants; as suggested by the name, this relaxes the requirement for the 1st packet to be a syn/syn+

Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-19 Thread Stefan Fouant
'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing... You can issue a 'get flow' after the configuration change to verify the behavior. Stefan Fouant JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI Technical Trainer, Juniper Networks Follow us on Twitter

[j-nsp] Netscreen Firewalls and TCP States/Bypass

2011-09-19 Thread Josh Farrelly
Hi all Does anyone know whether the Juniper Netscreen SSG20, running: Hardware Version: 710(0) Firmware Version: 6.1.0r2.0 (Firewall+VPN) Has any ability to bypass the checking of TCP states for certain interfaces/hosts? I have a situation where we have one configured in a topology