[j-nsp] Netscreen Firewalls and TCP States/Bypass

Josh Farrelly josh at base-2.co.nz
Mon Sep 19 22:03:56 EDT 2011


Hi all

Does anyone know whether the Juniper Netscreen SSG20, running:

Hardware Version: 710(0)
Firmware Version: 6.1.0r2.0 (Firewall+VPN)

has any ability to bypass the checking of TCP states for certain
interfaces/hosts?

I have a situation where we have one configured in a topology using
asymmetric routing. This will cause initial connections to go to the
SSG20 then be hairpinned and routed to a second gateway on the LAN.

Doing this will obviously leave the device confused about the TCP state
considering the second default gateway is going to deliver direct to the
host. The SSG20 will see lots of out-of-order packets and SYNs/ACKs
where it shouldn't.

On the Cisco ASA I can configure TCP state bypass, which essentially
lets the device treat TCP in a similar way to how it treats UDP. Does
anyone know of any similar feature on the Juniper SSG20 that can allow it
to work in this situation?

I know this isn't the best situation nor the best thing to be doing, but
it's only a stop-gap measure during our migration to new infrastructure.

Regards,

Josh Farrelly.
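The failure mode described in the post, as an added illustration that is not part of the original message and is not ScreenOS or ASA code: a toy stateful firewall whose session table only sees the client-side half of a hairpinned connection, compared with a "TCP state bypass" mode that handles TCP the way UDP is handled (any packet creates a session, no flag checks). The addresses, ports and packet traces are constructed; the class names and verdict strings are made up for the example.

```python
# Added illustration, not code from the post, ScreenOS or the ASA: a toy
# stateful firewall showing why a hairpinned, asymmetric path breaks TCP
# state tracking, and what a "TCP state bypass" mode (TCP treated like UDP)
# changes. All addresses, ports and the packet traces are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag string: "S", "SA", "A", "PA"


class Firewall:
    """Minimal session table keyed on the direction-independent 5-tuple."""

    def __init__(self, tcp_state_bypass: bool = False):
        self.bypass = tcp_state_bypass
        self.sessions: dict[tuple, str] = {}

    @staticmethod
    def key(p: Pkt) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)  # same key for both directions

    def handle(self, p: Pkt) -> str:
        k = self.key(p)
        if self.bypass:
            # UDP-like handling: any packet creates or refreshes a session and
            # no flag or sequence checks are applied, so the policy rules (not
            # modelled here) become the only control over this traffic.
            self.sessions[k] = "BYPASS"
            return "PASS"
        state = self.sessions.get(k)
        if state is None:
            if p.flags == "S":
                self.sessions[k] = "SYN_SENT"
                return "PASS"
            return "DROP"  # non-SYN packet with no session: out of state
        if state == "SYN_SENT":
            if p.flags == "SA":
                self.sessions[k] = "ESTABLISHED"
                return "PASS"
            return "DROP"  # ACK or data arriving before any SYN/ACK was seen
        return "PASS"  # ESTABLISHED


CLIENT, SERVER = "10.0.0.50", "198.51.100.9"  # constructed addresses

# Symmetric path: both directions cross the firewall.
SYMMETRIC_TRACE = [
    Pkt(CLIENT, 40000, SERVER, 443, "S"),
    Pkt(SERVER, 443, CLIENT, 40000, "SA"),
    Pkt(CLIENT, 40000, SERVER, 443, "A"),
    Pkt(CLIENT, 40000, SERVER, 443, "PA"),
]

# Asymmetric path from the post: the SYN is hairpinned through the firewall,
# but the server's SYN/ACK comes back via the second gateway straight to the
# host, so the firewall never sees it and the client's ACK looks out of state.
ASYMMETRIC_TRACE = [
    Pkt(CLIENT, 40000, SERVER, 443, "S"),
    Pkt(CLIENT, 40000, SERVER, 443, "A"),
    Pkt(CLIENT, 40000, SERVER, 443, "PA"),
]

# Stray packet with no prior SYN (e.g. an ACK scan): shows what bypass costs.
STRAY_TRACE = [Pkt("192.0.2.77", 5555, CLIENT, 22, "A")]


def run(trace: list[Pkt], tcp_state_bypass: bool = False) -> list[str]:
    """Return the per-packet verdict for a trace through a fresh firewall."""
    fw = Firewall(tcp_state_bypass)
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for name, trace in [("symmetric", SYMMETRIC_TRACE),
                        ("asymmetric", ASYMMETRIC_TRACE),
                        ("stray", STRAY_TRACE)]:
        print(f"{name:10s} strict={run(trace)}  bypass={run(trace, True)}")
```

In strict mode the asymmetric trace passes only the SYN and drops the client's ACK and data, which is the "SYNs/ACKs where it shouldn't" symptom; with bypass on, everything passes, including the stray ACK that strict mode would have rejected. That last case is the reason to scope any such bypass to the narrowest set of hosts or interfaces the migration needs. On the ASA, the knob the post refers to is `set connection advanced-options tcp-state-bypass` applied to a traffic class inside a policy-map.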