[j-nsp] Netscreen Firewalls and TCP States/Bypass
Stefan Fouant
sfouant at shortestpathfirst.net
Mon Sep 19 23:06:22 EDT 2011
'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing...
You can issue a 'get flow' after the configuration change to verify the behavior.
Stefan Fouant
JNCIE-M, JNCIE-ER, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate
Sent from my iPad
On Sep 19, 2011, at 10:03 PM, "Josh Farrelly" <josh at base-2.co.nz> wrote:
> Hi all
>
> Does anyone know whether the Juniper Netscreen SSG20, running:
>
> Hardware Version: 710(0)
> Firmware Version: 6.1.0r2.0 (Firewall+VPN)
>
> has any ability to bypass the checking of TCP states for certain
> interfaces/hosts?
>
> I have a situation where we have one configured in a topology using
> asymmetric routing. This will cause initial connections to go to the
> SSG20 then be hairpinned and routed to a second gateway on the LAN.
>
> Doing this will obviously leave the device confused about the TCP state
> considering the second default gateway is going to deliver direct to the
> host. The SSG20 will see lots of out-of-order packets and SYNs/ACKs
> where it shouldn't.
>
> On the Cisco ASA I can configure TCP state bypass, which essentially
> lets the device treat TCP in a similar way it does UDP. Does anyone know
> of any similar feature on the Juniper SSG20 that can allow it to work in
> this situation?
>
> I know this isn't the best situation nor the best thing to be doing, but
> it's only a stop-gap measure during our migration to new infrastructure.
>
> Regards,
>
> Josh Farrelly.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
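To make the trade-off in this thread concrete, here is an added toy model (my own illustration, not ScreenOS code or output) of a stateful firewall that, like the SSG20 in Josh's topology, sees only the client-to-server direction. The `tcp_syn_check` flag stands in for the global `set`/`unset flow tcp-syn-check` knob; all hosts, addresses and packets are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True when the TCP SYN flag is set


@dataclass
class TinyStatefulFirewall:
    """Minimal model of a stateful firewall's TCP session table.

    tcp_syn_check mirrors the global ScreenOS setting from the thread: when
    True, a packet matching no existing session is allowed (and a session
    created) only if it is a SYN; when False, any first packet creates a
    session, on every interface, which is the security cost of turning it off.
    """
    tcp_syn_check: bool = True
    sessions: set = field(default_factory=set)

    @staticmethod
    def key(p):
        # Direction-agnostic endpoints so a reply would match the same session.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        k = self.key(p)
        if k in self.sessions:
            return "forward"
        if self.tcp_syn_check and not p.syn:
            return "drop"  # mid-stream packet for a session we never saw start
        self.sessions.add(k)
        return "forward"


# Constructed traffic: the SYN/ACK returns via the second gateway and is never
# seen here, and one connection pre-dates the route change entirely.
CLIENT, SERVER, OTHER = "10.0.0.10", "192.0.2.80", "10.0.0.99"
TRAFFIC = [
    Packet(CLIENT, SERVER, 40000, 80, syn=True),    # new connection, SYN seen
    Packet(CLIENT, SERVER, 40000, 80, syn=False),   # client ACK/data, same session
    Packet(OTHER, SERVER, 50000, 443, syn=False),   # established before the
                                                    # hairpin; SYN never seen
]


def run(tcp_syn_check):
    fw = TinyStatefulFirewall(tcp_syn_check=tcp_syn_check)
    return [fw.process(p) for p in TRAFFIC]
```

With the check on, the third packet is dropped exactly as the asymmetric path would drop real mid-stream traffic; with it off, the same packet creates a session without any handshake having been observed, for every source, not just the hosts behind the second gateway.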