[j-nsp] Netscreen Firewalls and TCP States/Bypass

Stefan Fouant sfouant at shortestpathfirst.net
Tue Sep 20 08:27:45 EDT 2011


On 9/20/2011 7:25 AM, Phil Mayers wrote:
> On 20/09/11 11:07, Stephan Tesch wrote:
>> On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote:
>>
>>>> 'unset flow tcp-syn-check' is what you want but unfortunately it is a
>>>> global setting, so all or nothing...
>>>
>>> Are you sure? I don't think that's what he wants; as suggested by the
>>> name, this relaxes the requirement for the 1st packet to be a
>>> syn/syn+ack pair, but the firewall will still expect to see both sides
>>> of the flow IIRC; in a previous iteration of our network, we were
>>> prone to asymmetric routing causing our firewalls problems, and we've
>>> run with "unset flow tcp-syn-" from day one.
>>
>> We had this (unset flow tcp-syn-check) running on a large cluster the
>> other day and once we turned the flow feature on, some dual-homed hosts
>> stopped working due to incorrect routing tables. Up to that point our
>> cluster only saw one side of the connection, without any problems. That
>> has been ScreenOS 5.4 (back in the days). Don't know if this has changed
>> in the 6.x line, we haven't turned it off since :)
>
> Sounds like I'm wrong and Stefan (and Stephan) are right!

Don't feel bad... the behavior has changed somewhat over the years... 
it's hard to keep track of it all :)

Doubly so in this case as we all push the ScreenOS stuff out of our 
minds to make room for SRX.

Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate
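As an added illustration of the mechanism Phil describes above (with tcp-syn-check on, the first packet of a new session has to be a SYN), here is a toy Python model of a session table that only sees one direction of a TCP flow because of asymmetric routing. It is written for this page and is not ScreenOS code; the Packet fields, the "pass"/"drop" verdicts and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    # Minimal 4-tuple plus TCP flags; a hypothetical format, not a real capture.
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass
class FlowTable:
    """Simplified stateful session table with a syn-check toggle."""
    syn_check: bool = True
    sessions: dict = field(default_factory=dict)

    @staticmethod
    def key(p):
        # Direction-independent session key so replies map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p):
        """Return a verdict for one packet and record which directions were seen."""
        k = self.key(p)
        sess = self.sessions.get(k)
        if sess is None:
            # No session yet: with syn-check on, only a bare SYN may open one.
            if self.syn_check and p.flags != frozenset({"SYN"}):
                return "drop"
            self.sessions[k] = {"directions": {(p.src, p.sport)}}
            return "pass"
        sess["directions"].add((p.src, p.sport))
        return "pass"


def simulate(syn_check, packets):
    fw = FlowTable(syn_check=syn_check)
    return [fw.handle(p) for p in packets]


# Constructed sample: the client's outbound path bypasses the firewall, so the
# firewall only ever sees the server's side of the handshake (asymmetric routing).
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 443)
SERVER_ONLY = [Packet(*SERVER, *CLIENT, frozenset({"SYN", "ACK"})),
               Packet(*SERVER, *CLIENT, frozenset({"ACK"}))]
SYMMETRIC = [Packet(*CLIENT, *SERVER, frozenset({"SYN"})),
             Packet(*SERVER, *CLIENT, frozenset({"SYN", "ACK"})),
             Packet(*CLIENT, *SERVER, frozenset({"ACK"}))]
```

With syn-check on, SERVER_ONLY is dropped entirely because the first packet the firewall sees is a SYN+ACK; with it off the same packets create a session and pass, which is the one-sided behaviour the thread describes.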

