ScreenOS Firewalls (NOT SRX)
Accepted Solution

How to break stateful behavior of ISG2000?



How to break the stateful nature of ISG2000 for specific traffic?


Due to dynamic behavior in remote PoPs, inbound traffic does not always follow the same path. It is most likely that outbound and inbound packets will not appear at the same ISG2000 node.


So, I need to know the recommended way to accept such traffic, which does not comply with the stateful nature of the firewall.



Distinguished Expert

Re: How to break stateful behavior of ISG2000?

ScreenOS really does not like asymmetrical routing. You can turn off TCP SYN checking, which will allow most asymmetrical routing issues to work, provided there are policies that allow the traffic. The issue with doing this is that it disables SYN checking for the entire firewall and not just at the policy level. So you are turning off a security feature.


unset flow tcp-syn-check


Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
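The trade-off described in the answer above, as an added toy model that is not part of the thread and is not ScreenOS code: two firewall nodes each keep their own session table, and the constructed policy and host names are assumptions. With the SYN check on, the SYN-ACK that returns through the node that never saw the SYN is dropped; with it off, that node installs a session from the reply, and it will do the same for any other non-SYN segment a policy happens to permit.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True for the handshake SYN, False for any later segment


@dataclass
class Firewall:
    """One firewall node: a permit policy set plus a session table (toy model)."""
    syn_check: bool = True                      # on by default; 'unset flow tcp-syn-check' turns it off
    policy: set = field(default_factory=set)    # permitted (src, dst, dport) triples
    sessions: set = field(default_factory=set)  # direction-agnostic session keys

    @staticmethod
    def key(p: Packet) -> tuple:
        # same key for both directions of one TCP connection
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def permitted(self, p: Packet) -> bool:
        # a reply is allowed when the forward direction is permitted by policy
        return (p.src, p.dst, p.dport) in self.policy or (p.dst, p.src, p.sport) in self.policy

    def handle(self, p: Packet) -> str:
        if self.key(p) in self.sessions:
            return "pass (existing session)"
        if not self.permitted(p):
            return "drop (no policy)"
        if self.syn_check and not p.syn:
            return "drop (non-SYN first packet)"  # the check that breaks asymmetric flows
        self.sessions.add(self.key(p))
        return "pass (new session)"


POLICY = {("client", "server", 80)}   # constructed: outbound HTTP is permitted


def asymmetric_reply(syn_check: bool) -> str:
    """Constructed asymmetry: the SYN leaves via node A, the SYN-ACK returns via node B."""
    node_a = Firewall(syn_check, set(POLICY))
    node_b = Firewall(syn_check, set(POLICY))
    node_a.handle(Packet("client", "server", 40000, 80, syn=True))
    return node_b.handle(Packet("server", "client", 80, 40000, syn=False))


def stray_segment(syn_check: bool) -> str:
    """A non-SYN segment from a host that never completed a handshake through this node."""
    fw = Firewall(syn_check, {("anyhost", "server", 80)})
    return fw.handle(Packet("anyhost", "server", 50000, 80, syn=False))
```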
Distinguished Expert

Re: How to break stateful behavior of ISG2000?

Maybe just put a router in front of your firewall(s) to aggregate the traffic so it follows a single path into / out of your ISG?


I favor simple solutions to problems rather than something complicated, and defeating a big part of what makes a firewall a firewall seems to be unnecessary, when there is probably a simpler way to solve the problem.


If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: How to break stateful behavior of ISG2000?



Sometimes we may not have any choice but to compromise a security feature for a particular zone (probably we should not call it a 'security zone' then).


And I strongly believe that most of the time customers' demands and business cases drive the technology (the only question is who has better foresight, producer or customer?) :)


Anyway, to conclude this topic: there is no such feature in the existing ISG to compromise such a critical security feature on a per-zone basis.