ScreenOS Firewalls (NOT SRX)
Contributor
asmash
Posts: 62
Registered: 10-09-2009
How to break stateful behavior of ISG2000?

Hello,

How do I break the stateful nature of the ISG2000 for specific traffic?

Due to dynamic behavior in remote PoPs, inbound traffic does not always follow the same path. It is most likely that outbound and inbound packets might not appear at the same ISG2000 nodes.

So, I need to know the recommended way to accept such traffic, which does not comply with the stateful nature of the firewall.

//asmash

Distinguished Expert
spuluka
Posts: 2,763
Registered: 03-30-2009

Re: How to break stateful behavior of ISG2000?

ScreenOS really does not like asymmetrical routing. You can turn off TCP SYN checking, which will allow most asymmetrical routing issues to work, provided there are policies that allow the traffic. The issue with doing this is that it disables SYN checking for the entire firewall and not just at the policy level, so you are turning off a security feature.

unset flow tcp-syn-check


Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
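As an added illustration (not part of the thread and not ScreenOS code), the following Python model shows why the asymmetric path fails under SYN checking and what turning it off changes. The session-table logic is a simplified assumption for teaching purposes, not the ISG2000's real flow engine; names such as FirewallNode and asymmetric_handshake are invented here.

```python
"""
Toy model of a stateful firewall's TCP session table.  Two "nodes" stand in
for two ISG2000 units on different paths.  With syn_check=True a node only
creates a session for a packet carrying SYN (and not ACK); any other packet
that matches no existing session is dropped.  With syn_check=False the first
packet seen, whatever its flags, opens the session.  This is an assumption
made for illustration, not a description of the ScreenOS implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S", "SA", "A", "PA"


@dataclass
class FirewallNode:
    name: str
    syn_check: bool = True
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        # Sessions are bidirectional: normalise the endpoints so that
        # client->server and server->client packets hit the same entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.sessions:
            return "forward"
        # New flow: only a bare SYN may open a session while SYN checking is on.
        is_syn = "S" in p.flags and "A" not in p.flags
        if is_syn or not self.syn_check:
            self.sessions.add(key)
            if not is_syn:
                # This is exactly what "unset flow tcp-syn-check" permits.
                self.log.append(
                    f"{self.name}: session opened by non-SYN packet "
                    f"[{p.flags}] {p.src}:{p.sport} -> {p.dst}:{p.dport}"
                )
            return "forward"
        self.log.append(
            f"{self.name}: dropped out-of-state packet "
            f"[{p.flags}] {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        )
        return "drop"


def asymmetric_handshake(syn_check: bool):
    """Client SYN leaves via node A; the server's SYN-ACK returns via node B.

    Returns (per-packet verdicts, combined log).  Addresses are constructed
    sample values.
    """
    a = FirewallNode("ISG-A", syn_check)
    b = FirewallNode("ISG-B", syn_check)
    syn = Packet("10.0.0.5", 40001, "203.0.113.10", 443, "S")
    synack = Packet("203.0.113.10", 443, "10.0.0.5", 40001, "SA")
    ack = Packet("10.0.0.5", 40001, "203.0.113.10", 443, "A")
    verdicts = [a.process(syn), b.process(synack), a.process(ack)]
    return verdicts, a.log + b.log


def stray_ack(syn_check: bool) -> str:
    """An unsolicited ACK with no preceding handshake: the case SYN checking
    exists to stop, and the cost of disabling it firewall-wide."""
    node = FirewallNode("ISG-A", syn_check)
    return node.process(Packet("198.51.100.7", 5555, "10.0.0.5", 22, "A"))


if __name__ == "__main__":
    for enabled in (True, False):
        verdicts, log = asymmetric_handshake(enabled)
        print(f"syn_check={enabled}: handshake verdicts {verdicts}")
        for line in log:
            print("  ", line)
        print(f"syn_check={enabled}: stray ACK -> {stray_ack(enabled)}")
```

With SYN checking on, the returning SYN-ACK is dropped at the node that never saw the SYN, which is the symptom the original poster describes; with it off, the session is created by the SYN-ACK and the handshake completes, but the same relaxation also lets an unsolicited ACK open a session, which is the trade-off the reply warns about.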
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009
Re: How to break stateful behavior of ISG2000?

Maybe just put a router in front of your firewall(s) to aggregate the traffic so it follows a single path into / out of your ISG?
I favor simple solutions to problems rather than something complicated, and defeating a big part of what makes a firewall a firewall seems to be unnecessary, when there is probably a simpler way to solve the problem.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
asmash
Posts: 62
Registered: 10-09-2009

Re: How to break stateful behavior of ISG2000?

Hi,

Sometimes we may not have any choice but to compromise a security feature for a particular zone (probably we should not call it a 'security zone' then).

And I strongly believe that most of the time customers' demands and business cases drive the technology (the only question is who has better foresight, producer or customer?) :)

Anyway, to conclude this topic: there is no such feature in the existing ISG to compromise such a critical security feature on a zone basis.

BR,

asmash

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.