12-19-2011 07:53 PM
How to break the stateful nature of ISG2000 for specific traffic?
Due to dynamic behavior in remote PoPs, inbound traffic does not always follow the same path. It is quite likely that outbound and inbound packets will not appear at the same ISG2000 node.
So I need to know the recommended way to accept such traffic, which does not comply with the stateful nature of the firewall.
12-20-2011 03:44 AM
ScreenOS really does not like asymmetrical routing. You can turn off TCP SYN checking, which will allow most asymmetrical routing issues to work, provided there are policies that allow the traffic. The issue with doing this is that it disables SYN checking for the entire firewall and not just at the policy level, so you are turning off a security feature.
unset flow tcp-syn-check
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6
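The mechanism behind this answer, as an added example (not ScreenOS code and not from the original post): a toy Python model of two firewall nodes that do not share session state. Each node builds a session on the first packet it sees if policy permits; with SYN checking on, that first packet has to be a pure SYN, so a SYN-ACK returning through the other node is dropped. The addresses, ports and the single "allow port 443" policy are constructed for the illustration. The last function also shows the cost the answer warns about: once the check is off, a stray non-SYN packet that matches policy also creates a session.

```python
"""Toy model of a stateful firewall session table, showing why asymmetric
routing across two nodes breaks TCP SYN checking and what disabling the
check changes.  Illustrative only; this is not how ScreenOS is implemented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"})


def flow_key(pkt):
    """Direction-independent session key so replies match the originating session."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class FirewallNode:
    """One firewall node with its own (unshared) session table."""

    def __init__(self, name, syn_check=True):
        self.name = name
        self.syn_check = syn_check  # models 'set/unset flow tcp-syn-check'
        self.sessions = set()
        self.log = []  # (node, reason, verdict) for inspection

    def policy_allows(self, pkt):
        # Constructed policy: permit TCP to or from the web server on port 443.
        return 443 in (pkt.sport, pkt.dport)

    def forward(self, pkt):
        key = flow_key(pkt)
        if key in self.sessions:
            self.log.append((self.name, "session match", "pass"))
            return True
        if not self.policy_allows(pkt):
            self.log.append((self.name, "policy", "drop"))
            return False
        if self.syn_check and pkt.flags != frozenset({"SYN"}):
            # No session yet and this is not a SYN: with SYN checking on, the
            # node refuses to build a session from a mid-stream packet.
            self.log.append((self.name, "syn-check", "drop"))
            return False
        self.sessions.add(key)
        self.log.append((self.name, "new session", "pass"))
        return True


# Constructed endpoints (documentation ranges), not from the original thread.
CLIENT = ("198.51.100.7", 51234)
SERVER = ("203.0.113.10", 443)


def handshake(outbound, inbound):
    """Three-way handshake with client->server packets via `outbound` and
    server->client packets via `inbound`.  True if all three packets pass."""
    syn = Packet(*CLIENT, *SERVER, frozenset({"SYN"}))
    synack = Packet(*SERVER, *CLIENT, frozenset({"SYN", "ACK"}))
    ack = Packet(*CLIENT, *SERVER, frozenset({"ACK"}))
    return (outbound.forward(syn)
            and inbound.forward(synack)
            and outbound.forward(ack))


def symmetric(syn_check=True):
    """Both directions traverse the same node: the stateful model works."""
    a = FirewallNode("A", syn_check)
    return handshake(a, a)


def asymmetric(syn_check=True):
    """Reply path lands on a second node that has no session for the flow."""
    a = FirewallNode("A", syn_check)
    b = FirewallNode("B", syn_check)
    return handshake(a, b)


def stray_ack_accepted(syn_check=True):
    """Side effect of disabling the check: a lone ACK from an unrelated host
    that merely matches policy is enough to open a session."""
    node = FirewallNode("A", syn_check)
    stray = Packet("192.0.2.99", 40000, *SERVER, frozenset({"ACK"}))
    return node.forward(stray)


if __name__ == "__main__":
    print("symmetric, syn-check on :", symmetric(True))        # True
    print("asymmetric, syn-check on:", asymmetric(True))       # False
    print("asymmetric, syn-check off:", asymmetric(False))     # True
    print("stray ACK, syn-check off:", stray_ack_accepted(False))  # True
```

The model has no policy granularity for the check on purpose: `syn_check` is a property of the node, mirroring the answer's point that `unset flow tcp-syn-check` is box-wide rather than per policy or per zone.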
12-20-2011 01:27 PM
Maybe just put a router in front of your firewall(s) to aggregate the traffic so it follows a single path into / out of your ISG?
I favor simple solutions to problems rather than something complicated, and defeating a big part of what makes a firewall a firewall seems to be unnecessary, when there is probably a simpler way to solve the problem.
06-17-2012 01:20 AM
Sometimes we may not have any choice but to compromise a security feature for a particular zone (probably we should not call it a 'security zone' then).
And I strongly believe that most of the time customers' demands and business cases drive the technology (the only question is who has better foresight, producer or customer?).
Anyway, to conclude this topic: there is no such feature in the existing ISG to compromise this critical security feature on a per-zone basis.