Screen OS

  • 1.  how do you set this on Screen-OS

    Posted 06-24-2009 14:15

    How can I set the below on SCREEN-OS for ISG1000

    Maybe a good solution is to place outgoing interfaces in the same zone and then disable the syn-ack checking. You'll get the best of both then.

    under set security flow:

    tcp-session {
        no-sequence-check;
        no-syn-check;
        no-syn-check-in-tunnel;
        rst-invalidate-session;
        rst-sequence-check;
        tcp-initial-timeout seconds;
    }

    I think (didn't try!) when you disable syn-check you can route asymmetric. It's certainly worth a try. Works this way in ScreenOS. Of course: you're reducing security this way.


    best regards,

    Screenie.

    JNCIA IDP EX AC DX (expired (:-)
    JNCIS FW SSL ER ES
    JNCI



  • 2.  RE: how do you set this on Screen-OS
    Best Answer

    Posted 06-25-2009 09:16

    You can do it if you have asymmetric routing. Not sure what you are asking? Did you mean can this be configured in ScreenOS, or are you asking for the syntax?

    It would be:

    set flow tcp-syn-check

    e.g.:

    C(M)-> set flow tcp-syn
    tcp-syn-bit-check        check tcp syn bit before create session
    tcp-syn-check            check tcp syn bit before create session & refresh session only after tcp 3 way handshake
    tcp-syn-check-in-tunnel  check tcp syn bit before create session for tunneled packets

    Message Edited by WL on 06-25-2009 09:16 AM
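The flow-level behaviour both posts are talking about, as an added Python model written for this thread (it is not ScreenOS code and not something either poster supplied): with tcp-syn-check on, a packet that matches no session is only allowed to open one if it is a bare SYN, and the session's idle timer is only refreshed once the three-way handshake has been seen; with the check off (unset flow tcp-syn-check, following the usual ScreenOS set/unset convention), any permitted packet can open a session. The model assumes the policy lookup permits the traffic, reduces session matching to a direction-independent 5-tuple (a real ScreenOS lookup also involves the ingress zone and interface, which is why the first post suggests putting both outgoing interfaces in one zone), and uses constructed packet traces, not captures from a device. The host addresses, the `FlowTable`/`run_trace` names and the three traces are all assumptions made for the illustration.

```python
"""Model of a stateful firewall's TCP SYN check under asymmetric routing.

Added illustration for the ScreenOS thread above; not ScreenOS code.
Policy lookup is assumed to permit; only the flow/session layer is modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump-style flag letters: "S", "SA", "A", "PA"


@dataclass
class Session:
    state: str = "SYN_SENT"  # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    refreshed: int = 0       # packets that refreshed the idle timer


class FlowTable:
    """Minimal session table with a tcp-syn-check switch (hypothetical model)."""

    def __init__(self, syn_check: bool):
        self.syn_check = syn_check
        self.sessions: Dict[tuple, Session] = {}

    @staticmethod
    def key(p: Packet) -> tuple:
        # Direction-independent 5-tuple so both halves of a flow hit one session.
        # Real ScreenOS matching also considers zone/interface; simplified here.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (ends[0], ends[1])

    def process(self, p: Packet) -> Tuple[bool, str]:
        k = self.key(p)
        sess = self.sessions.get(k)
        if sess is None:
            if self.syn_check and p.flags != "S":
                # tcp-syn-check: only a bare SYN may create a session
                return False, "DROP: no session and not a SYN"
            if p.flags == "S":
                self.sessions[k] = Session()
                return True, "ALLOW: session created by SYN"
            # syn check off: a mid-stream packet opens a session, handshake unseen
            self.sessions[k] = Session(state="ESTABLISHED")
            return True, "ALLOW: session created from non-SYN packet"
        # Existing session: advance the handshake state machine.
        if sess.state == "SYN_SENT" and p.flags == "SA":
            sess.state = "SYN_RECEIVED"
        elif sess.state == "SYN_RECEIVED" and p.flags == "A":
            sess.state = "ESTABLISHED"
        # With syn check on, only an established session refreshes its timer.
        if sess.state == "ESTABLISHED" or not self.syn_check:
            sess.refreshed += 1
        return True, f"ALLOW: matched session ({sess.state})"


def run_trace(trace: List[Packet], syn_check: bool) -> List[bool]:
    """Return the allow/drop verdict for each packet of a trace."""
    fw = FlowTable(syn_check)
    return [fw.process(p)[0] for p in trace]


# Constructed sample traffic (assumed addresses, not real captures).
CLIENT, SERVER, SCANNER = "10.1.1.10", "203.0.113.5", "198.51.100.9"

# Symmetric path: the firewall sees the whole handshake.
SYMMETRIC = [
    Packet(CLIENT, 40000, SERVER, 443, "S"),
    Packet(SERVER, 443, CLIENT, 40000, "SA"),
    Packet(CLIENT, 40000, SERVER, 443, "A"),
    Packet(CLIENT, 40000, SERVER, 443, "PA"),
]
# Asymmetric path: client->server bypasses the firewall, so the first packet
# it ever sees for this flow is the server's SYN-ACK.
ASYMMETRIC = [
    Packet(SERVER, 443, CLIENT, 40000, "SA"),
    Packet(SERVER, 443, CLIENT, 40000, "PA"),
]
# Unsolicited ACK from outside (an ACK scan): what the check is there to stop.
ACK_PROBE = [Packet(SCANNER, 55555, CLIENT, 445, "A")]


if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC),
                        ("ack probe", ACK_PROBE)):
        for syn_check in (True, False):
            fw = FlowTable(syn_check)
            print(f"{name:10s} tcp-syn-check={'on ' if syn_check else 'off'}:",
                  [fw.process(p)[1] for p in trace])
```

Running the block prints the per-packet verdicts: the symmetric flow passes either way, the asymmetric flow is dropped entirely with the check on and passes with it off, and the ACK probe is only stopped with the check on, which is the security cost the first post warns about.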