SRX

Hi guys

As we all know the firewall needs to see both directions of a flow (client-server and server-client), otherwise these checks will block legitimate packets.

In my network  there is a real requirement that  one of the both directions of a flow （server-client）through the firewall.

I want to permit the traffic half-completed connection,how i go ahead ?

Thanks !

Hi ,

You can try disabling "syn-check" and "seq-check"

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

Thanks,

Suraj

Thanks 

I have tried them, but did not work.

I think that those good for the asymmetric flows,but not halt-completed connection

Hi Nicolash-q,

I dont think ,half opened connections can be kept on the SRX.it will drop it within few seconds.

But as a work around , you can use selective packet mode for that traffic using firewall filter:

Using this technique, you can use both packet mode for this stream  and flow mode for rest.

set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32

set firewall filter PACKET-MODE term 1 from destination-address y.y.y.y/32

set firewall filter PACKET-MODE term 1 then packet-mode

set firewall filter PACKET-MODE term 2 then accept

Now apply the filter PACKET-MODE in required interface in inbound or outbound direction.

So traffic coming from particular source address of X.X.X.X/32 will only be processed as packet mode by SRX, rest will be processed as flow mode.

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Yeah, It is the only solution.

Thank you!