As we all know, the firewall needs to see both directions of a flow (client-server and server-client), otherwise these checks will block legitimate packets.
In my network there is a real requirement that only one of the two directions of a flow (server-client) passes through the firewall.
I want to permit the traffic of this half-completed connection. How do I go ahead?
You can try disabling "syn-check" and "seq-check":
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
I have tried them, but they did not work.
I think those are good for asymmetric flows, but not for half-completed connections.
I don't think half-open connections can be kept on the SRX. It will drop them within a few seconds.
But as a workaround, you can use selective packet mode for that traffic using a firewall filter.
Using this technique, you can use packet mode for this stream and flow mode for the rest:
set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32
set firewall filter PACKET-MODE term 1 from destination-address y.y.y.y/32
set firewall filter PACKET-MODE term 1 then packet-mode
set firewall filter PACKET-MODE term 2 then accept
Now apply the filter PACKET-MODE to the required interface in the inbound or outbound direction.
So traffic coming from the particular source address X.X.X.X/32 will be processed only in packet mode by the SRX; the rest will be processed in flow mode.
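As an added, worked example (not from the original thread), here is a complete selective packet-mode configuration for the scenario in the question, where only the server-to-client half of the flow crosses the SRX. Addresses, interface names and zone names are assumed placeholders, and lines beginning with "##" are annotations, not commands. The filter is applied as an input filter on the interface where that half of the flow enters, because the packet-mode action is decided at ingress; if the client-to-server half later turned up on another interface, it would need its own input filter with the addresses swapped. Traffic marked packet-mode bypasses the flow session table, so security policies, NAT, screens, IPsec and ALGs are not applied to it on this device; match it as narrowly as possible.

```junos
## Added example, not from the original thread. "##" lines are annotations.
## Assumed placeholders: ge-0/0/1 is where server->client packets arrive,
## 192.0.2.10 is the server, 198.51.100.20 is the client, zone names are arbitrary.

## 1. Filter: send only the one-directional server->client TCP stream to packet mode.
##    Matching source AND destination keeps other traffic on this interface in flow mode.
set firewall filter PACKET-MODE term SERVER-TO-CLIENT from source-address 192.0.2.10/32
set firewall filter PACKET-MODE term SERVER-TO-CLIENT from destination-address 198.51.100.20/32
set firewall filter PACKET-MODE term SERVER-TO-CLIENT from protocol tcp
set firewall filter PACKET-MODE term SERVER-TO-CLIENT then packet-mode

## 2. Everything else stays in flow mode (policies, NAT, screens still apply to it).
set firewall filter PACKET-MODE term REST then accept

## 3. Apply it as an INPUT filter on the ingress interface of that direction.
##    The packet-mode action must be evaluated on ingress.
set interfaces ge-0/0/1 unit 0 family inet filter input PACKET-MODE

## 4. Interfaces still belong to zones for the flow-mode remainder.
set security zones security-zone server-side interfaces ge-0/0/1.0
set security zones security-zone client-side interfaces ge-0/0/2.0

## 5. For comparison, the earlier suggestion in the thread. These relax TCP checks
##    for every flow-mode session on the box, not just this stream, and the
##    original poster reports they did not help here.
## set security flow tcp-session no-syn-check
## set security flow tcp-session no-sequence-check
```

After committing, packet-mode traffic will not appear in `show security flow session`, since it never creates a session; that absence is the expected sign that the filter is taking effect, not a fault.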
Yeah, it is the only solution.