Screen OS

  • 1.  How to break stateful behavior of ISG2000?

    Posted 12-19-2011 19:54

    Hello,

    How to break the stateful nature of the ISG2000 for specific traffic?

    Due to dynamic behavior in remote PoPs, inbound traffic does not always follow the same path. It is most likely that outbound and inbound packets will not arrive at the same ISG2000 node.

    So I need to know the recommended way to accept such traffic, which does not comply with the stateful nature of the firewall.

    //asmash



  • 2.  RE: How to break stateful behavior of ISG2000?
    Best Answer

    Posted 12-20-2011 03:45

    ScreenOS really does not like asymmetrical routing. You can turn off TCP SYN checking, which will allow most asymmetrical routing issues to work, provided there are policies that allow the traffic. The issue with doing this is that it disables SYN checking for the entire firewall and not just at the policy level, so you are turning off a security feature.

    unset flow tcp-syn-check
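
    The situation in the answer above, as an added illustration that is not ScreenOS code and not part of the original post: a toy model of two stateful nodes sitting on an asymmetric path. The session table, zone lookup and policy match are deliberate simplifications (assumptions), and the addresses, zone names and policies are constructed. It shows why the server's SYN-ACK is dropped at the second node while SYN checking is on, that turning it off only helps when a policy also permits the reverse direction, and, because the setting lives on the whole device rather than on a policy, that any permitted non-SYN packet can then open a session, which is the feature being given up.

```python
from dataclasses import dataclass
from typing import Optional

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Policy:
    """Permit src_zone -> dst_zone; dst_port None means any port (assumed model)."""
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None


class Firewall:
    """Toy stateful firewall. syn_check is a device-wide flag, mirroring the
    ScreenOS setting, not something an individual policy can switch off."""

    def __init__(self, zones, policies, syn_check=True, max_sessions=1000):
        self.zones = zones              # host address -> zone name (assumed static)
        self.policies = policies
        self.syn_check = syn_check
        self.max_sessions = max_sessions
        self.sessions = set()           # direction-agnostic endpoint pairs

    @staticmethod
    def session_key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def policy_allows(self, p):
        src_zone, dst_zone = self.zones[p.src], self.zones[p.dst]
        return any(pol.src_zone == src_zone and pol.dst_zone == dst_zone
                   and pol.dst_port in (None, p.dport)
                   for pol in self.policies)

    def handle(self, p):
        """Return the verdict for one packet and update the session table."""
        key = self.session_key(p)
        if key in self.sessions:
            if RST in p.flags or FIN in p.flags:
                self.sessions.discard(key)      # crude teardown
            return "pass (existing session)"
        # No session exists, so this packet would have to open one.
        is_bare_syn = SYN in p.flags and ACK not in p.flags
        if self.syn_check and not is_bare_syn:
            return "drop (non-SYN first packet)"
        if not self.policy_allows(p):
            return "drop (no policy)"
        if len(self.sessions) >= self.max_sessions:
            return "drop (session table full)"
        self.sessions.add(key)
        return "pass (new session)"


# Constructed addressing: one inside host, one Internet server, one outside attacker.
ZONES = {"10.1.1.10": "trust", "203.0.113.5": "untrust", "198.51.100.9": "untrust"}


def asymmetric_handshake(syn_check, reverse_policy):
    """Client SYN leaves through node A; the server's SYN-ACK returns through
    node B. Returns the verdict each node gives."""
    policies = [Policy("trust", "untrust", 443)]
    if reverse_policy:
        policies.append(Policy("untrust", "trust"))   # lets B open the session itself
    fw_a = Firewall(ZONES, policies, syn_check)
    fw_b = Firewall(ZONES, policies, syn_check)
    syn = Packet("10.1.1.10", 40000, "203.0.113.5", 443, frozenset({SYN}))
    syn_ack = Packet("203.0.113.5", 443, "10.1.1.10", 40000, frozenset({SYN, ACK}))
    return fw_a.handle(syn), fw_b.handle(syn_ack)


def spoofed_ack_sessions(syn_check, count=500, table_size=200):
    """How many sessions a burst of ACK-only packets from the outside host opens
    toward the inside host, given the permissive reverse policy from above."""
    policies = [Policy("trust", "untrust", 443), Policy("untrust", "trust")]
    fw = Firewall(ZONES, policies, syn_check, max_sessions=table_size)
    opened = 0
    for i in range(count):
        probe = Packet("198.51.100.9", 1024 + i, "10.1.1.10", 22, frozenset({ACK}))
        if fw.handle(probe) == "pass (new session)":
            opened += 1
    return opened


if __name__ == "__main__":
    for check, rev in ((True, False), (False, False), (False, True)):
        print(f"syn_check={check} reverse_policy={rev}: {asymmetric_handshake(check, rev)}")
    print("sessions opened by ACK spray, syn_check on :", spoofed_ack_sessions(True))
    print("sessions opened by ACK spray, syn_check off:", spoofed_ack_sessions(False))
```

    In this model the `unset flow tcp-syn-check` command corresponds to constructing every `Firewall` with `syn_check=False`; there is no per-`Policy` equivalent, which is the point the answer makes. Run as a script, it prints the three handshake verdicts and then the ACK-spray counts: zero sessions with SYN checking on, a full table with it off.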



  • 3.  RE: How to break stateful behavior of ISG2000?

    Posted 12-20-2011 13:28

    Maybe just put a router in front of your firewall(s) to aggregate the traffic so it follows a single path into and out of your ISG?

    I favor simple solutions to problems rather than something complicated, and defeating a big part of what makes a firewall a firewall seems unnecessary when there is probably a simpler way to solve the problem.



  • 4.  RE: How to break stateful behavior of ISG2000?

    Posted 06-17-2012 01:21

    Hi,

    Sometimes we may not have any choice but to compromise a security feature for a particular zone (probably we should not call it a 'security zone' then).

    And I strongly believe that most of the time customers' demands and business cases drive the technology (the only question is who has better foresight, producer or customer?)   |-:)

    Anyway, to conclude this topic: there is no such feature in the existing ISG to compromise such a critical security feature on a zone basis.

    BR,

    asmash