
    Enabling TCP Proxy Session to Increase the Network Transmit Speed

    This example shows how to enable the scaled TCP proxy session to enlarge the maximum window size.

    Requirements

    Security zones should be defined before configuring this feature.

    Overview

    In this example, you enable the TCP window scale (WS) option and then set the maximum window size to 1M.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set security policies from-zone trust to-zone untrust policy policy-name then permit tcp-options window-scale
    set security flow tcp-session maximum-window <maximum-window>

    Step-by-Step Procedure

    To enable TCP WS support to increase the throughput:

    1. Enable the TCP WS option.
      [edit]
      user@host# set security policies from-zone trust to-zone untrust policy policy-name then permit tcp-options window-scale
    2. Set the maximum window size.
      [edit]
      user@host# set security flow tcp-session maximum-window 1M

    Results

    From configuration mode, confirm your configuration by entering the show security policies and show security flow commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security policies
    from-zone policy to-zone untrust {
        policy-name {
            then {
                permit {
                    tcp-options {
                        window-scale;
                    }
                }
            }
        }
    }
    from-zone trust to-zone policy {
        policy-name {
            then {
                permit {
                    tcp-options {
                        window-scale;
                    }
                }
            }
        }
    }
    [edit]
    user@host# show security flow
    tcp-session {
        maximum-window 1M;
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Verifying the TCP Proxy Session

    Purpose

    Verify that window scaling is enabled on the policy and that the TCP proxy session maximum window is set.

    Action

    From operational mode, enter the show security policies policy-name <policy-name> detail command. From configuration mode, enter the show security flow tcp-session maximum-window command.

    user@host> show security policies policy-name p1 detail
    Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: untrust
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: Yes
    
    user@host# show security flow tcp-session ?
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      fin-invalidate-session  Immediately end session on receipt of fin (FIN) segment
      maximum-window       Maximum TCP proxy scaled receive window, default 256K bytes
      no-sequence-check    Disable sequence-number checking
      no-syn-check         Disable creation-time SYN-flag check
      no-syn-check-in-tunnel  Disable creation-time SYN-flag check for tunnel packets
      rst-invalidate-session  Immediately end session on receipt of reset (RST) segment
      rst-sequence-check   Check sequence number in reset (RST) segment
      strict-syn-check     Enable strict syn check
      tcp-initial-timeout  Timeout for TCP session when initialization fails (4..300 seconds)
    |                    Pipe through a command
    
    user@host# show security flow tcp-session maximum-window
      <[Enter]>            Execute this command
      maximum-window 1M;
    

    Meaning

    The sample output shows that TCP proxy is enabled with the TCP WS option.
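
The check above can be automated. The following is an added example, not Juniper code: it parses the two outputs shown in this section, converts maximum-window to bytes, and reports when the configured window cannot be advertised because the policy lacks window-scale (the TCP window field is 16 bits, so anything above 65,535 bytes needs the RFC 7323 scale option). The function names are hypothetical, the embedded sample text is trimmed from the output above, and K and M are assumed to be binary multiples.

```python
import re

# Constructed sample input, trimmed from the command output shown in this example.
POLICY_DETAIL = """\
Policy: p1, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  From zone: trust, To zone: untrust
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: Yes
"""
FLOW_CONFIG = "tcp-session {\n    maximum-window 1M;\n}\n"
UNITS = {"K": 1024, "M": 1024 * 1024}  # assumption: K and M are binary multiples


def parse_policy(text):
    """Return the policy name and its per-policy TCP options as booleans."""
    name = re.search(r"^Policy: ([^,]+),", text, re.M).group(1)
    line = re.search(r"Per policy TCP Options: (.+)", text).group(1)
    opts = {k.strip(): v.strip() == "Yes"
            for k, v in (item.split(":") for item in line.split(","))}
    return name, opts


def parse_max_window(config):
    """Return the configured maximum-window in bytes, or None if it is unset."""
    m = re.search(r"maximum-window (\d+)([KM]);", config)
    return int(m.group(1)) * UNITS[m.group(2)] if m else None


def required_shift(window_bytes):
    """Smallest RFC 7323 shift count that lets a 16-bit field cover the window."""
    for shift in range(15):  # RFC 7323 caps the shift count at 14
        if (0xFFFF << shift) >= window_bytes:
            return shift
    raise ValueError("window is larger than RFC 7323 allows")


def ceiling_bps(window_bytes, rtt_ms):
    """Upper bound on one flow's throughput: one full window per round trip."""
    return window_bytes * 8 * 1000 // rtt_ms


def audit(policy_text, flow_config):
    """Return findings; an empty list means both settings are in effect."""
    name, opts = parse_policy(policy_text)
    window = parse_max_window(flow_config)
    findings = []
    if window is None:
        findings.append("maximum-window is not set, so the default applies")
    elif required_shift(window) > 0 and not opts.get("Window scale", False):
        findings.append(f"policy {name}: {window}-byte window needs window-scale")
    return findings
```

With a 50 ms round-trip time, ceiling_bps gives about 168 Mbps per flow for the 1M window against about 42 Mbps for the 256K default listed in the CLI help above.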

    Modified: 2018-03-16