
Using Packet Flow Options


Use the packet flow options to configure the security device to regulate packet flow.

The following sections detail each packet flow option:

ICMP Path MTU Discovery

The ICMP Path MTU Discovery option controls how the security device handles a packet that meets all of the following conditions: the Don’t Fragment (DF) bit is set in the IP header, the packet is intended for IPsec encapsulation, and the size of the packet after encapsulation exceeds the maximum transmission unit (MTU) of the egress interface, which is 1500 bytes:

  • When this option is enabled, the security device sends the source host an ICMP message indicating the packet size is too large (ICMP type 3, code 4, “Fragmentation needed and DF set”).

  • When this option is disabled, the security device ignores the DF bit, encapsulates the packet, fragments the packet so that none of the fragmented packets exceeds the MTU of the egress interface, and forwards them through the appropriate VPN tunnel.

By default, this option is disabled.
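The following model of the decision above is an added example and is not ScreenOS code. It builds the ICMP type 3, code 4 message a host would receive when the option is enabled (the quoted original header and the next-hop MTU field follow RFC 792 and RFC 1191), and falls back to fragmenting when the option is disabled. The `ipsec_overhead` parameter, the sample addresses, and the choice to advertise the egress MTU minus the encapsulation overhead are assumptions of the example; `split_bytes` also reproduces the simplified fragment arithmetic the Max Fragmented Packet Size option is described with later on this page (real IPv4 fragmentation repeats the header on every fragment and aligns offsets to 8 bytes).

```python
import struct

EGRESS_MTU = 1500        # egress interface MTU, as stated on the page
ICMP_DEST_UNREACH = 3    # ICMP type 3
ICMP_FRAG_NEEDED = 4     # code 4: fragmentation needed and DF set
IP_DF = 0x4000           # Don't Fragment bit in the IPv4 flags/fragment-offset field


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4 and ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(total_len: int, df: bool = True) -> bytes:
    """Constructed sample packet: 20-byte header (10.0.0.1 -> 10.0.0.2, TCP) plus zero payload."""
    flags_off = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_len - len(hdr))


def df_set(ip_packet: bytes) -> bool:
    return bool(struct.unpack("!H", ip_packet[6:8])[0] & IP_DF)


def build_frag_needed(orig_packet: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 / code 4: 8-byte header carrying the next-hop MTU (RFC 1191),
    followed by the original IP header and the first 8 bytes of its payload."""
    ihl = (orig_packet[0] & 0x0F) * 4
    quoted = orig_packet[: ihl + 8]
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + quoted


def icmp_summary(msg: bytes):
    """(type, code, next-hop MTU, checksum valid) for a received ICMP message."""
    t, c, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return t, c, mtu, inet_checksum(msg) == 0


def split_bytes(data: bytes, size: int) -> list:
    """The page's simplified fragment arithmetic: consecutive chunks of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def handle_for_ipsec(ip_packet: bytes, ipsec_overhead: int, pmtud_enabled: bool):
    """Decision for a packet bound for an IPsec tunnel. `ipsec_overhead` (assumed
    parameter) is the number of bytes encapsulation adds. Returns (action, data)."""
    if len(ip_packet) + ipsec_overhead <= EGRESS_MTU:
        return "forward", [ip_packet]
    if df_set(ip_packet) and pmtud_enabled:
        # Option enabled: tell the source host the packet is too large. The advertised
        # MTU leaves room for the encapsulation so the retransmission fits (assumption).
        return "icmp", build_frag_needed(ip_packet, EGRESS_MTU - ipsec_overhead)
    # Option disabled (or DF clear): ignore DF and fragment so that no fragment
    # exceeds the egress MTU once encapsulated, then forward through the tunnel.
    return "fragment", split_bytes(ip_packet, EGRESS_MTU - ipsec_overhead)
```

With a 1500-byte DF packet and 56 bytes of IPsec overhead, the enabled path yields a 36-byte ICMP message advertising 1444 bytes, while the disabled path yields fragments of 1444 and 56 bytes.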

Allow DNS Reply Without Matched Request

Use the Allow DNS Reply Without Matched Request option to control how the security device handles DNS reply packets that do not have a matching DNS request:

  • When this option is enabled, the security device does not verify that a DNS reply packet has a matching request.

  • When this option is disabled and the security device receives an incoming UDP first-packet that has a destination port of 53, the device checks the DNS message packet header to verify that the query (QR) bit is 0 (0 = query message). If the QR bit is 1 (1= response message) the device drops the packet, does not create a session, and increments the illegal packet flow counter for the receiving interface.

By default, this option is disabled.
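The check described above, as an added example that is not ScreenOS code: a UDP first packet to port 53 is inspected for the QR bit in the 12-byte DNS header, and a response with no matching request is dropped and counted. The DNS messages, the interface name `ethernet0/0`, and the `counters` dictionary standing in for the per-interface illegal packet flow counter are all constructed for the example.

```python
import struct

DNS_PORT = 53


def build_dns_message(txid: int, response: bool) -> bytes:
    """Constructed sample DNS message: header plus one question (example.com, A, IN).
    Only the header flags differ between the query and the response form."""
    flags = 0x8180 if response else 0x0100   # QR|RD|RA for a response, RD only for a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in (b"example", b"com")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def dns_qr_bit(payload: bytes) -> int:
    """QR bit from the DNS header: 0 = query message, 1 = response message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return (flags >> 15) & 1


def handle_udp_first_packet(ifname: str, dst_port: int, payload: bytes,
                            allow_unmatched_reply: bool, counters: dict) -> str:
    """Decision for a UDP packet with no existing session. `counters` maps an interface
    name to its illegal packet flow count (an assumed bookkeeping structure)."""
    if dst_port == DNS_PORT and not allow_unmatched_reply:
        if dns_qr_bit(payload) == 1:
            # A reply that no session asked for: drop it, create no session, count it.
            counters[ifname] = counters.get(ifname, 0) + 1
            return "drop"
    return "create-session"
```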

Allow MAC Cache for Management Traffic

Use the Allow MAC Cache for Management Traffic option to control how the security device handles the source MAC address of administrative traffic:

  • When this option is enabled, the security device caches the source MAC address from incoming administrative traffic, and then uses that address when replying. You might need to enable this option for managed devices that use source-based routing.

  • When disabled, the security device does not cache the source MAC address from incoming administrative traffic.

By default, this option is disabled.

Allow Unknown MAC Flooding

Use the Allow Unknown MAC Flooding option to control how the security device handles a packet that has a destination MAC address that is not in the MAC learning table:

  • When this option is enabled, the security device permits the packet to cross the firewall.

  • When this option is disabled, the security device drops the packet and does not permit it to cross the firewall.

By default, this option is enabled.

Skip TCP Sequence Number Check

Use the Skip TCP Sequence Number Check option to control how the security device handles TCP packets with an out-of-sequence TCP sequence number:

  • When this option is enabled, the security device does not monitor the TCP sequence number in TCP segments during stateful inspection.

  • When this option is disabled, the security device detects the window scale specified by both hosts in a session and adjusts a window for an acceptable range of sequence numbers according to their specified parameters. The device monitors the sequence numbers in packets sent between these hosts; if the device detects a sequence number outside this range, it drops the packet.

By default, this option is enabled.

TCP RST Invalid Session

Use the TCP RST Invalid Session option to control how the security device handles a TCP reset packet (a TCP packet with the RST flag set):

  • When this option is enabled and the security device receives a TCP reset packet, the device marks the session for immediate termination.

  • When this option is disabled, the security device marks the session for termination after the normal session timeout interval. Normal session timeout intervals for common protocols:

    • The TCP session timeout is 30 minutes.

    • The UDP session timeout is 1 minute.

    • The HTTP session timeout is 5 minutes.

By default, this option is disabled.

Check TCP SYN Bit Before Create Session

Use the Check TCP SYN Bit Before Create Session option to control how the security device handles the SYN bit in the first packet of a session:

  • When this option is enabled, the security device checks that the SYN bit is set in the first packet of a session. If the SYN bit is not set, the device drops the packet and does not create the session.

  • When this option is disabled, the security device does not enforce SYN checking before creating a session.

By default, security devices running ScreenOS 5.1 and later have this option enabled. However, in previous versions of ScreenOS, this option was disabled. If you upgraded from a ScreenOS release prior to ScreenOS 5.1 and did not change the default setting for this option, SYN checking remains disabled.

Security devices running ScreenOS 6.3 send a TCP session close notification acknowledgement (ACK) to both the client and the server when a session is being closed. To enable a policy to send a TCP session close notification, complete the following prerequisites:

  • Enable the TCP SYN checking and the TCP reset options in both the client and the server zones.

  • Enable the TCP sequence check only for ISG1000 or ISG2000 and NetScreen-5200 or NetScreen-5400.

Check TCP SYN Bit Before Create Session for Tunneled Packets

Use the Check TCP SYN Bit Before Create Session for Tunneled Packets option to control how the security device handles the SYN bit in the first packet of a VPN session:

  • When this option is enabled, the security device checks that the SYN bit is set in the first packet arriving in a VPN tunnel. If the SYN bit is not set, the device drops the packet and does not create the session.

  • When this option is disabled, the security device does not enforce SYN checking before creating a session in a VPN tunnel.

By default, this option is enabled.

Use SYN-Cookie for SYN Flood Protection

Use the SYN-Cookie for SYN Flood Protection option as an alternative to traditional SYN proxying mechanisms to help reduce CPU and memory usage:

  • When this option is enabled on the security device, SYN-cookie becomes the TCP-negotiating proxy for the destination server, and replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its initial sequence number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, the security device drops the original SYN packet and deletes the calculated cookie from memory.

  • When this option is disabled, traditional SYN-proxy becomes the TCP-negotiating proxy for the destination server.

By default, this option is disabled.
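The cookie exchange described above, as an added example that is not ScreenOS code: the SYN/ACK's ISN is an MD5 hash of the 4-tuple and the client's ISN truncated to 32 bits, nothing is stored after the SYN/ACK is sent, and the handshake-completing ACK is validated by recomputing the cookie from the ACK's own fields. The page does not say how the hash is keyed; this example assumes a per-device secret is mixed in, since an unkeyed hash of public header fields could be recomputed by anyone. The `SECRET` value and the sample addresses are constructed.

```python
import hashlib
import socket
import struct

SEQ_MOD = 1 << 32
SECRET = b"constructed-example-secret"   # assumed per-device key, not part of the page


def syn_cookie(saddr: str, sport: int, daddr: str, dport: int,
               client_isn: int, secret: bytes = SECRET) -> int:
    """32-bit cookie: MD5 over the 4-tuple and the client's ISN, truncated to 32 bits."""
    data = (socket.inet_aton(saddr) + struct.pack("!H", sport)
            + socket.inet_aton(daddr) + struct.pack("!H", dport)
            + struct.pack("!I", client_isn))
    digest = hashlib.md5(secret + data).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(saddr: str, sport: int, daddr: str, dport: int, client_isn: int) -> dict:
    """Answer a SYN with a SYN/ACK whose ISN is the cookie. No per-connection state
    is kept: the original SYN is dropped and the cookie is not remembered."""
    cookie = syn_cookie(saddr, sport, daddr, dport, client_isn)
    return {"flags": "SYN/ACK", "seq": cookie, "ack": (client_isn + 1) % SEQ_MOD}


def on_ack(saddr: str, sport: int, daddr: str, dport: int, seq: int, ack: int) -> bool:
    """Validate the third handshake segment statelessly: its seq is client ISN + 1 and
    its ack must equal the recomputed cookie + 1. Only then is the server-side
    handshake worth opening."""
    client_isn = (seq - 1) % SEQ_MOD
    expected = (syn_cookie(saddr, sport, daddr, dport, client_isn) + 1) % SEQ_MOD
    return ack == expected
```

Because the cookie is recomputed from the ACK rather than looked up, a flood of SYNs that never complete the handshake costs the proxy one hash per SYN and no table entries, which is the CPU and memory saving the option is meant to deliver.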

Note

This option is only available on devices running ScreenOS 5.2 and later.

Enforce TCP Sequence Number Check on TCP RST Packet

Use the Enforce TCP Sequence Number Check on TCP RST Packet option to control how the security device handles TCP reset (RST) packets with an out-of-sequence TCP sequence number:

  • When this option is enabled, the security device monitors the TCP sequence number in a TCP segment with the RST bit enabled. If the sequence number matches the previous sequence number for a packet in that session or is the next higher number incrementally, the device permits the packet to cross the firewall. If the sequence number does not match either of these expected numbers, the device drops the packet and sends the host a TCP ACK segment with the correct sequence number.

  • When this option is disabled, the security device does not monitor the TCP sequence number in TCP segments that have an RST bit enabled.

By default, this option is disabled.
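Both sequence checks on this page, the windowed check that runs when Skip TCP Sequence Number Check is disabled and the RST check described just above, share the arithmetic in this added example, which is not ScreenOS code. The acceptable range is the peer's advertised window shifted by the negotiated window scale, and the comparison is done modulo 2^32 so it survives sequence-number wraparound. The `TcpSessionSeqState` structure and the `"drop-and-ack"` result carrying the expected sequence number are assumptions of the example.

```python
SEQ_MOD = 1 << 32


def seq_in_window(seq: int, window_start: int, window: int, scale: int) -> bool:
    """True when seq lies in [window_start, window_start + (window << scale)),
    computed modulo 2**32 so the check survives sequence-number wraparound."""
    size = window << scale
    return (seq - window_start) % SEQ_MOD < size


class TcpSessionSeqState:
    """Per-session state the firewall needs for both checks (an assumed structure)."""

    def __init__(self, window: int, scale: int, last_seq: int):
        self.window = window        # window advertised by the peer
        self.scale = scale          # window scale negotiated in the handshake
        self.last_seq = last_seq    # sequence number of the last accepted segment

    def check_data(self, seq: int, skip_seq_check: bool = False) -> str:
        """Skip TCP Sequence Number Check: enabled -> no monitoring; disabled -> the
        segment must fall inside the scaled window starting at the last accepted seq."""
        if skip_seq_check or seq_in_window(seq, self.last_seq, self.window, self.scale):
            self.last_seq = seq
            return "permit"
        return "drop"

    def check_rst(self, seq: int, enforce: bool = True):
        """Enforce TCP Sequence Number Check on TCP RST Packet. Returns (action, ack_seq):
        the RST is permitted when seq equals the last accepted sequence number or the
        next one; otherwise it is dropped and the expected sequence number is returned
        for the ACK sent back to the host."""
        if not enforce:
            return "permit", None
        expected_next = (self.last_seq + 1) % SEQ_MOD
        if seq in (self.last_seq, expected_next):
            return "permit", None
        return "drop-and-ack", expected_next
```

The RST rule is deliberately narrower than the data-segment window: a reset is accepted only at the exact expected position, so an out-of-window or guessed RST is dropped and the challenge ACK lets a legitimate peer re-send the reset with the right sequence number.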

Note

The NetScreen 5000 line does not support this option.

Use Hub-and-Spoke Policies for Untrust MIP Traffic

Use this option to control how the security device handles the forwarding of packets arriving in a VPN tunnel to and from a mapped IP (MIP) address:

  • When this option is enabled, the security device forwards traffic arriving through a VPN tunnel to a MIP address on one tunnel interface to the MIP host at the end of another VPN tunnel. The two tunnels form a hub-and-spoke configuration, with the traffic looping back on the same outgoing interface.

  • When this option is disabled, the security device does not forward VPN traffic arriving at a MIP to a MIP at the other end of the VPN tunnel.

By default, this option is enabled.

Note

This option affects traffic forwarding only when the outgoing interface is bound to the Untrust zone.

Max Fragmented Packet Size

Use the Max Fragmented Packet Size option to control the maximum size of a packet fragment generated by the security device. You can set the value between 1024 and 1500 bytes inclusive. For example, if a received packet is 1500 bytes and this option is set to 1460 bytes, the device generates two fragment packets: the first is 1460 bytes and the second is 40 bytes. If you reset this option to 1024, the first fragment packet is 1024 bytes and the second is 476 bytes.

By default, this option is set to none.

Flow Initial Session Timeout (Seconds)

Use the Flow Initial Session Timeout option to control the number of seconds the security device keeps an initial TCP session in the session table before dropping it, unless a FIN or RST packet arrives first. You can set the value from 20 seconds to 300 seconds.

By default, this option is set to 20 seconds.

Multicast Flow Configuration

In earlier versions, all TCP, UDP, and ICMP traffic was supported by setting policy rules. Use this option to inspect IDP multicast traffic for devices running ScreenOS 6.3.

TCP MSS

Use the TCP MSS option to control how the security device handles the TCP-MSS value for TCP SYN packets in an IPsec VPN tunnel:

  • When this option is set to Packet Size, the security device modifies the MSS value in a TCP packet to avoid fragmentation caused by the IPsec operation. The default MSS for this option is 1400.

  • When this option is disabled, the security device does not modify the MSS value in a TCP packet.

By default, this option is disabled.

Note

When you configure a value for the All TCP MSS option, that value overrides the settings defined for this option.

All TCP MSS

Use the All TCP MSS option to control how the security device handles the TCP MSS value for TCP SYN packets in all network traffic:

  • When this option is set to Packet Size, the security device modifies the MSS value in a TCP packet to avoid fragmentation by other network components. You can set the TCP MSS range from 0 to 65,535 bytes; the default MSS for this option is set to none.

    Additionally, this option overrides the configuration for TCP MSS (described earlier):

    • If the TCP MSS option for IPsec VPN traffic is not set, the security device applies the value specified in this option to TCP packets in an IPsec VPN tunnel.

    • If the TCP MSS option for IPsec VPN traffic is set, the security device overrides that value with the value from the All TCP MSS option.

  • When this option is disabled, the security device does not modify the MSS value of a TCP packet in network traffic.

By default, this option is disabled.
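The TCP MSS and All TCP MSS options above both come down to rewriting the MSS option (kind 2) in a SYN's TCP option list, with the precedence rule that a configured All TCP MSS value overrides the VPN-only value. This added example, which is not ScreenOS code, parses the option list, applies that precedence, and lowers the MSS only when it exceeds the configured limit, leaving every other option (NOP, window scale, SACK-permitted) untouched. The sample option bytes and the `in_vpn_tunnel` parameter are constructed for the example.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def effective_mss_limit(all_tcp_mss, vpn_tcp_mss, in_vpn_tunnel: bool):
    """Precedence from the page: a configured All TCP MSS overrides the VPN-only
    TCP MSS; otherwise the VPN value applies only inside the tunnel. None = no clamp."""
    if all_tcp_mss is not None:
        return all_tcp_mss
    return vpn_tcp_mss if in_vpn_tunnel else None


def parse_options(options: bytes):
    """Yield (kind, body) for each TCP option; NOP and EOL carry empty bodies and
    parsing stops at EOL, which is where any padding begins."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            yield kind, b""
            return
        if kind == TCPOPT_NOP:
            yield kind, b""
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d has no length byte" % kind)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed option length")
        yield kind, options[i + 2:i + length]
        i += length


def serialize_options(opts) -> bytes:
    """Re-encode (kind, body) pairs, padding the option field to a 4-byte multiple."""
    out = bytearray()
    for kind, body in opts:
        if kind in (TCPOPT_EOL, TCPOPT_NOP):
            out.append(kind)
        else:
            out += bytes([kind, len(body) + 2]) + body
    while len(out) % 4:
        out.append(TCPOPT_EOL)
    return bytes(out)


def read_mss(options: bytes):
    """Return the MSS value from an option list, or None if no MSS option is present."""
    for kind, body in parse_options(options):
        if kind == TCPOPT_MSS and len(body) == 2:
            return struct.unpack("!H", body)[0]
    return None


def clamp_mss(options: bytes, limit: int) -> bytes:
    """Lower a kind-2 MSS option that exceeds `limit`; everything else is copied as-is."""
    rewritten = []
    for kind, body in parse_options(options):
        if kind == TCPOPT_MSS and len(body) == 2 and struct.unpack("!H", body)[0] > limit:
            body = struct.pack("!H", limit)
        rewritten.append((kind, body))
    return serialize_options(rewritten)


def process_syn_options(options: bytes, all_tcp_mss, vpn_tcp_mss, in_vpn_tunnel: bool) -> bytes:
    """Apply the configured MSS options to one SYN's option list."""
    limit = effective_mss_limit(all_tcp_mss, vpn_tcp_mss, in_vpn_tunnel)
    return options if limit is None else clamp_mss(options, limit)


# Constructed sample SYN options: MSS 1460, NOP, window scale 7, NOP, NOP, SACK-permitted.
SAMPLE_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x01\x01\x04\x02"
```

Only a larger MSS is lowered; a host that already advertises a smaller segment size is left alone, which is why the option is a clamp rather than a fixed rewrite.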

GRE In TCP MSS

Use the GRE in TCP MSS option to control how the security device handles the TCP MSS value for generic routing encapsulation (GRE) packets destined for an IPsec VPN tunnel.

  • When this option is set to Packet Size, the security device modifies the MSS value in a GRE packet to avoid fragmentation caused by the IPsec operation. The TCP MSS range is 64 to 1420 bytes inclusive; the default MSS for this option is 1320.

  • When this option is disabled, the security device does not modify the MSS value in a GRE packet entering an IPsec VPN tunnel.

By default, this option is disabled.

GRE Out TCP MSS

Use the GRE Out TCP MSS option to control how the security device handles the TCP MSS value for GRE packets leaving an IPsec VPN tunnel.

  • When this option is set to Packet Size, the security device modifies the MSS value in a GRE packet to avoid fragmentation caused by the IPsec operation. The TCP MSS range is 64 to 1420 bytes inclusive; the default MSS for this option is 1320.

  • When this option is disabled, the security device does not modify the MSS value in a GRE packet leaving an IPsec VPN tunnel.

By default, this option is disabled.

Aging

Use the Aging options to control how the security device uses aggressive aging to affect session timeout. Aggressive aging begins when the number of entries in the session table exceeds the high-watermark setting, and ends when the number of sessions falls below the low-watermark setting. When aggressive aging is in effect, the security device ages out sessions—beginning with the oldest sessions first—at the rate you specify.

When the session table is in any other state, the normal session timeout value is applied. Normal session timeout intervals for common protocols:

  • The TCP session timeout is 30 minutes.

  • The UDP session timeout is 1 minute.

  • The HTTP session timeout is 5 minutes.

Early Ageout Time Before the Session’s Normal Ageout

Use this aging option to control how the security device uses aggressive aging to age out a session from its session table. The value range is 2 to 10 units, where each unit is 10 seconds; by default, the early-ageout value is 2 units (20 seconds).

Percentage of Used Sessions Before Early Aging Begins

Use this aging option to control when the security device begins aggressive aging. The value range is 1 to 100, which indicates percent of the session table capacity. By default, this option is set to 100% (used sessions must account for 100% of the session table capacity before aggressive aging begins).

Percentage of Used Sessions Before Early Aging Stops

Use this aging option to control when the security device ends aggressive aging. The value range is 1 to 100, which indicates percent of the session table capacity. By default, this option is set to 100% (used sessions must account for 100% of the session table capacity before aggressive aging ends).
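The three aging controls above (early-ageout units, the high watermark that starts aggressive aging, and the low watermark that ends it) interact in a way that is easiest to see by running them. This added example is not ScreenOS code: it models a session table whose timing is driven by the caller, enters aggressive aging when used sessions reach the high watermark, retires the oldest sessions `early_units * 10` seconds ahead of their normal timeout while in that state, and returns to the normal timeout once usage falls below the low watermark. The `SessionTable` structure, its capacity and the 60-second timeout used in the walkthrough are constructed; the defaults mirror the page's (100%, 100%, 2 units, 30-minute TCP timeout).

```python
class SessionTable:
    """Session table with the aggressive-aging controls described above.
    Sessions are stored as id -> creation time (an assumed, simplified model)."""

    def __init__(self, capacity: int, normal_timeout: int = 1800,
                 high_pct: int = 100, low_pct: int = 100, early_units: int = 2):
        if not (1 <= high_pct <= 100 and 1 <= low_pct <= 100):
            raise ValueError("watermarks are percentages of table capacity, 1-100")
        if not 2 <= early_units <= 10:
            raise ValueError("early ageout is 2-10 units of 10 seconds each")
        self.capacity = capacity
        self.normal_timeout = normal_timeout      # 30 minutes for TCP by default
        self.high_pct, self.low_pct = high_pct, low_pct
        self.early_seconds = early_units * 10     # each unit is 10 seconds
        self.sessions = {}
        self.aggressive = False

    def used_pct(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def _update_mode(self) -> None:
        # Begin when usage reaches the high watermark (>= so the default 100% can
        # trigger on a full table); end once usage drops below the low watermark.
        if not self.aggressive and self.used_pct() >= self.high_pct:
            self.aggressive = True
        elif self.aggressive and self.used_pct() < self.low_pct:
            self.aggressive = False

    def current_timeout(self) -> int:
        """Normal timeout, shortened by the early-ageout time while aggressive aging is on."""
        if self.aggressive:
            return self.normal_timeout - self.early_seconds
        return self.normal_timeout

    def add(self, sid, now: int) -> None:
        self.sessions[sid] = now
        self._update_mode()

    def age(self, now: int) -> list:
        """Retire expired sessions oldest-first, re-evaluating the mode after each removal
        so the shortened timeout stops applying as soon as usage drops below the low mark."""
        removed = []
        for sid, created in sorted(self.sessions.items(), key=lambda kv: kv[1]):
            if now - created >= self.current_timeout():
                del self.sessions[sid]
                removed.append(sid)
                self._update_mode()
            else:
                break   # younger sessions cannot have expired under an equal or longer timeout
        return removed
```

In the walkthrough checked below, a table of capacity 10 with an 80% high watermark, a 50% low watermark and a 60-second timeout fills to 8 sessions, ages the two oldest out at 40 seconds instead of 60, then drops back to normal aging in the middle of a sweep once only 4 sessions remain.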