Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways

This example shows how to disable TCP packet security checks on the device.

Requirements

Before you begin, understand the circumstances for disabling TCP packet security checks. See Understanding Session Characteristics for SRX Series Services Gateways.

Overview

Junos OS provides a mechanism for disabling security checks on TCP packets to ensure interoperability with hosts and devices that have faulty TCP implementations. With no-SYN-check, Junos OS does not look for the TCP SYN packet for session creation. No-sequence-check disables TCP sequence number validation. This also increases throughput. SYN check and sequence check are enabled by default. The set security flow command disables TCP SYN checks and TCP sequence checks on all TCP sessions and therefore reduces security. This may be required in scenarios such as customers transferring large files, or with applications that do not work correctly with the standards.

Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To disable TCP packet security checks:

  1. Disable the checking of the TCP SYN bit before creating a session.

    [edit security flow]
    user@host# set tcp-session no-syn-check

  2. Disable the checking of sequence numbers in TCP segments during stateful inspection.

    [edit security flow]
    user@host# set tcp-session no-sequence-check

  3. If you are done configuring the device, commit the configuration.

    [edit]
    user@host# commit

Verification

To verify the configuration is working properly, enter the show security flow command.
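
Because both statements reduce security on all TCP sessions, it is useful to audit exported configurations for them. The following is an added example, not part of the original Juniper documentation: a small Python check that reports which of the two statements are active in configuration text, in either "display set" or hierarchical form. The function name and the sample configurations are constructed for illustration.

```python
# Added example: flag Junos configurations that disable the SRX TCP checks.
PATH = ["security", "flow", "tcp-session"]
WATCHED = ("no-syn-check", "no-sequence-check")

def disabled_tcp_checks(config_text):
    """Return the sorted WATCHED statements that are active in config_text."""
    found, deactivated, stack = set(), [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "deactivate":            # set format: marks a path inactive
            deactivated.append(tokens[1:])
        elif tokens[0] == "set":                 # set format: exact path + statement
            if tokens[1:-1] == PATH and tokens[-1] in WATCHED:
                found.add(tokens[-1])
        elif line.endswith("{"):                 # hierarchical format: enter a level
            stack.append(line[:-1].strip())      # "inactive: x" never equals PATH
        elif line == "}":                        # hierarchical format: leave a level
            if stack:
                stack.pop()
        elif stack == PATH and line.rstrip(";") in WATCHED:
            found.add(line.rstrip(";"))          # "inactive: ..." lines do not match
    def is_inactive(name):
        full = PATH + [name]
        return any(d and full[:len(d)] == d for d in deactivated)
    return sorted(n for n in found if not is_inactive(n))

# Constructed sample input in "display set" form.
SAMPLE_SET = """\
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
deactivate security flow tcp-session no-sequence-check
set security flow tcp-session no-syn-check-in-tunnel
"""

# Constructed sample input in hierarchical form.
SAMPLE_HIER = """\
security {
    flow {
        tcp-session {
            no-syn-check;
            inactive: no-sequence-check;
        }
    }
}
"""

if __name__ == "__main__":
    for name, cfg in (("set", SAMPLE_SET), ("hierarchical", SAMPLE_HIER)):
        print(name, "->", disabled_tcp_checks(cfg) or "SYN and sequence checks enabled")
```

An empty result means neither statement is active, which matches the default of SYN check and sequence check being enabled.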
