Thwarting a FIN Scan (CLI Procedure)

To thwart FIN scans, take either or both of the following actions:

• Enable the screen option that specifically blocks TCP segments with the FIN flag set but not the ACK flag, which is anomalous for a TCP segment:
  user@host#set security screen fin-no-ack tcp fin-no-ack user@host#set security zones security-zone name screen fin-no-ack

  where name is the name of the zone to which you want to apply this screen option .

• Change the packet processing behavior to reject all non-SYN packets that do not belong to an existing session. The SYN check flag is set as the default.

  Note: Changing the packet flow to check that the SYN flag is set for packets that do not belong to existing sessions also thwarts other types of non-SYN scans, such as a null scan (when no TCP flags are set).