tech note

A blog with musings about infrastructure technology and cars

Disabling SRX SYN check per policy


set commands

Group definition used to enable SYN check on individual policies
set groups SYN_CHECK security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups SYN_CHECK security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
Disable globally
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
Enable globally by applying the group
set security policies apply-groups SYN_CHECK
Example of disabling on an individual policy via the group
set security policies from-zone trust to-zone trust policy trust-to-trust apply-groups-except SYN_CHECK
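The same steps assembled as one configuration-mode session, with a verification step that shows which policies actually inherit the check before the change is committed. This is an added example, not from the original post; the zone and policy names trust and trust-to-trust are the ones used in the commands above, and it assumes you are already in configure mode on the SRX.

```junos
# 1. Group that turns the per-policy SYN and sequence checks on for any policy it is applied to
set groups SYN_CHECK security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups SYN_CHECK security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required

# 2. Switch the global flow-level checks off; from here on the per-policy setting decides
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# 3. Apply the group to every security policy (checks are now on everywhere) ...
set security policies apply-groups SYN_CHECK

# 4. ... except the single policy that must accept sessions without a SYN handshake
#    (e.g. asymmetric routing inside the trust zone); scope this exception as narrowly as possible
set security policies from-zone trust to-zone trust policy trust-to-trust apply-groups-except SYN_CHECK

# 5. Verify before committing: the expanded view shows the inherited tcp-options on every policy,
#    and trust-to-trust should be the only one without syn-check-required / sequence-check-required
show security policies | display inheritance
commit check
```

If a policy that should keep the check is missing the inherited tcp-options in the expanded view, look for a stray apply-groups-except on it before committing.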