I am wondering how the SRX handles a scenario where you have asymmetric routing between two interfaces in the same security zone.
Imagine you have an SRX with connections to two different ISPs, both of which are in the 'untrust' zone. If a client in the 'trust' zone initiates a TCP connection to something out on the internet and the SYN packet exits via the interface connected to ISP1, but the SYN/ACK returns via the interface connected to ISP2, will this connection be allowed or blocked? In other words, is the TCP SYN check based on egress/ingress interface or egress/ingress zone?
I can't see anything in the official docs that specifically addresses this.
I have read those documents but I don't think either of them really addresses my question. The first link talks about scenarios in which all the interfaces are in different security zones.
The second link talks about how to disable SYN checking on a per-policy basis, which is useful but again doesn't really address the question: if a SYN is sent on one interface and the SYN/ACK is received on a different interface in the same security zone, would that be allowed or blocked?
If a syn is sent on one interface and the syn/ack is received on a different interface in the same security zone, would that be allowed or blocked?
I have just edited my answer because I said the traffic will be blocked, but it isn't. I did some testing, and even for TCP traffic, if the SYN is sent on one interface and the SYN+ACK is received on a different interface, with both interfaces in the same security zone, the TCP traffic will be allowed by the SRX.
The logical reason behind this behaviour is that session creation is performed based on a 6-tuple (source IP, destination IP, source port, destination port, protocol, and a unique token for the zone or virtual router) when we send the TCP SYN. When the return traffic comes, the same tuple will be matched, thereby matching the session in the session table.
I hope this answers your query.
Thanks, π00bm@$t€®. Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
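To make the session-matching explanation above concrete, here is a small constructed Python model of a session table keyed by the 6-tuple the answer describes (it is an added illustration, not Juniper code, and the SRX's real data structures are not claimed to look like this). The model assumes the reverse wing is installed with the zone token of the zone the reply is expected from, so a SYN/ACK arriving on any interface in that zone matches, while a reply arriving from a different zone token does not.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: a session is keyed by the 6-tuple from the answer
# (src IP, dst IP, src port, dst port, protocol, zone/VR token).
# The ingress interface is deliberately NOT part of the key.
FlowKey = tuple[str, str, int, int, str, str]

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    zone: str    # security zone of the interface the packet arrives on
    iface: str   # ingress interface name; informational only in this model
    flags: str   # "SYN" or "SYN-ACK" for this illustration

class SessionTable:
    def __init__(self) -> None:
        self._sessions: dict[FlowKey, str] = {}   # 6-tuple -> session id

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        """Build the lookup key; note that p.iface is not included."""
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.zone)

    def install(self, syn: Packet, reply_zone: str, sid: str) -> None:
        """Install the forward wing from the SYN and the reverse wing
        carrying the zone token the reply is expected to arrive from."""
        rev = (syn.dst_ip, syn.src_ip, syn.dst_port, syn.src_port, syn.proto, reply_zone)
        self._sessions[self._key(syn)] = sid
        self._sessions[rev] = sid

    def lookup(self, p: Packet) -> Optional[str]:
        return self._sessions.get(self._key(p))

def tcp_syn_check(table: SessionTable, p: Packet) -> str:
    """'allowed' if the packet matches an existing session; a non-SYN packet
    with no session fails the TCP SYN check and is dropped in this model."""
    if table.lookup(p) is not None:
        return "allowed"
    return "new-session" if p.flags == "SYN" else "dropped"

def reply_verdict(return_iface: str, return_zone: str) -> str:
    """Client in 'trust' sends a SYN out ge-0/0/0.0; the SYN-ACK comes back
    on return_iface, which sits in return_zone (addresses are constructed)."""
    table = SessionTable()
    syn = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp", "trust", "ge-0/0/0.0", "SYN")
    table.install(syn, reply_zone="untrust", sid="s1")
    syn_ack = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp", return_zone, return_iface, "SYN-ACK")
    return tcp_syn_check(table, syn_ack)
```

Calling `reply_verdict("ge-0/0/2.0", "untrust")` returns "allowed" even though the SYN left via a different interface, because only the zone token, not the interface, is in the key.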