SRX Services Gateway

TCP Syn check on zone based firewall

4 weeks ago

I am wondering how the SRX handles a scenario where you have asymmetric routing between two interfaces in the same security zone.

Imagine you have an SRX with connections to two different ISPs, both of which are in the 'untrust' zone. If a client in the 'trust' zone initiates a TCP connection to something out on the internet and the SYN packet exits via the interface connected to ISP1, but the SYN,ACK returns via the interface connected to ISP2, will this connection be allowed or blocked? In other words, is the TCP syn check based on egress/ingress interface or egress/ingress zone?

I can't see anything in the official docs that specifically addresses this.

3 REPLIES

Re: TCP Syn check on zone based firewall

[ Edited ]
4 weeks ago

Hi Paul,

There is an excellent KB article explaining the behaviour of asymmetric traffic in SRX series devices. Please find the same below:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=METADATA

For the query relating to "Is the TCP SYN check based on egress/ingress interface or egress/ingress zone?", it is actually performed under security policy. Please check the following KB article for more information - https://kb.juniper.net/InfoCenter/index?page=content&id=KB25094

Please do let me know if your query isn't addressed in those KB articles.

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: TCP Syn check on zone based firewall

4 weeks ago

Hi, thanks for replying.

I have read those documents but I don't think either of them really addresses my question. The first link talks about scenarios in which all the interfaces are in different security zones.

The second link talks about how to disable SYN checking on a per-policy basis, which is useful but again doesn't really address the question: if a SYN is sent on one interface and the SYN/ACK is received on a different interface in the same security zone, would that be allowed or blocked?

Thanks

Paul


Re: TCP Syn check on zone based firewall

[ Edited ]
4 weeks ago

Hi Paul,

Please find the answer to your query below:

If a syn is sent on one interface and the syn/ack is received on a different interface in the same security zone, would that be allowed or blocked?

I have just edited my answer because I said the traffic will be blocked, but it isn't. I did some testing, and even for TCP traffic, if the SYN is sent on one interface and the SYN+ACK is received on a different interface with both interfaces in the same security zone, the TCP traffic will be allowed by the SRX.

The logical reason behind this behaviour is that session creation is performed based on a 6-tuple (source IP, destination IP, source port, destination port, protocol, and a unique token for the zone or virtual router) when we send the TCP SYN. When the return traffic comes, the same tuple is matched, thereby finding the session in the session table.

I hope this answers your query.

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
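The 6-tuple session matching described in the last reply, worked through as a small model. This is an added example, not Junos code and not part of the thread: the interface names (ge-0/0/0 to ge-0/0/2), zone names, addresses and the single default route are constructed, and the "zone token" is simply the zone name. It also covers the case the first reply's KB link is about, where the return interface sits in a different zone, so the reverse wing does not match and the non-SYN first packet is dropped by the TCP SYN check.

```python
"""Toy model of SRX-style session lookup on a 6-tuple:
(src IP, dst IP, src port, dst port, protocol, zone token).

Constructed example for the asymmetric-return question in the thread.
Interface names, zones and addresses are made up; routing is collapsed
to one default route so the SYN always leaves via "ISP1".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str            # "tcp" in this example
    flags: frozenset      # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    ingress_if: str       # interface the packet arrived on


class ZoneFirewall:
    def __init__(self, interface_zones, default_egress_if, policies):
        self.interface_zones = dict(interface_zones)   # interface -> zone
        self.default_egress_if = default_egress_if     # "route lookup" result
        self.policies = set(policies)                  # allowed (from, to) zone pairs
        self.sessions = {}                             # 6-tuple -> session id
        self.next_sid = 1

    def zone_of(self, ifname):
        return self.interface_zones[ifname]

    def process(self, pkt):
        in_zone = self.zone_of(pkt.ingress_if)
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto, in_zone)
        if key in self.sessions:
            # Existing session: fast path, no policy or SYN check needed.
            return f"ALLOW (session {self.sessions[key]})"
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            # TCP SYN check: a non-SYN packet with no session never creates one.
            return "DROP (tcp syn check: no session for non-SYN packet)"
        out_if = self.default_egress_if
        out_zone = self.zone_of(out_if)
        if (in_zone, out_zone) not in self.policies:
            return f"DROP (no policy {in_zone} -> {out_zone})"
        sid = self.next_sid
        self.next_sid += 1
        # Forward wing is keyed on the initiator's ingress zone; the reverse
        # wing is keyed on the zone the reply is expected from (the SYN's
        # egress zone). Which interface inside that zone the reply uses is
        # irrelevant to the lookup.
        self.sessions[key] = sid
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto, out_zone)
        self.sessions[reverse] = sid
        return f"ALLOW (session {sid} created, {in_zone} -> {out_zone} via {out_if})"


def run_scenario(isp2_zone):
    """SYN leaves via ISP1 (ge-0/0/1, untrust); SYN+ACK returns via ISP2
    (ge-0/0/2), whose zone is the parameter. Returns both verdicts."""
    fw = ZoneFirewall(
        interface_zones={"ge-0/0/0": "trust", "ge-0/0/1": "untrust", "ge-0/0/2": isp2_zone},
        default_egress_if="ge-0/0/1",
        policies={("trust", "untrust")},
    )
    syn = Packet("10.0.0.10", "203.0.113.80", 40000, 443, "tcp",
                 frozenset({"SYN"}), "ge-0/0/0")
    synack = Packet("203.0.113.80", "10.0.0.10", 443, 40000, "tcp",
                    frozenset({"SYN", "ACK"}), "ge-0/0/2")
    return fw.process(syn), fw.process(synack)


if __name__ == "__main__":
    print("ISP2 in untrust:   ", run_scenario("untrust"))    # reply allowed
    print("ISP2 in untrust2:  ", run_scenario("untrust2"))   # reply dropped
```

With both ISP interfaces in untrust, the returning SYN+ACK builds the same 6-tuple the reverse wing was installed with and is allowed. Moving the second ISP interface into its own zone changes the zone token, the lookup misses, and the SYN check drops the packet, which is the situation the KB article in the first reply covers and the reason a per-policy SYN-check exception (second KB) is sometimes needed.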