•
TFTP on page 1016
•
UNIX Remote-Shell Services on page 1018
Basic TCP
This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates
the following anomaly events and system log messages:
•
TCP source or destination port zero
•
TCP header length check failed
•
TCP sequence number zero and no flags are set
•
TCP sequence number zero and FIN/PSH/RST flags are set
•
TCP FIN/RST or SYN(URG|FIN|RST) flags are set
The TCP ALG performs the following steps:
1. When the router receives a SYN packet, the ALG creates TCP forward and reverse
flows and groups them in a conversation. It tracks the TCP three-way handshake.
2. The SYN-defense mechanism tracks the TCP connection establishment state. It
expects the TCP session to be established within a small time interval (currently
4 seconds). If the TCP three-way handshake is not established in that period, the
session is terminated.
3. A keepalive mechanism detects TCP sessions with nonresponsive endpoints.
4. ICMP errors are allowed only when a flow matches the selector information specified
in the ICMP data.
Basic UDP
This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates
the following anomaly events and system log messages:
•
UDP source or destination port 0
•
UDP header length check failed
The UDP ALG performs the following steps:
1. When it receives the first packet, the ALG creates bidirectional flows to accept forward
and reverse UDP session traffic.
2. If the session is idle for more than the maximum allowed idle time (the default is
30 seconds), the flows are deleted.
3. ICMP errors are allowed only when a flow matches the selector information specified
in the ICMP data.
1011Copyright © 2017, Juniper Networks, Inc.
Chapter 31: Configuring Network Address Translation (NAT) and Stateful Firewall Services
To Next Page
Loading...
Need help?
General
