Related Documentation
- EX, J, M, MX, PTX, SRX, T Series
- Understanding How to Use Standard Firewall Filters
- Example: Configuring a Stateless Firewall Filter to Handle Fragments
Firewall Filters That Handle Fragmented Packets Overview
You can create stateless firewall filters that handle fragmented packets destined for the Routing Engine. By applying these policies to the Routing Engine, you protect against the use of IP fragmentation as a means to disguise TCP packets from a firewall filter.
For example, consider an IP packet that is fragmented into the smallest allowable fragment size of 8 bytes (a 20-byte IP header plus an 8-byte payload). If this IP packet carries a TCP packet, the first fragment (fragment offset of 0) that arrives at the device contains only the TCP source and destination ports (first 4 bytes) and the sequence number (next 4 bytes). The TCP flags, which are contained in the next 8 bytes of the TCP header, arrive in the second fragment (fragment offset of 1, because the offset field counts 8-byte units). A filter term that matches on TCP flags therefore cannot match the first fragment, and it cannot match the second fragment either because that fragment carries no identifiable transport header.
On all SRX Series and J Series devices, fragmented packets are not sampled correctly by the firewall filter. When sampling, port mirroring, or cflow is applied on an interface in the output direction, packets are sampled before the packet is fragmented, whereas packet capture captures the packets after fragmentation.
See RFC 1858, Security Considerations for IP Fragment Filtering.
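The following is an added example, not part of the Juniper documentation and not the device's own filter implementation. It builds a constructed IPv4/TCP SYN packet, fragments it into 8-byte pieces exactly as described above, and then runs two filter models over the fragments: a naive term that matches on TCP flags (and so sees nothing in the first fragment), and a term that applies the RFC 1858 recommendations of discarding a first fragment too short to carry the TCP flags and discarding any fragment with offset 1. All addresses, ports and function names are assumptions for the demonstration; IP and TCP checksums are left at zero because the filter logic does not depend on them.

```python
import struct

TCP = 6
SYN = 0x02
ACK = 0x10


def build_ipv4_tcp_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + tcp


def fragment(packet, frag_payload_len=8):
    """Split an IPv4 packet into fragments carrying frag_payload_len bytes each (multiple of 8)."""
    assert frag_payload_len % 8 == 0
    header, payload = packet[:20], packet[20:]
    frags = []
    for offset in range(0, len(payload), frag_payload_len):
        chunk = payload[offset:offset + frag_payload_len]
        more = 1 if offset + frag_payload_len < len(payload) else 0
        hdr = bytearray(header)
        struct.pack_into("!H", hdr, 2, 20 + len(chunk))            # total length
        struct.pack_into("!H", hdr, 6, (more << 13) | (offset // 8))  # MF flag + offset in 8-byte units
        frags.append(bytes(hdr) + chunk)
    return frags


def parse_ipv4(frag):
    """Extract the fields a stateless filter needs from one fragment."""
    ver_ihl, _, _, _, frag_field, _, proto = struct.unpack("!BBHHHBB", frag[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": bool(frag_field & 0x2000),
        "fragment_offset": frag_field & 0x1FFF,
        "payload": frag[ihl:],
    }


def tcp_flags_in(payload):
    """Return the TCP flags byte if the fragment payload reaches it (byte 13), else None."""
    return payload[13] if len(payload) >= 14 else None


def naive_syn_filter(frag):
    """Models a term 'protocol tcp; tcp-flags syn' that only looks at what this fragment carries."""
    p = parse_ipv4(frag)
    if p["proto"] != TCP or p["fragment_offset"] != 0:
        return "accept"
    flags = tcp_flags_in(p["payload"])
    if flags is not None and flags & SYN and not flags & ACK:
        return "discard"
    return "accept"  # flags absent from this fragment: the term cannot match


def rfc1858_syn_filter(frag):
    """Same SYN policy, hardened with the RFC 1858 tiny-fragment and offset-1 checks."""
    p = parse_ipv4(frag)
    if p["proto"] != TCP:
        return "accept"
    off = p["fragment_offset"]
    if off == 1:
        return "discard"  # fragment that would overwrite the flags during reassembly
    if off == 0:
        flags = tcp_flags_in(p["payload"])
        if flags is None:
            return "discard"  # first fragment too short to carry the TCP flags
        if flags & SYN and not flags & ACK:
            return "discard"
    return "accept"


def evaluate(filter_fn, frags):
    """Apply a filter model to each fragment and return the per-fragment actions."""
    return [filter_fn(f) for f in frags]


if __name__ == "__main__":
    pkt = build_ipv4_tcp_packet("192.0.2.1", "198.51.100.1", 40000, 22, SYN)
    frags = fragment(pkt)
    print("unfragmented, naive:  ", evaluate(naive_syn_filter, [pkt]))
    print("fragmented, naive:    ", evaluate(naive_syn_filter, frags))
    print("fragmented, RFC 1858: ", evaluate(rfc1858_syn_filter, frags))
```

Running the script shows the naive term discarding the whole SYN packet but accepting all three fragments of the same packet, while the hardened term discards the 8-byte first fragment and the offset-1 fragment, so the packet can never be reassembled on the Routing Engine.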
Published: 2013-04-10