Blocking Packets with No Flags Set

A TCP segment with no control flags set is an anomalous event, and the recipient's response to it varies depending on the OS. Blocking packets with no flags set helps prevent operating system probes. When you enable the device to detect TCP segment headers with no flags set, the device drops all TCP packets with a missing or malformed flags field.

Before You Begin

For background information, read Understanding Operating System Probes.

You can use either J-Web or the CLI configuration editor to block packets with no flags set.

J-Web Configuration

To configure screens:

  1. Select CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Screen, click Configure.
  4. Next to Ids option, click Add new entry.
  5. In the Name box, type tcp-no-flag.
  6. Next to Tcp, click Configure.
  7. Next to tcp no flag, select the check box and click OK.
  8. To save and commit the configuration, click Commit.

To configure zones:

  1. Select CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type zone.
  6. In the Screen box, type tcp-no-flag and click OK.
  7. To save and commit the configuration, click Commit.

CLI Configuration

user@host# set security screen ids-option tcp-no-flag tcp tcp-no-flag
user@host# set security zones security-zone zone screen tcp-no-flag
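
To check captured traffic offline for the condition this screen matches, the following added example (not part of the Juniper documentation) parses raw IPv4 packets and reports TCP segments with no control flags set. The function names, the sample packets and the choice to test only the six classic control bits (URG, ACK, PSH, RST, SYN, FIN) are assumptions; the page does not state how the device treats the ECN bits.

```python
import struct

TCP_PROTO = 6
CONTROL_FLAGS = 0x3F  # URG, ACK, PSH, RST, SYN, FIN (assumed mask, see lead-in)

def tcp_no_flag(packet: bytes) -> bool:
    """Return True if packet is an IPv4 TCP segment with no control flags set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return False                      # bad IHL, or TCP flags byte missing
    (frag,) = struct.unpack_from("!H", packet, 6)
    if packet[9] != TCP_PROTO or frag & 0x1FFF:
        return False                      # not TCP, or a non-first fragment
    return packet[ihl + 13] & CONTROL_FLAGS == 0

def scan(packets):
    """Return the indexes of packets that are no-flag TCP segments."""
    return [i for i, p in enumerate(packets) if tcp_no_flag(p)]

def build_sample(flags: int) -> bytes:
    """Constructed IPv4 + TCP headers for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed samples: SYN, no flags, ACK, no flags
    samples = [build_sample(f) for f in (0x02, 0x00, 0x10, 0x00)]
    print("no-flag segments at indexes:", scan(samples))
```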
