A fragmented SYN packet is anomalous, and as such it is suspect. To be cautious, block such unknown elements from entering your protected network.
| Before You Begin |
|---|
| For background information, read Understanding SYN Fragment Protection. |
You can use either J-Web or the CLI configuration editor to drop IP packets containing SYN fragments. The specified security zone is the one from which the packets originated.
This topic covers:

- To configure screens
- To configure zones

To configure screens:

- user@host# set security screen ids-option syn-frag tcp syn-frag

This creates a screen object named syn-frag (the ids-option name) and enables its TCP SYN fragment check.

To configure zones:

- user@host# set security zones security-zone zone screen syn-frag

Here zone is the name of the security zone from which the packets originate, and syn-frag is the screen object created in the previous step; a screen has no effect until it is bound to a zone.
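The configuration that the two set commands above produce, shown in Junos hierarchical form. This is an added illustration, not text from the original page; the zone name untrust is assumed, and the commented-out alarm-without-drop knob is an optional detection-only mode for baselining before enforcement.

```junos
/* Added example: SYN fragment screen bound to a zone (zone name "untrust" is assumed) */
security {
    screen {
        ids-option syn-frag {
            /* Optional: log matches without dropping while you baseline traffic.
               Remove it once you are sure legitimate flows are not affected. */
            /* alarm-without-drop; */
            tcp {
                /* Drop IP fragments that carry a TCP SYN */
                syn-frag;
            }
        }
    }
    zones {
        security-zone untrust {
            /* The screen only takes effect once it is applied to the ingress zone */
            screen syn-frag;
        }
    }
}
```

After commit, show security screen ids-option syn-frag confirms the screen settings, and show security screen statistics zone untrust shows the SYN fragment counter increasing as packets are dropped (or, with alarm-without-drop, only logged).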