Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

tcp-options (Security Policies)

Syntax

Hierarchy Level

Hierarchy Level

Description

Specify the TCP options for each policy. You can configure sync and sequence checks for each policy based on your requirements, and, because each policy has two directions, you can configure a TCP MSS value for both directions or for just one direction. To configure per-policy TCP options, you must turn off the respective global options. Otherwise, the commit check will fail.

Note:

TCP maximum segment size (MSS) does not have a default value. The value is determined either from policy configuration or from flow configuration.

Example:

[set security flow tcp-mss all-tcp mss mss-value]

The priority for setting the MSS is given to the policy-level configuration. If there are no configurations at both the policy and flow levels, then the MSS indicated by the respective endpoint will remain as it is.

See tcp-mss (Security Flow) for details.

Note:

TCP maximum segment size (MSS) does not have a default value. The value is determined either from policy configuration or from flow configuration.

Example:

[set security flow tcp-mss all-tcp mss <mss-value>]

The priority for setting the MSS is given to the policy-level configuration. If there are no configurations at both the policy and flow levels, then the MSS indicated by the respective endpoint will remain as it is.

See tcp-mss (Security Flow) for details.

Options

initial-tcp-mss

Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and for which a session is created. The value you configure overrides the TCP MSS value in the incoming packet when the value in the packet is higher than the one you specify.

The initial-tcp-mss value per policy takes precedence over a global tcp-mss value (all-tcp, ipsec-vpn, gre-in, gre-out), if one is configured. However, when the syn-flood-protection-mode syn-proxy statement at the [edit security flow] hierarchy level is used to enable SYN proxy defenses against SYN attacks, the TCP MSS value is not overriden.

Because each policy has two directions, you can configure a value for both directions or for just one direction. To configure a TCP MSS value for the reverse session, use the reverse-tcp-mss option.

  • Range: 64 through 65535
reverse-tcp-mss

Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session. The value you configure replaces the TCP MSS value when the value in the packet is higher than the one you specify.

The reverse-tcp-mss value per policy takes precedence over a global tcp-mss value (all-tcp, ipsec-vpn, gre-in, gre-out), if one is configured. However, when the syn-flood-protection-mode syn-proxy statement at the [edit security flow] hierarchy level is used to enable SYN proxy defenses against SYN attacks, the TCP MSS value is not overridden.

Because each policy has two directions, you can configure a value for both directions or for just one direction. To configure the TCP MSS value for the initial session, use the initial-tcp-mss option.

  • Range: 64 through 65535
sequence-check-required

Enable sequence check per policy. The sequence-check-required value overrides the global value no-sequence-check.
syn-check-required

Enable sync check per policy. The syn-check-required value overrides the global value no-syn-check.
window-scale

Enable window-scale per policy.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

The tcp-options, sequence-check-required, and syn-check-required statements are introduced in Junos OS Release 10.4.

The initial-tcp-mss and reverse-tcp-mss statements are introduced in Junos OS Release 12.3X48-D20.

The window-scale statement is introduced in Junos OS Release 15.1X49-D70.

Related Documentation