Configuring ScreenOS Devices Guide
SCTP — The Stream Control Transmission Protocol (SCTP) is an IP transport protocol that sits at the same layer as UDP and TCP. SCTP currently provides Transport Layer functions to Internet applications: a reliable transport service that delivers data across the network in sequence and without errors. You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection. If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets.
Apple-iChat Settings — The Apple iChat ALG supports iChat applications by opening pinholes that allow text, audio, and video calls to pass through devices running ScreenOS 6.1 or later. When you enable the Apple iChat ALG, the device opens pinholes for the configured call-answer-time, which is the period during which the pinholes stay open so that the iChat audio/video session can be established. The default call-answer-time is 32 seconds; the configurable range is 20 to 90 seconds. When this timer expires, the device closes the pinholes. The iChat application fragments the packets it sends to the receiver based on the receiver's maximum segment size (MSS), which depends on the network configuration of the receiver. The fragmented packet is reassembled at the ALG for address translation. By default, the reassembly option is disabled.
IPsec-NAT Settings — You can set the IPsec-NAT timeout that applies when running ESP with a DIP pool. The default value is 30.
Related Documentation
Configuring H.323 Settings on page 119
Using Packet Flow Options on page 122
Allocating Network Bandwidth Using Traffic Shaping Options on page 119
Using Packet Flow Options
Use the packet flow options to configure how the security device regulates packet flow. The following sections detail each packet flow option:
ICMP Path MTU Discovery on page 123
Allow DNS Reply Without Matched Request on page 123
Allow MAC Cache for Management Traffic on page 123
Allow Unknown MAC Flooding on page 124
Skip TCP Sequence Number Check on page 124
TCP RST Invalid Session on page 124
Check TCP SYN Bit Before Create Session on page 125
Check TCP SYN Bit Before Create Session for Tunneled Packets on page 125
Use SYN-Cookie for SYN Flood Protection on page 125
Enforce TCP Sequence Number Check on TCP RST Packet on page 126
Use Hub-and-Spoke Policies for Untrust MIP Traffic on page 126
Copyright © 2010, Juniper Networks, Inc.