TCP Syn Checking per Policy?
We have a ShoreTel phone system that passes traffic through our XTM515. I've been hunting down the cause of some lag in the system, and discovered multiple TCP Syn failures between the ShoreTel devices. Simple fix is to turn TCP Syn Checking off Globally, which I've done, and it seems to eliminate the lag. However, I'd rather have it enabled Globally, but DISABLE it on the 'local traffic' policy that the WatchGuard uses to pass traffic between local interfaces. Is this possible? I can't seem to find reference to it anywhere, though it was mentioned for a Juniper device...
Comments
Sorry, it is an all or nothing option.
Disabling it does not incur a significant security risk.
Here is info from a 2007 post related to this option. The info came from WatchGuard Tech Support:
"TCP SYN checking checks the Half Close connections. There is a timeout value fixed for the packets to be received by sequence to the firebox. If the packet hits after the timeout value the firebox RESETS the connection. When we DISABLE this option it still works on 3-way handshake protocol but it doesn't set the timeout value so it doesn't reset the connection frequently or doesn't wait for the packet to reach in sequence. So, disabling that option doesn't create a security hole on the firebox because it will still block half close connections."
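To make the distinction in that support explanation concrete, here is a small stateful-inspection model written for this page; it is an added illustration, not code from the comment author or from WatchGuard. It assumes a 2-second sequence timeout, a simplified one-segment-per-packet sequence model, and constructed flow keys and arrival times. Both modes enforce the three-way handshake and drop data on flows with no handshake; only the enabled mode holds out-of-sequence segments and resets the connection when they are still out of sequence after the timeout, which is the behaviour that showed up as lag between the ShoreTel devices.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str     # flow key such as "10.0.0.5:40000>10.0.0.9:5060" (constructed)
    flags: str    # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int      # sequence number carried by the packet
    t: float      # arrival time in seconds (constructed)


@dataclass
class FlowState:
    state: str              # "SYN_SENT", "SYN_RECEIVED" or "ESTABLISHED"
    next_seq: int           # next in-sequence number the inspector expects
    last_in_order_t: float  # arrival time of the last in-sequence packet


class StatefulFirewall:
    """Toy inspector modelling the two behaviours the support explanation describes."""

    def __init__(self, syn_checking: bool, sequence_timeout: float = 2.0):
        self.syn_checking = syn_checking
        self.sequence_timeout = sequence_timeout  # assumed value, not WatchGuard's
        self.flows: dict[str, FlowState] = {}

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: ALLOW, HOLD, DROP or RESET."""
        fs = self.flows.get(pkt.flow)

        # No state yet: only a SYN may open a flow. Anything else is a
        # handshake-less (half-open) packet and is dropped in both modes.
        if fs is None:
            if pkt.flags != "SYN":
                return "DROP"
            self.flows[pkt.flow] = FlowState("SYN_SENT", pkt.seq + 1, pkt.t)
            return "ALLOW"

        # Handshake enforcement happens whether or not SYN checking is on.
        if fs.state == "SYN_SENT":
            if pkt.flags == "SYN-ACK":
                fs.state = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if fs.state == "SYN_RECEIVED":
            if pkt.flags == "ACK":
                fs.state = "ESTABLISHED"
                fs.last_in_order_t = pkt.t
                return "ALLOW"
            return "DROP"

        # ESTABLISHED: sequence handling is the only place the option matters.
        if pkt.seq == fs.next_seq:
            fs.next_seq += 1  # simplified: one sequence step per segment
            fs.last_in_order_t = pkt.t
            return "ALLOW"
        if not self.syn_checking:
            # Disabled: no timeout and no waiting for in-sequence arrival.
            return "ALLOW"
        if pkt.t - fs.last_in_order_t > self.sequence_timeout:
            del self.flows[pkt.flow]  # the inspector resets the connection
            return "RESET"
        return "HOLD"  # wait for the missing segment while inside the timeout


def run_trace(syn_checking: bool) -> list[str]:
    """Feed a constructed trace: a full handshake, one in-order segment, a
    segment that is out of sequence within the timeout, the same segment
    again after the timeout, and finally data on a flow with no handshake."""
    f = "10.0.0.5:40000>10.0.0.9:5060"  # constructed flow key
    trace = [
        Packet(f, "SYN", 100, 0.0),
        Packet(f, "SYN-ACK", 500, 0.01),
        Packet(f, "ACK", 101, 0.02),
        Packet(f, "DATA", 101, 0.10),  # in sequence
        Packet(f, "DATA", 103, 0.50),  # out of sequence, inside the timeout
        Packet(f, "DATA", 103, 3.50),  # still out of sequence, after the timeout
        Packet("10.0.0.7:40001>10.0.0.9:5060", "DATA", 1, 4.0),  # no handshake
    ]
    fw = StatefulFirewall(syn_checking)
    return [fw.inspect(p) for p in trace]


if __name__ == "__main__":
    print("SYN checking enabled: ", run_trace(True))
    print("SYN checking disabled:", run_trace(False))
```

The last packet in the trace is dropped in both runs, which is the point the support reply makes: the handshake check stays in force with the option off, so what you lose is only the sequence timeout that was resetting the phone traffic.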