Disable TCP Sequence Randomization

Each TCP connection has two initial sequence numbers (ISN): one generated by the client and one generated by the server. The threat defense device randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session. However, TCP sequence randomization effectively breaks TCP SACK (Selective Acknowledgement), as the sequence numbers the client sees are different from what the server sees.

You can disable TCP initial sequence number randomization if necessary, for example, because data is getting scrambled. Following are some situations where you might want to disable randomization.

  • If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to perform this action, although having both do so does not affect the traffic.

  • If you use eBGP multi-hop through the device, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

  • If you use a WAAS device that requires the threat defense device not to randomize the sequence numbers of connections.

  • If you enable hardware bypass for the ISA 3000, and TCP connections are dropped when the ISA 3000 is no longer part of the data path.

Procedure

Step 1

Create the extended ACL that defines the traffic class.

For example, to define a traffic class for TCP traffic from any host to 10.2.2.2, do the following:

  1. Choose Objects > Object Management.

  2. Choose Access List > Extended from the table of contents.

  3. Click Add Extended Access List.

  4. Enter a Name for the object, for example, preserve-sq-no.

  5. Click Add to add a rule.

  6. Keep Allow for the action.

  7. Leave the Source list empty, enter 10.2.2.2 beneath the Destination list, and click Add.

  8. Click Port, select TCP (6) beneath the Selected Source Ports list, and click Add. Do not enter a port number; simply add TCP as the protocol, which covers all ports.

  9. Click Add on the Extended Access List Entry dialog box to add the rule to the ACL.

  10. Click Save on the Extended Access List Object dialog box to save the ACL object.

Step 2

Configure the service policy rule that disables TCP sequence number randomization.

For example, to disable randomization for this traffic class globally, do the following:

  1. Choose Policies > Access Control, and edit the policy assigned to the devices that require this service.

  2. Click Advanced Settings from the More drop-down arrow at the end of the packet flow line, and click Edit (edit icon) for the Threat Defense Service Policy.

  3. Click Add Rule.

  4. Select Apply Globally > Next.

  5. Select the extended ACL object you created for this rule and click Next.

  6. Deselect Randomize TCP Sequence Number.

  7. (Optional.) Adjust the other connection options as needed.

  8. Click Finish to add the rule. If necessary, drag and drop the rule to the desired position in the service policy.

  9. Click OK to save the changes to the service policy.

  10. Click Save on Advanced to save the changes to the access control policy.

    You can now deploy the changes to the affected devices.
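For reference, the following is an added, constructed ASA-style rendering of what the two steps above produce in the device's running configuration after deployment; it is not taken from this page. The ACL name and destination host match the example above, while the class-map name is an assumption, since the deployment generates its own names.

```cisco
! Step 1: extended ACL that selects TCP from any host to 10.2.2.2 (all ports)
access-list preserve-sq-no extended permit tcp any host 10.2.2.2
!
! Step 2: class-map that matches the ACL (class-map name is an assumption)
class-map preserve-sq-no-class
 match access-list preserve-sq-no
!
! Global service policy: ISN randomization stays enabled for all other
! connections and is disabled only for the matched traffic class
policy-map global_policy
 class preserve-sq-no-class
  set connection random-sequence-number disable
!
service-policy global_policy global
```

On the deployed device, show running-config policy-map and show service-policy let you confirm that the class and its connection setting are present; connections that do not match the ACL keep ISN randomization.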