Guidelines and Limitations for TCP State Bypass
TCP State Bypass Unsupported Features
The following features are not supported when you use TCP state bypass:
-
Application inspection—Inspection requires both inbound and outbound traffic to go through the same threat defense, so inspection is not applied to TCP state bypass traffic.
-
Snort inspection—Inspection requires both inbound and outbound traffic to go through the same device. However, Snort inspection is not automatically bypassed for TCP state bypass traffic. You must also configure a prefilter fastpath rule for the same traffic class for which you configure TCP state bypass.
-
TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The threat defense does not keep track of the state of the connection, so these features are not applied.
-
TCP normalization—The TCP normalizer is disabled.
-
Stateful failover.
TCP State Bypass NAT Guidelines
Because the translation session is established separately for each threat defense, be sure to configure static NAT on both devices for TCP state bypass traffic. If you use dynamic NAT, the address chosen for the session on Device 1 will differ from the address chosen for the session on Device 2.