Guidelines and Limitations for TCP State Bypass
TCP State Bypass Unsupported Features
The following features are not supported when you use TCP state bypass:
- Application inspection—Inspection requires both inbound and outbound traffic to go through the same Firewall Threat Defense, so inspection is not applied to TCP state bypass traffic.
- TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The Firewall Threat Defense does not keep track of the state of the connection, so these features are not applied.
- TCP normalization—The TCP normalizer is disabled.
- Stateful failover.
- TLS server identity discovery cannot be used with TCP state bypass on an inline or inline tap interface.
TCP State Bypass NAT Guidelines
Because the translation session is established separately for each Firewall Threat Defense, be sure to configure static NAT on both devices for TCP state bypass traffic. If you use dynamic NAT, the address chosen for the session on Device 1 will differ from the address chosen for the session on Device 2.
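The following is an added illustration, not configuration from this guide, of the static NAT guideline above. It is written in the ASA-style CLI syntax that appears in a Firewall Threat Defense running configuration; the interface names, object names, host addresses (RFC 5737 documentation ranges) and port are assumptions chosen for the example. Both devices translate the bypassed host to the same fixed address, so whichever device sees the return traffic builds a matching translation.

```cisco
! ---- Device 1 ----
! Static NAT: the inside host is always translated to 192.0.2.10
object network bypass-host
 host 10.1.1.10
 nat (inside,outside) static 192.0.2.10
!
! Select only the asymmetric flow for TCP state bypass (real, untranslated addresses)
access-list tcp_bypass extended permit tcp host 10.1.1.10 host 203.0.113.50 eq 5000
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

! ---- Device 2 ----
! Identical static mapping, so the session address matches on both devices
object network bypass-host
 host 10.1.1.10
 nat (inside,outside) static 192.0.2.10
!
access-list tcp_bypass extended permit tcp host 10.1.1.10 host 203.0.113.50 eq 5000
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

! ---- What NOT to do on either device ----
! A dynamic rule such as the following lets each device pick its own
! translated address or port, so the two halves of the flow no longer match:
!   nat (inside,outside) dynamic interface
```

Keep the bypass access list as narrow as possible: every flow it matches loses the inspection, TCP Intercept and normalization protections listed above, so it should cover only the specific asymmetric connections that need it.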