Configure TCP State Bypass

To bypass TCP state checking in asymmetrical routing environments, carefully define a traffic class that applies to the affected hosts or networks only, then enable TCP State Bypass on that traffic class using a service policy. You must also configure a corresponding prefilter fastpath policy for the same traffic to ensure that the traffic also bypasses inspection.

Because bypass reduces the security of the network, limit its application as much as possible.

Procedure


Step 1

Create the extended ACL that defines the traffic class.

For example, to define a traffic class for TCP traffic from 10.1.1.1 to 10.2.2.2, do the following:

  1. Choose Objects > Object Management.

  2. Choose Access List > Extended from the table of contents.

  3. Click Add Extended Access List.

  4. Enter a Name for the object, for example, bypass.

  5. Click Add to add a rule.

  6. Keep Allow for the action.

  7. Enter 10.1.1.1 beneath the Source list and click Add, and 10.2.2.2 beneath the Destination list, and click Add.

  8. Click Port, select TCP (6) beneath the Selected Source Ports list, and click Add. Do not enter a port number, simply add TCP as the protocol, which will cover all ports.

  9. Click Add on the Extended Access List Entry dialog box to add the rule to the ACL.

  10. Click Save on the Extended Access List Object dialog box to save the ACL object.

Step 2

Configure the TCP state bypass service policy rule.

For example, to configure TCP state bypass for this traffic class globally, do the following:

  1. Choose Policies > Access Control, and edit the policy assigned to the devices that require this service.

  2. Click Advanced Settings from the More drop-down arrow at the end of the packet flow line, and click Edit (edit icon) for the Threat Defense Service Policy.

  3. Click Add Rule.

  4. Select Apply Globally > Next.

  5. Select the extended ACL object you created for this rule and click Next.

  6. Select Enable TCP State Bypass.

  7. (Optional.) Adjust the Idle timeout for bypassed connections. The default is 2 minutes.

  8. Click Finish to add the rule. If necessary, drag and drop the rule to the desired position in the service policy.

  9. Click OK to save the changes to the service policy.

  10. Click Save on Advanced to save the changes to the access control policy.

Step 3

Configure a prefilter fastpath rule for the traffic class.

You cannot use the ACL object in the prefilter rule, so you need to recreate the traffic class either directly in the prefilter rule, or by first creating network objects that define the class.

The following procedure assumes that you already have a prefilter policy attached to the access control policy. If you have not created a prefilter policy yet, go to Policies > Prefilter and first create the policy. You can then follow this procedure to attach it to the access control policy and create the rule.

Keeping with our example, this procedure creates a fastpath rule for TCP traffic from 10.1.1.1 to 10.2.2.2.

  1. Choose Policies > Access Control, and edit the policy that has the TCP bypass service policy rule.

  2. Click the link for the Prefilter Policy, which is to the left immediately under the policy description.

  3. In the Prefilter Policy dialog box, select the policy to assign to the device if the correct one is not already selected. Do not click OK yet.

    Because you cannot add rules to the default prefilter policy, you must choose a custom policy.

  4. In the Prefilter Policy dialog box, click the Edit (edit icon). This action opens a new browser window where you can edit the policy.

  5. Click Add Prefilter Rule and configure a rule with the following properties.

    • Name—Any name that you find meaningful will do, such as TCPBypass.

    • Action—Select Fastpath.

    • Interface Objects—If you configured TCP state bypass as a global rule, leave the default, any, for both source and destination. If you created an interface-based rule, select the same interface objects you used for the rule in the Source Interface Objects list, and keep any as the destination.

    • Networks—Add 10.1.1.1 to the Source Networks list, and 10.2.2.2 to the Destination Networks list. You can either use network objects or manually add the addresses.

    • Ports—Under Selected Source Ports, select TCP (6), do not enter a port, and click Add. This will apply the rule to all (and only) TCP traffic, regardless of TCP port number.

  6. Click Add to add the rule to the prefilter policy.

  7. Click Save to save your changes to the prefilter policy.

    You can now close the prefilter edit window and return to the access control policy edit window.

  8. In the access control policy edit window, the Prefilter Policy dialog box should still be open. Click OK to save your changes to the prefilter policy assignment.

  9. Click Save on the access control policy to save the changed prefilter policy assignment, if you changed it.

    You can now deploy the changes to the affected devices.
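The procedure above pairs every TCP-bypass traffic class (Step 1 and 2) with a prefilter fastpath rule for the same traffic (Step 3), and asks you to keep the class as narrow as possible. The following added example, which is not part of this documentation or of the Cisco product, is a small audit script that checks both points against a simplified, assumed representation of the two policies (the AclEntry and PrefilterRule classes are constructed here, not an FMC API): it flags bypass classes with an "any" endpoint and classes that no fastpath rule covers.

```python
"""Audit TCP state bypass configuration for scope and prefilter coverage (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One entry of the extended ACL used by the service-policy traffic class (assumed model)."""
    src: str                # host, network in CIDR form, or "any"
    dst: str
    protocol: str = "tcp"   # the page's class matches all TCP ports, so no port field


@dataclass
class PrefilterRule:
    """One prefilter rule (assumed model); action is "fastpath", "analyze" or "block"."""
    action: str
    src_nets: list
    dst_nets: list
    protocol: str = "tcp"


def _net(spec):
    """Turn a host, CIDR or "any" into an ip_network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _covered(spec, nets):
    """True if every address in spec falls inside one of nets."""
    return any(_net(spec).subnet_of(_net(n)) for n in nets)


def check_bypass(acl, prefilter):
    """Return a list of findings; an empty list means the bypass configuration is consistent."""
    findings = []
    for e in acl:
        if e.src == "any" or e.dst == "any":
            findings.append(f"bypass class {e.src} -> {e.dst} is overly broad (contains 'any')")
        if e.protocol.lower() != "tcp":
            findings.append(f"bypass class {e.src} -> {e.dst} is not TCP; state bypass is meaningless here")
        # the same traffic must also be fastpathed, otherwise it still reaches inspection
        if not any(r.action == "fastpath" and r.protocol.lower() == e.protocol.lower()
                   and _covered(e.src, r.src_nets) and _covered(e.dst, r.dst_nets)
                   for r in prefilter):
            findings.append(f"no fastpath prefilter rule covers bypass class {e.src} -> {e.dst}")
    return findings


# constructed sample mirroring the page's example: TCP 10.1.1.1 -> 10.2.2.2
GOOD_ACL = [AclEntry("10.1.1.1", "10.2.2.2")]
GOOD_PREFILTER = [PrefilterRule("fastpath", ["10.1.1.1"], ["10.2.2.2"])]
```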