How to Determine the Number of Rejected Non-SYN TCP Packets


To check the current setting (default value = true):

> show session info | match non-SYN

  TCP - reject non-SYN first packet:             True

To enable the rejection of Non-SYN TCP packets, run the following CLI command:

> set session tcp-reject-non-syn yes

Note: The above command is issued in operational mode and will not be permanent. To make the change permanent, issue the following command in configuration mode:

# set deviceconfig setting session tcp-reject-non-syn yes

To monitor the packet drops, run the following commands:

> show counter global filter delta yes packet-filter yes | match syn

> show counter global filter delta yes packet-filter yes | match drop
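
One way to total the rejected non-SYN packets from saved output of the two monitoring commands above (an added example, not part of the original document). The sample text is constructed, and the counter names and the column layout (name, value, rate, severity, category, aspect, description) are assumptions about what the device prints.

```python
import re

# Constructed sample of saved CLI output; not captured from a real device.
SAMPLE_OUTPUT = """\
> show counter global filter delta yes packet-filter yes | match syn
flow_tcp_non_syn         37    3 info  flow  session  Non-SYN TCP packets without session match
flow_tcp_non_syn_drop    37    3 drop  flow  session  Packets dropped: non-SYN TCP without session match
> show counter global filter delta yes packet-filter yes | match drop
flow_tcp_non_syn_drop    37    3 drop  flow  session  Packets dropped: non-SYN TCP without session match
flow_policy_deny         12    1 drop  flow  session  Session setup: denied by policy
"""

# Assumed row layout: name value rate severity category aspect description
ROW = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.*)$"
)

def parse_counters(text):
    """Return {counter_name: row}; prompt, header and separator lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        row["value"] = int(row["value"])
        row["rate"] = int(row["rate"])
        # "match syn" and "match drop" can both print the same counter;
        # keying by name stops it from being counted twice.
        counters[row["name"]] = row
    return counters

def non_syn_drops(text):
    """Delta values of drop-severity counters whose name mentions non_syn."""
    return {
        name: row["value"]
        for name, row in parse_counters(text).items()
        if row["severity"] == "drop" and "non_syn" in name
    }

def total_non_syn_drops(text):
    return sum(non_syn_drops(text).values())

if __name__ == "__main__":
    for name, value in non_syn_drops(SAMPLE_OUTPUT).items():
        print(f"{name}: {value}")
    print("total rejected non-SYN packets:", total_non_syn_drops(SAMPLE_OUTPUT))
```

Because the commands use "delta yes", each value covers only the interval since the counters were last read, so totals from successive runs are added together rather than compared.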

owner: panagent

Comments

set session is not a command available in configuration mode. So what is the correct syntax for this to be persistent?

Looks like 'set deviceconfig setting' is where it's hidden at:

# set deviceconfig setting session tcp-reject-non-syn [ no | yes ]

(don't forget to commit too!)

Shouldn't the command to enable the rejection of non-SYN TCP packets be

> set session tcp-reject-non-syn yes

?

Thanks for the comments. The document has been updated.