SRX devices are stateful firewalls and will only allow traffic that matches an existing session. Sessions are created when a TCP SYN packet is received and permitted by the security policy. This of course means that the firewall needs to see both directions of a flow (client-to-server and server-to-client); otherwise these checks will block legitimate packets.
Whenever possible it's best to ensure that asymmetric flows can't occur, but this is not always achievable. Therefore you can disable these checks globally on the SRX:
Obviously configuring this has a security impact, and because it is a global option it applies to all traffic flowing through the device. That's unfortunate, as these checks typically only need to be relaxed for a few policies. Luckily recent JunOS releases allow these checks to be enabled on a per-policy basis, like this:
The problem here is that Juniper implemented "syn-check-required" and "sequence-check-required" options instead of "no-syn-check-required" and "no-sequence-check-required", which would be a lot more usable in the real world. But because this is JunOS, there are of course ways around this. To disable TCP SYN or sequence checking on one policy while enabling it on all other policies, an apply-group can be used. The idea is the following:
- Globally disable SYN and sequence checking
- Use an apply-group to set "syn-check-required" and "sequence-check-required" on ALL security policies
- Use apply-groups-except to exclude that apply-group from the few policies where SYN or sequence checking is not desired
In JunOS code it looks like this:
Hopefully Juniper will some day implement the "no-sequence-check" option at a per-policy level, but until then, this workaround can be used.
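The three steps above written out in set-style configuration, as an added example rather than the post's own config; the group name "tcp-strict" and the zone, policy and application names are made up for illustration.

```junos
# Step 1: disable SYN and sequence checking globally
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# Step 2: a configuration group that re-enables both checks on every
# policy; <*> wildcards match any zone pair and any policy name
set groups tcp-strict security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options syn-check-required
set groups tcp-strict security policies from-zone <*> to-zone <*> policy <*> then permit tcp-options sequence-check-required
set apply-groups tcp-strict

# Constructed example policy: ordinary traffic inherits both checks
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Step 3: the asymmetrically routed application keeps its permit but
# opts out of the group, so neither check is enforced on its sessions.
# apply-groups-except removes the whole group; to relax only one of the
# two checks on a policy, split them into two groups and exclude one.
set security policies from-zone trust to-zone untrust policy asym-app match source-address any
set security policies from-zone trust to-zone untrust policy asym-app match destination-address any
set security policies from-zone trust to-zone untrust policy asym-app match application any
set security policies from-zone trust to-zone untrust policy asym-app then permit
set security policies from-zone trust to-zone untrust policy asym-app apply-groups-except tcp-strict

# Check what each policy really inherits before committing; inherited
# statements are annotated with the group name in this output
# show configuration security policies from-zone trust to-zone untrust | display inheritance
```

Review the inheritance output for every zone pair, not just the one shown, since the wildcard group touches all policies on the device.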