Strict TCP session handling

If you turn on strict TCP session handling on Network Protection > Firewall > Advanced, the UTM only allows TCP connections that completed the three-way handshake. This means that all TCP traffic of a connection must pass the UTM. Connections that don’t meet these criteria are dropped.

With strict TCP session handling turned on, you can’t have asymmetrical routing where either inbound or outbound traffic doesn’t pass the UTM because then the UTM doesn’t see all parts of the traffic and therefore misses specific segments in the TCP header required for the handshake to complete.

If you turn off strict TCP session handling, the UTM can pick up existing TCP connections that aren’t currently handled in the connection tracking table, for example, due to a network facility reset. This means that interactive sessions such as SSH and Telnet won’t quit when a network interface is temporarily unavailable.
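The two behaviours described above (dropping flows whose handshake the firewall never saw, versus picking up a connection mid-stream after the tracking table is lost) can be illustrated with a small connection-tracking model. The following is an added example written for this page; it is not Sophos UTM code and only approximates a stateful firewall's TCP state machine. The addresses, ports and packet sequences are constructed, and the `strict`/loose split, the `flush()` call and the two scenario functions are assumptions made for the illustration.

```python
"""Simplified model of stateful TCP connection tracking in a firewall, in
'strict' mode (only flows whose three-way handshake was observed pass) and
'loose' mode (a flow with no table entry is picked up mid-stream).
Constructed educational example; it is not Sophos UTM code and does not
reproduce the UTM's exact state machine."""

from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def flow_key(pkt):
    """Direction-independent 4-tuple plus a bool: True if the packet travels
    from the tuple's first endpoint towards the second."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return ((a, b), True) if a <= b else ((b, a), False)


class ConnTracker:
    def __init__(self, strict: bool):
        self.strict = strict
        self.table = {}  # flow_key -> (state, direction of the original SYN)

    def flush(self):
        """Simulate losing the connection tracking table (e.g. a reset)."""
        self.table.clear()

    def handle(self, pkt: Packet) -> str:
        key, fwd = flow_key(pkt)
        entry = self.table.get(key)
        is_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        is_synack = {"SYN", "ACK"} <= pkt.flags
        if entry is None:
            if is_syn:                       # new connection attempt
                self.table[key] = ("SYN_SENT", fwd)
                return ACCEPT
            if self.strict:                  # mid-stream packet, handshake never seen
                return DROP
            self.table[key] = ("ESTABLISHED", fwd)   # loose mode: pick it up
            return ACCEPT
        state, orig = entry
        if state == "SYN_SENT" and is_syn and fwd == orig:
            return ACCEPT                    # retransmitted SYN
        if state == "SYN_SENT" and is_synack and fwd != orig:
            self.table[key] = ("SYN_RECV", orig)
            return ACCEPT
        if state == "SYN_RECV" and "ACK" in pkt.flags and fwd == orig:
            self.table[key] = ("ESTABLISHED", orig)   # handshake complete
            return ACCEPT
        if state == "ESTABLISHED":
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
            return ACCEPT
        # Packet does not fit the handshake sequence observed so far
        if self.strict:
            return DROP
        self.table[key] = ("ESTABLISHED", orig)
        return ACCEPT


# Constructed endpoints: a client behind the firewall and an SSH server outside.
CLIENT, SERVER = ("10.0.0.5", 40001), ("203.0.113.10", 22)


def pkt(from_client, *flags):
    src, dst = (CLIENT, SERVER) if from_client else (SERVER, CLIENT)
    return Packet(src[0], src[1], dst[0], dst[1], frozenset(flags))


HANDSHAKE = [pkt(True, "SYN"), pkt(False, "SYN", "ACK"), pkt(True, "ACK")]


def run(strict, packets, flush_before=None):
    """Feed packets through a tracker, optionally flushing its table first."""
    tracker, verdicts = ConnTracker(strict), []
    for i, p in enumerate(packets):
        if i == flush_before:
            tracker.flush()
        verdicts.append(tracker.handle(p))
    return verdicts


def scenario_table_reset(strict):
    """Full handshake, tracking table lost, then a data segment of the same session."""
    return run(strict, HANDSHAKE + [pkt(True, "ACK")], flush_before=3)


def scenario_asymmetric(strict):
    """SYN-ACK is routed around the firewall: it sees only the SYN and the final ACK."""
    return run(strict, [pkt(True, "SYN"), pkt(True, "ACK")])


if __name__ == "__main__":
    for name, fn in (("table reset", scenario_table_reset), ("asymmetric", scenario_asymmetric)):
        print(f"{name:12} strict={fn(True)}  loose={fn(False)}")
```

In the table-reset scenario the first three verdicts are identical in both modes; only the post-reset segment differs (dropped in strict mode, accepted in loose mode), which is the session-survival behaviour the page describes. In the asymmetric scenario strict mode rejects the client's final ACK because, from the firewall's viewpoint, the handshake was never completed.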