Why do I need to enable this feature? Will it protect me from an attack or something?
The first packet of any TCP communication is always a TCP SYN.
If the firewall receives a packet for which it does not have any session, then it has to be a TCP SYN packet, with which the firewall can decide whether to create a new session or drop it.
But if that packet is not a TCP SYN, the firewall ideally should drop it, as it could be an attack or the result of asymmetric routing.
The firewall can either drop it silently or send a TCP RST to the sender of that packet. With tcp-rst on the zone, it sends a TCP RST packet back.
This feature is not to protect you against an attack. When the FW receives traffic for a non-existent session, or a TCP first packet without the SYN flag set, the FW will silently discard the packet. The source will never know this traffic has been dropped on the FW. With this feature enabled, we are forcing the FW to send a reset flag and notify the source that the traffic has been dropped.
Please Mark My Solution as Accepted if it Helped, Kudos are Appreciated too .....
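Both answers above describe the same decision: a packet that matches no session is admitted only if it is a SYN; anything else is dropped, and the zone's tcp-rst setting decides whether the drop is silent or answered with a TCP RST. The following is an added example written for this thread, not code from the original posts or from any firewall vendor. It is a small Python model of that logic: the `Firewall`, `Zone` and `Packet` names are hypothetical, the session table is a plain set keyed on the 4-tuple, and the example treats a SYN-ACK (SYN with ACK set) as a non-SYN first packet, which is an assumption the thread does not state. The addresses and ports in `demo()` are constructed sample values.

```python
from dataclasses import dataclass, field

# TCP flag bits (values from the TCP header definition)
SYN, ACK, RST = 0x02, 0x10, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Zone:
    # tcp_rst mirrors the per-zone "tcp-rst" knob discussed in the thread
    name: str
    tcp_rst: bool = False


@dataclass
class Firewall:
    # Hypothetical session table: one 4-tuple per established flow
    sessions: set = field(default_factory=set)

    def handle(self, pkt: Packet, ingress: Zone):
        """Return (verdict, response). verdict is "allow" or "drop";
        response is a RST packet to send back, or None."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Packet belongs to an existing session (either direction): allow.
        if key in self.sessions or reverse in self.sessions:
            return "allow", None

        # No session: only a pure SYN may create one. (Assumption: a
        # SYN-ACK is not treated as a valid first packet.)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.sessions.add(key)
            return "allow", None

        # Non-SYN first packet: asymmetric routing or a probe. Drop it.
        # With tcp-rst on the ingress zone, tell the sender with a RST;
        # otherwise discard silently and the sender learns nothing.
        if ingress.tcp_rst:
            rst = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, RST | ACK)
            return "drop", rst
        return "drop", None


def demo():
    """Walk through the cases from the thread; returns the verdicts."""
    fw = Firewall()
    trust = Zone("trust", tcp_rst=True)      # zone with tcp-rst enabled
    untrust = Zone("untrust")                # zone with the default (silent drop)

    syn = Packet("10.0.0.5", 40000, "198.51.100.7", 443, SYN)
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 40000, SYN | ACK)
    stray = Packet("203.0.113.9", 5555, "10.0.0.5", 22, ACK)  # no session

    return {
        "syn_creates_session": fw.handle(syn, trust),
        "return_traffic_matches": fw.handle(reply, untrust),
        "stray_ack_silent": fw.handle(stray, untrust),
        "stray_ack_with_rst": fw.handle(stray, trust),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model makes the point both answers make: tcp-rst changes nothing about what is allowed through, only whether the sender of a dropped non-SYN packet gets a RST or silence. The RST is built with source and destination swapped so it goes back to the original sender.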