One of the types of attacks against which the Edge protects by the Firewall's Network and Flood Protection mechanisms is the 'Invalid TCP Flags' feature. Invalid TCP flags attack occurs when a TCP packet has a bad or invalid flag combination.

It is expected behavior for the Edge to drop the TCP traffic when the Invalid TCP Flags feature is enabled and if, at least, one of the below criteria is met:

1. The packet does not have any of the TCP flags set
2. SYN packet with any or all of FIN, URG, PSH, RST set
3. RST packet with any or all of SYN, FIN, URG set
4. PSH packet before TCP handshake is complete

An example of a communication that will be blocked, would be if on the third step of a TCP 3-way handshake, the initiator completes the handshake (ACK) and starts data transmission (PSH) on the same packet. For the communication to work, the third packet would need to only have the ACK flag set, thus completing the TCP 3-way handshake and initiate the data transmission with the next packet.