08-15-2015 02:43 PM
Hello
What really is the purpose of using that checkbox in the policy action with drop or reset? What are the benefits? Thanks
Regards
08-24-2015 01:21 AM - edited 09-15-2015 07:05 AM
Hi PanIst
Please take a look at DotW: Send ICMP Unreachable PAN-OS 7.0 where I tried to demonstrate more clearly what the icmp option does.
regards
Tom
08-16-2015 04:19 AM
Using reset and ICMP unreachable is primarily aimed at traffic you expect your normal end user community to generate. This gives a user a cleaner experience of the connection failure. Their application gets an immediate response and stops the communication attempt. And the application has an opportunity to give a failure message then to the user.
Drop on the other hand is a silent activity where we basically ignore the traffic and the attempting application has no idea why the failure occurs. This is the preferred response when the invalid traffic is expected from malicious sources, scanners, penetrators or other "bad actors". An affirmative quick response lets them know a firewall is in the path and also shortens the time of their recon activities.
Both options apply only when we are preventing a connection, so in either case there is no session created.
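The difference described in the answer above is visible from the client side as three distinct connect() outcomes: an RST (reset-client) or an ICMP port-unreachable surfaces immediately as ECONNREFUSED, an ICMP host/network-unreachable surfaces as EHOSTUNREACH/ENETUNREACH, and a silent drop produces nothing until the socket timeout expires. The Python below is an added example, not code from the original thread or from Palo Alto Networks; it probes a target, classifies the error and reports how long the client waited. The targets are constructed: a closed loopback port stands in for a reset (the local kernel answers the SYN with an RST), and TEST-NET-1 address 192.0.2.1 (RFC 5737) stands in for a drop or unreachable, since it is never routed and your local network decides whether the SYN vanishes or draws an ICMP error.

```python
import errno
import socket
import time

# Outcome labels: how a client-side connect() experiences each firewall action.
RESET = "reset"              # TCP RST (reset-client) or ICMP port-unreachable -> ECONNREFUSED
UNREACHABLE = "unreachable"  # ICMP host/net unreachable -> EHOSTUNREACH / ENETUNREACH
DROPPED = "dropped"          # silent drop: nothing comes back, connect() waits out the timeout
CONNECTED = "connected"
OTHER = "other"              # any errno not covered above (EACCES, EADDRNOTAVAIL, ...)


def classify(exc):
    """Map the OSError raised by socket.connect() to the firewall action it looks like."""
    if isinstance(exc, socket.timeout):  # must be tested first: it is also an OSError
        return DROPPED
    code = getattr(exc, "errno", None)
    if isinstance(exc, ConnectionRefusedError) or code == errno.ECONNREFUSED:
        return RESET
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    return OTHER


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return (outcome, seconds the client waited)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return CONNECTED, time.monotonic() - start
        except OSError as exc:
            return classify(exc), time.monotonic() - start


def unused_local_port():
    """Bind an ephemeral loopback port, release it and return the number.
    Nothing listens there afterwards, so the kernel answers the SYN with an RST,
    which is what a reset-client action looks like to the application."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed targets (assumptions of this example, see lead-in).
    targets = (("127.0.0.1", unused_local_port()), ("192.0.2.1", 80))
    for host, port in targets:
        outcome, elapsed = probe(host, port, timeout=3.0)
        print(f"{host}:{port:<5} -> {outcome:<11} after {elapsed:.2f}s")
```

Run it and compare the elapsed times: the closed loopback port fails in well under a second, while the unrouted address either fails fast with "unreachable" (an ICMP error reached the client) or sits for the full three seconds with "dropped", which is the user-facing stall the answer above describes. A browser or other real application sees exactly the same errno and makes the same decision between "show an error now" and "keep spinning until its own timeout".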
08-20-2015 11:52 PM
Thanks for the answer. I already know the differences between drop and reset. I just wonder what extra the ICMP option gives?
04-13-2016 04:02 PM
Hello Tom,
In the topic you have mentioned that the "Drop" action will silently discard all packets. My question is what the user will see at the back end. So for example, if I have a policy to block a URL using a custom URL category and the action is set to "Deny":
Will the user still see the reset page or it will keep loading ? When will it time out ? Can we change it ?
Also I wanted to make correction. Pre 7.0 the only action available was Deny and not Drop.
04-13-2016 05:32 PM
@Farman With regard to URL policy, you're going to want to "Allow" the traffic in the security policy and control the L7 / web action via the URL Profile, with its allow / alert / deny / continue / override options.
Setting the URL profile with a deny action for a custom category or a default one will present the user matching the overall security policy with the URL response page.
This response page can be of the default formatting from Palo or you can customize it to your company's own preference.