Tips & Tricks: TCP Split Handshake Drop

Created On 09/25/18 19:02 PM - Last Modified 06/08/23 05:50 AM


Resolution


Most network engineers are familiar with the TCP 3-way handshake as described by US-CERT and illustrated below:

3-way handshake

1.  A --> B  SYN
2.  A <-- B  SYN/ACK
3.  A --> B  ACK

In short: a TCP session typically begins with a client sending a synchronization packet (SYN) to a server. In response, the server sends back a SYN/ACK to the client. The third and final step to complete the 3-way handshake is the client sending a final ACK to the server.

That being said, fewer people know about other valid ways to build TCP connections, called the split handshake and the simultaneous open handshake. The table below illustrates how they behave (A is the client, B is the server):

4-way split handshake      4-way split handshake      Simultaneous open          5-way split handshake

1.  A --> B  SYN           1.  A --> B  SYN           1.  A --> B  SYN           1.  A --> B  SYN
2.  A <-- B  ACK           2.  A <-- B  SYN           2.  A <-- B  SYN           2.  A <-- B  ACK
3.  A <-- B  SYN           3.  A --> B  SYN/ACK       3.  A --> B  SYN/ACK       3.  A <-- B  SYN
4.  A --> B  ACK           4.  A <-- B  ACK           4.  A <-- B  SYN/ACK       4.  A --> B  SYN/ACK
                                                                                 5.  A <-- B  ACK

Although these are valid TCP handshakes, they can confuse some network security devices into not processing a TCP flow properly.

Just to make things clear: the Palo Alto Networks next-gen firewall correctly handles split handshakes and simultaneous open sessions, including all Layer 7 processing of sessions built with this kind of handshake!

This feature adds the option to simply drop the TCP Split Handshake (server SYN) in the zone protection profile. If you enable this setting on a zone, any SYN packet from the server is dropped, which prevents a complete handshake using any of the 4- or 5-way handshakes shown above.
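To make the difference between the handshake variants and the effect of the drop setting concrete, here is an added Python example. It is not Palo Alto Networks code and does not describe how PAN-OS tracks sessions internally: it replays each packet sequence from the table above through a minimal, constructed connection tracker, once as-is and once with a policy that discards any bare SYN arriving from the server, and reports which handshakes still complete. The step encoding, the tracker and all function names are my own constructions.

```python
"""Added example, not Palo Alto Networks code: replay the handshake variants
from the article through a minimal connection tracker, with and without a
'drop server SYN' policy.

Each handshake is a list of (direction, flags) steps.  'A>B' is client to
server, 'A<B' is server to client.  The packet sequences are transcribed from
the article's table; the tracker itself is a constructed simplification that
ignores sequence and acknowledgement numbers."""

HANDSHAKES = {
    "3-way": [
        ("A>B", "SYN"), ("A<B", "SYN/ACK"), ("A>B", "ACK")],
    "4-way split (server ACK then SYN)": [
        ("A>B", "SYN"), ("A<B", "ACK"), ("A<B", "SYN"), ("A>B", "ACK")],
    "4-way split (server SYN first)": [
        ("A>B", "SYN"), ("A<B", "SYN"), ("A>B", "SYN/ACK"), ("A<B", "ACK")],
    "simultaneous open": [
        ("A>B", "SYN"), ("A<B", "SYN"), ("A>B", "SYN/ACK"), ("A<B", "SYN/ACK")],
    "5-way split": [
        ("A>B", "SYN"), ("A<B", "ACK"), ("A<B", "SYN"),
        ("A>B", "SYN/ACK"), ("A<B", "ACK")],
}


def is_server_syn(direction, flags):
    """True for a bare SYN (no ACK bit) travelling from server to client.
    This is the packet the 'Split Handshake' drop setting targets; a normal
    SYN/ACK from the server is left alone."""
    return direction == "A<B" and flags == "SYN"


def uses_split_handshake(steps):
    """Detection only: does this sequence contain a server-originated SYN?
    A constructed approximation of what a detect-only counter would flag,
    not the firewall's actual logic."""
    return any(is_server_syn(d, f) for d, f in steps)


def simulate(steps, drop_server_syn=False):
    """Replay the steps.  A side's SYN counts as acknowledged once the peer
    sends any ACK after having seen that SYN.  Returns (established, dropped)
    where dropped lists the packets removed by the policy."""
    syn_seen = {"A": False, "B": False}    # has this side sent a SYN yet?
    syn_acked = {"A": False, "B": False}   # has the peer acknowledged it?
    dropped = []
    for direction, flags in steps:
        sender = "A" if direction == "A>B" else "B"
        peer = "B" if sender == "A" else "A"
        if drop_server_syn and is_server_syn(direction, flags):
            dropped.append((direction, flags))   # never reaches the client
            continue
        bits = flags.split("/")
        if "SYN" in bits:
            syn_seen[sender] = True
        if "ACK" in bits and syn_seen[peer]:
            syn_acked[peer] = True
    established = all(syn_seen.values()) and all(syn_acked.values())
    return established, dropped


def policy_report(drop_server_syn):
    """Map handshake name -> whether it completes under the given policy."""
    return {name: simulate(steps, drop_server_syn)[0]
            for name, steps in HANDSHAKES.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"drop server SYN = {policy}")
        for name, ok in policy_report(policy).items():
            print(f"  {name:36s} {'established' if ok else 'blocked'}")
```

Without the policy every sequence reaches the established state; with it only the classic 3-way handshake does, because each of the other four contains a bare SYN from the server, which is exactly what the zone protection setting discards. The model deliberately ignores sequence and acknowledgement numbers and retransmissions, so treat it as an illustration of the packet patterns rather than as a reference for how a real stateful inspection engine behaves.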

Note that this setting is not enabled by default!

Customers wanting to prevent non-3-way TCP handshake behaviour can enable this setting in a zone protection profile and assign it to the desired zones.

This feature was added with PAN-OS 7.0. If you upgrade from a lower PAN-OS version, the setting will not be enabled by default. If you downgrade from PAN-OS 7.0, the option is simply removed.

Enabling this feature is easy enough. Simply go to Network > Network Profiles > Zone Protection > Packet Based Attack Protection, select the TCP Drop tab, and check the 'Split Handshake' checkbox:

[Screenshot: Split Handshake]

Don't forget to assign this zone protection profile to the desired zone, or this configuration won't do anything.

For Panorama, the option is available in device templates, as seen in the screenshot below. Also note that, if pushed to an earlier PAN-OS version, the option is dropped.

[Screenshot: Panorama Device Templates]

There are 2 global counters you can check to troubleshoot TCP Split Handshake:

  • tcp_split_handshake: this counter increments when a split handshake is detected. Note that this counter was also available in older PAN-OS versions. It only detects a TCP Split Handshake.
  • flow_dos_pf_tcpsplithandshake: this is the actual DROP counter, added in PAN-OS 7.0. You need to enable the feature first before this counter will appear.

You can read the following articles on global counters if you don't know how to use them:

How-to-Troubleshoot-Using-Counters-via-the-CLI

What-is-the-Significance-of-Global-Counters

Also, the following CLI command will show you whether you have enabled the feature, whether it is configured on your zone, and whether packets were dropped by it:

> show zone-protection zone lab-200

---------------------------------------------------------
Number of zones with protection profile: 1
---------------------------------------------------------
Zone lan-200, vsys vsys1, profile Protected-A
---------------------------------------------------------
IPv(4/6) Filter:
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
IPv4 packet filter:
discard-tcp-split-handshake: enabled: yes, packet dropped: 0
IPv6 packet filter:
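When the same check has to be repeated across many zones or firewalls, it helps to parse that output rather than read it by eye. The following is an added Python example, not Palo Alto Networks code: it takes the text of `show zone-protection zone <name>` (assumed to have been saved to a file or captured from an SSH session) and reports whether discard-tcp-split-handshake is enabled for a zone and how many packets it has dropped. The sample output is constructed to mirror the listing above (the drop count of 17 is made up), and the `enabled: no` form the regex accepts is an assumption about how a disabled filter is printed.

```python
"""Added example, not Palo Alto Networks code: parse the text of
'show zone-protection zone <name>' to check whether discard-tcp-split-handshake
is enabled for a zone and how many packets it has dropped.  The sample output
below is constructed to mirror the article's listing (the drop count of 17 is
made up); it is not captured from a live device."""

import re

SAMPLE_OUTPUT = """\
---------------------------------------------------------
Number of zones with protection profile: 1
---------------------------------------------------------
Zone lan-200, vsys vsys1, profile Protected-A
---------------------------------------------------------
IPv(4/6) Filter:
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
IPv4 packet filter:
discard-tcp-split-handshake: enabled: yes, packet dropped: 17
IPv6 packet filter:
"""

# One line per protected zone, e.g. "Zone lan-200, vsys vsys1, profile Protected-A".
ZONE_RE = re.compile(
    r"^Zone (?P<zone>\S+), vsys (?P<vsys>\S+), profile (?P<profile>\S+)$")
# One line per filter; the optional "(global)" marker appears on some filters.
# Accepting "enabled: no" is an assumption about the disabled form.
FILTER_RE = re.compile(
    r"^(?P<name>[\w-]+): enabled: (?P<enabled>yes|no)"
    r"(?:, \(global\))?, packet dropped: (?P<dropped>\d+)$")


def parse_zone_protection(text):
    """Return a list of zones, each with its profile and per-filter state."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            current = {"zone": m["zone"], "vsys": m["vsys"],
                       "profile": m["profile"], "filters": {}}
            zones.append(current)
            continue
        m = FILTER_RE.match(line)
        if m and current is not None:
            current["filters"][m["name"]] = {
                "enabled": m["enabled"] == "yes",
                "dropped": int(m["dropped"]),
            }
    return zones


def split_handshake_status(text, zone):
    """(state, dropped) for one zone.  state is 'enabled', 'disabled',
    'absent' (zone listed but the filter line is missing, e.g. the option
    was removed on an older PAN-OS) or 'no-profile' (zone not listed)."""
    for z in parse_zone_protection(text):
        if z["zone"] == zone:
            f = z["filters"].get("discard-tcp-split-handshake")
            if f is None:
                return "absent", 0
            return ("enabled" if f["enabled"] else "disabled"), f["dropped"]
    return "no-profile", 0


if __name__ == "__main__":
    state, dropped = split_handshake_status(SAMPLE_OUTPUT, "lan-200")
    print(f"lan-200: discard-tcp-split-handshake {state}, {dropped} packets dropped")
```

A non-zero drop count confirms that the profile is both enabled and actually attached to the zone; a zone that comes back as 'no-profile' is the case the article warns about, where the profile was created but never assigned.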

Cheers!

-Kim