Difference Between Drop and Drop-all-packets Action in Threat Security Profiles

Created On 09/26/18 13:44 PM - Last Modified 06/07/23 06:05 AM


Resolution


Overview

When configuring a security policy, two drop actions are available:

  • Drop
  • Drop-all-packets

If the drop action is configured, the firewall will drop the first packet only.

If the drop-all-packets action is configured, the firewall will drop every subsequent packet for that session. The session will be set to DISCARD and packets will be dropped until the TCP or UDP Timeout for the session is reached and the session is removed from the session table.

In the session details, the tracker stage firewall will list "mitigation tdb drop all" and the reason will be "threat."

[Screenshot: session details showing tracker stage firewall "mitigation tdb drop all", reason "threat"]

For a UDP connection, there is no retransmit mechanism. Setting the option to drop will cause the firewall to discard the faulty packet but transmit the rest of the communication. If the firewall is set to drop-all-packets the faulty packet, as well as any subsequent packets, will be discarded.

In the case of a TCP connection, drop-all-packets behaves the same way: the first packet will be dropped, and the retransmission sent by the workstation will also be dropped.
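The following is a simplified model of the two actions, added here as an illustration; it is not PAN-OS code, and the session-table behavior (one session per flow, DISCARD state, timeout-based removal, and timer refresh on every packet) is an assumption made for the model, not a description of the firewall's internals.

```python
"""Model of 'drop' vs 'drop-all-packets' (added example, not Palo Alto Networks code)."""
from dataclasses import dataclass


@dataclass
class Packet:
    flow: tuple            # constructed 5-tuple (src, sport, dst, dport, proto)
    t: float               # arrival time in seconds
    malicious: bool = False  # would this packet match a threat signature?


@dataclass
class Session:
    state: str = "ACTIVE"  # "ACTIVE" or "DISCARD"
    last_seen: float = 0.0
    reason: str = ""


class Firewall:
    def __init__(self, action: str, timeout: float):
        assert action in ("drop", "drop-all-packets")
        self.action, self.timeout = action, timeout
        self.sessions: dict = {}

    def handle(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet and update the session table."""
        s = self.sessions.get(pkt.flow)
        # Assumption: an idle session (DISCARD included) is removed once its
        # timeout elapses, so a later packet on the same flow starts fresh.
        if s and pkt.t - s.last_seen > self.timeout:
            del self.sessions[pkt.flow]
            s = None
        if s is None:
            s = self.sessions[pkt.flow] = Session(last_seen=pkt.t)
        s.last_seen = pkt.t  # assumption: any packet refreshes the timer
        if s.state == "DISCARD":
            return "drop"                  # tracker: mitigation tdb drop all
        if pkt.malicious:
            if self.action == "drop-all-packets":
                s.state, s.reason = "DISCARD", "threat"
            return "drop"                  # both actions drop the offending packet
        return "allow"


def run(action: str, timeout: float, packets: list) -> list:
    """Feed a packet list through one firewall and return the per-packet verdicts."""
    fw = Firewall(action, timeout)
    return [fw.handle(p) for p in packets]


FLOW = ("10.0.0.5", 40000, "192.0.2.10", 53, "udp")  # constructed sample flow
UDP_STREAM = [Packet(FLOW, 0.0), Packet(FLOW, 0.1, True),
              Packet(FLOW, 0.2), Packet(FLOW, 40.0)]   # 4th packet arrives after timeout
```

With a 30-second UDP timeout, `drop` yields `allow, drop, allow, allow` while `drop-all-packets` yields `allow, drop, drop, allow`: the only packet that passes after the threat is the one arriving once the DISCARD session has aged out.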

The GUI screenshot below illustrates where the option is found.

[Screenshot: profile configuration GUI showing the Drop and Drop-all-packets action options]

owner: panagent
