https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/206022#M280 <P>If the firewall detects a TCP packet with data and your Zone Protection profile is set to drop these, then I wouldn't think it is a false positive. It triggers the protection because the firewall sees these.</P> <P>&nbsp;</P> <P>More information available at:</P> <P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/networking-features/zone-protection-for-syn-data-payloads" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/networking-features/zone-protection-for-syn-data-payloads</A></P> <P>&nbsp;</P> <P>There is currently no way to inhibit these protections from writing to the Threat Logs, however, if you receive the alerts through a Log Forwarding profile, you can edit the profile so that these are not forwarded out using a Filter in PAN-OS 8.0:</P> <P>&nbsp;</P> <P>(severity eq informational) and (threatid neq 8723)</P> <P>&nbsp;</P> <P>Selective Log Forwarding</P> <P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/selective-log-forwarding-based-on-log-attributes" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/selective-log-forwarding-based-on-log-attributes</A></P> <P>&nbsp;</P> <P>Video Tutorial</P> <P><A href="https://live.paloaltonetworks.com/t5/Tutorials/Tutorial-Filtered-Log-Forwarding/ta-p/145950" target="_blank">https://live.paloaltonetworks.com/t5/Tutorials/Tutorial-Filtered-Log-Forwarding/ta-p/145950</A></P> Fri, 16 Mar 2018 17:02:02 GMT mivaldi 2018-03-16T17:02:02Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/205959#M279 <P>Hi Guys,</P><P>&nbsp;</P><P>I receive hundreds of <STRONG>TCP SYN with data</STRONG> Threat Alerts from my BYOD zone every day. I was learning more about it and I understood that it is a TCP syn packet with data in its payload. However, as almost all of them seems to come from non-malicious sources, I am not sure if I should worry about it or just consider it as a false positive and tweak my firewall.<BR /><BR /></P><P>Any advice would be much appreciated.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Leandro Ramos</P> Fri, 16 Mar 2018 15:01:33 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/205959#M279 leandro.ramos 2018-03-16T15:01:33Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/206022#M280 <P>If the firewall detects a TCP packet with data and your Zone Protection profile is set to drop these, then I wouldn't think it is a false positive. It triggers the protection because the firewall sees these.</P> <P>&nbsp;</P> <P>More information available at:</P> <P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/networking-features/zone-protection-for-syn-data-payloads" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/networking-features/zone-protection-for-syn-data-payloads</A></P> <P>&nbsp;</P> <P>There is currently no way to inhibit these protections from writing to the Threat Logs, however, if you receive the alerts through a Log Forwarding profile, you can edit the profile so that these are not forwarded out using a Filter in PAN-OS 8.0:</P> <P>&nbsp;</P> <P>(severity eq informational) and (threatid neq 8723)</P> <P>&nbsp;</P> <P>Selective Log Forwarding</P> <P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/selective-log-forwarding-based-on-log-attributes" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/management-features/selective-log-forwarding-based-on-log-attributes</A></P> <P>&nbsp;</P> <P>Video Tutorial</P> <P><A href="https://live.paloaltonetworks.com/t5/Tutorials/Tutorial-Filtered-Log-Forwarding/ta-p/145950" target="_blank">https://live.paloaltonetworks.com/t5/Tutorials/Tutorial-Filtered-Log-Forwarding/ta-p/145950</A></P> Fri, 16 Mar 2018 17:02:02 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/206022#M280 mivaldi 2018-03-16T17:02:02Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/206254#M283 <P>Hi Mivaldi,</P><P>&nbsp;</P><P>Thank you very much for all the information provided.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Leandro Ramos</P> Mon, 19 Mar 2018 08:13:46 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/tcp-syn-with-data-threat-logs/m-p/206254#M283 leandro.ramos 2018-03-19T08:13:46Z