https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565776#M114385 <P>Hi Support,</P> <P>&nbsp;</P> <P>We recently notice have latency in our network , when we investigate found a lot threat logs from TCP SYN with data has been block by firewall as we have DDOS protection.</P> <P>&nbsp;</P> <P>My question is below:</P> <P>1. does this attack affect the performance of the firewall resources?&nbsp;</P> <P>2. Do we have a setting that can drop the threat without consume the resource of firewall?</P> <P>3.&nbsp;In addition, is there a best case recommendation for securing untrust zones?</P> <P>&nbsp;</P> <P>Thank you</P> Wed, 15 Nov 2023 07:58:40 GMT Fariq_Zaidi 2023-11-15T07:58:40Z https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565776#M114385 <P>Hi Support,</P> <P>&nbsp;</P> <P>We recently notice have latency in our network , when we investigate found a lot threat logs from TCP SYN with data has been block by firewall as we have DDOS protection.</P> <P>&nbsp;</P> <P>My question is below:</P> <P>1. does this attack affect the performance of the firewall resources?&nbsp;</P> <P>2. Do we have a setting that can drop the threat without consume the resource of firewall?</P> <P>3.&nbsp;In addition, is there a best case recommendation for securing untrust zones?</P> <P>&nbsp;</P> <P>Thank you</P> Wed, 15 Nov 2023 07:58:40 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565776#M114385 Fariq_Zaidi 2023-11-15T07:58:40Z https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565799#M114389 <P>1. It should not in and by itself, unless you are receiving so many of these packets it could constitute a DoS attack. in your case there doesn't seem to be an enormous amount</P> <P>2. Only if you are somehow able to isolate the source IP (or country, subnet, network,....) and block these sources directly. in your case, it all seems to originate from one source, so go ahead and block that if you don't know who or what this source is</P> <P>3. yes, take a look here:&nbsp;<A href="https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices" target="_blank">https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices</A></P> <P>&nbsp;</P> <P>in the ICMP screenshot, what does the start and end arrow indicate? just the start/end of latency or some other event?</P> <P>what does your '<SPAN class="s1"><FONT face="terminal,monaco">&gt; show running resource-monitor</FONT>' and '<FONT face="terminal,monaco">&gt; show session info</FONT>' look like during that period?</SPAN></P> <P><SPAN class="s1">do you have packet buffer protection enabled on your zones?</SPAN></P> Wed, 15 Nov 2023 11:06:50 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565799#M114389 reaper 2023-11-15T11:06:50Z https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565806#M114390 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225107">@Fariq_Zaidi</a> ,</P> <P>&nbsp;</P> <P>Just to clarify - the "TCP Syn with data" thread logs you see are not caused by the flood protection.</P> <P>Those logs indicate dropped TCP SYN packets that contain data, meaning source is trying to send some data before TCP-3way-handshake is completed. This setting is again controlled by Zone Protection profile, but not as flood protection, but TCP drop - <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/packet-based-attack-protection/tcp-drop</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT5CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT5CAK</A></P> <P>Having in mind that this is inbound traffic (from public source) it could be expected to see alot of such attempts.</P> <P>&nbsp;</P> <P>You can check the count of dropped packets per zone with following command:</P> <PRE class="ckeditor_codeblock">&gt; show zone-protection zone untrust </PRE> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> Wed, 15 Nov 2023 11:16:57 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565806#M114390 A_Astardzhiev 2023-11-15T11:16:57Z https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565918#M114406 <P>Hi Reaper,</P> <P>&nbsp;</P> <P>In the ICMP , showing the latency during the event happen and consist with the logs tcp sync with data has been drop.&nbsp; That why we concern if this the cause the latency happen.</P> <P>&nbsp;</P> <P>i attach the show running resource monitor and session info (Doc log)&nbsp; and Yes we have enable the packet buffer.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 16 Nov 2023 04:13:36 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-syn-with-data-attack-block-by-the-firewall-but-increase-the/m-p/565918#M114406 Fariq_Zaidi 2023-11-16T04:13:36Z