https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18325#M13358 <HTML><HEAD></HEAD><BODY><P>Yes, it has. The new command is:</P><P># set deviceconfig setting tcp asymmetric-path bypass</P><P></P><P>You'll need to follow that with a commit for it to take effect.</P><P></P><P>-Greg </P></BODY></HTML> Wed, 12 Dec 2012 17:30:53 GMT gwesson 2012-12-12T17:30:53Z https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18321#M13354 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I am not sure if PA box could default check TCP sequense number ... have CLI cmd to tigger this checking</P><P></P><P></P><P>Jeff Jin</P><P></P><P></P><P></P><P></P><P></P><P> <BR /> </P></BODY></HTML> Fri, 14 Oct 2011 12:26:21 GMT https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18321#M13354 JeffJin 2011-10-14T12:26:21Z https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18322#M13355 <HTML><HEAD></HEAD><BODY><P>Not sure if this is what you're looking for but here are some tcp settings options. This is through the configure mode to make it persistent.</P><P></P><P>#set deviceconfig setting tcp</P><P></P><P>bypass-exceed-oo-queue&nbsp;&nbsp; whether to skip inspection of session if out-of-order packets limit is exceeded</P><P>drop-out-of-wnd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; drop/allow out of window packets, also control enable/disable TCP sequence number check for FIN/RST</P><P>favor-new-seg&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; whether to favor new segments when overlapping happens</P><P>out-of-sync&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; actions for out of sync tcp sessions (ACK is out of sync with TCP sliding window tracking)</P><P>urgent-data&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clear urgent flag in TCP header </P><P></P><P>-Renato</P></BODY></HTML> Fri, 14 Oct 2011 13:54:45 GMT https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18322#M13355 gswcowboy 2011-10-14T13:54:45Z https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18323#M13356 <HTML><HEAD></HEAD><BODY><P>Jeff,</P><P></P><P>TCP sequence number checking is enabled by default.You can turn it off if you wish using the command above.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 14 Oct 2011 15:08:27 GMT https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18323#M13356 mrajdev 2011-10-14T15:08:27Z https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18324#M13357 <HTML><HEAD></HEAD><BODY><P>I cannot find command for drop-out-of-wnd parametar in PAN-OS 4.1 and 5.0</P><P>Is this command changed?</P></BODY></HTML> Wed, 12 Dec 2012 15:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18324#M13357 igor_mamuzic 2012-12-12T15:19:03Z https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18325#M13358 <HTML><HEAD></HEAD><BODY><P>Yes, it has. The new command is:</P><P># set deviceconfig setting tcp asymmetric-path bypass</P><P></P><P>You'll need to follow that with a commit for it to take effect.</P><P></P><P>-Greg </P></BODY></HTML> Wed, 12 Dec 2012 17:30:53 GMT https://live.paloaltonetworks.com/t5/general-topics/check-tcp-sequense-number/m-p/18325#M13358 gwesson 2012-12-12T17:30:53Z