topic Re: Zone Protection - Reject Non-SYN TCP in General Topics

Zone Protection - Reject Non-SYN TCP

sturla — Wed, 27 Jun 2012 06:27:28 GMT

Hi everyone!

I've configured a zone protection profile with SYN Flood protection and SYN Cookies enabled. In the same profile I've set the option "Reject Non-SYN TCP" to "no". I've applied this profile to my untrust zone and run a commit.

When I run the CLI command show session info i noticed that under session setup TCP - reject non-SYN first packet is set to True. Why is there a mismatch between the GUI and the CLI, and which one can I trust (I usually trust the CLI)?

Exerpt from CLI command show session info:

--------------------------------------------------------------------------------

Session setup

TCP - reject non-SYN first packet: True

Hardware session offloading: True

IPv6 firewalling: False

--------------------------------------------------------------------------------

Regards

Sturla

Re: Zone Protection - Reject Non-SYN TCP

mikand — Wed, 27 Jun 2012 06:42:28 GMT

Export the running-config.xml and verify it there.

network profiles -> zone-protection-profile can contain:

tcp-reject-non-syn {global | no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

global — Use global setting

no — Accept non-SYN TCP

yes — Reject non-SYN TCP

The global setting is found in deviceconfig -> session:

tcp-reject-non-syn {no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

and is handled by the "set session" command (if you are in CLI).

My guess is that "show session info" will display the global value and not your custom zone-specific setting.

Re: Zone Protection - Reject Non-SYN TCP

sdurga — Wed, 27 Jun 2012 06:49:37 GMT

If global setting is set to reject non syn packets and zone setting is set to allow non syn packets then which setting comes into effect ?

Re: Zone Protection - Reject Non-SYN TCP

mikand — Wed, 27 Jun 2012 07:24:41 GMT

I hope that PA uses "best match" which would mean that zone setting overrules the global setting (which I guess is confirmed by the zone protection who has not only yes/no but also global as a valid setting).

In your case that non syn packets are allowed when they arrive at the specific zone.

Re: Zone Protection - Reject Non-SYN TCP

sturla — Wed, 27 Jun 2012 08:07:56 GMT

Thank you for your answer!

I was not aware of a global setting for this. Where is the global setting for this located in the GUI? I'm not able to find it.

Re: Zone Protection - Reject Non-SYN TCP

mikand — Wed, 27 Jun 2012 08:47:28 GMT

Seems like it isnt available through GUI, according to admin guide 4.1 (looking at zone protection settings):

Global—Use system-wide setting that is assigned through the CLI.