topic Re: How to REJECT instead of DROP? in General Topics

How to REJECT instead of DROP?

Priyan — Tue, 06 Jul 2010 14:58:04 GMT

Try as I might, I cannot find a way to do the equivalent of the venerable iptables target REJECT --with-icmp-ureachable or --with-tcp-reset for basic firewalling on a 4020.

This is handy for bouncing internal clients quickly, whereas DROP is better to make things slower for adversaries who are scanning our nets from outside.

For example. If I want to prevent smtp/ntp/dns attempts for our internal clients, thus forcing them through the relevant internal services, I don't expect them to have to wait for a timeout, when a simple reject rule can speed things along for them.

It seems the two targets available for basic layer 3 firewalling are simply allow, or drop. Why no reject?

I hope someone knows how. If this is the wrong forum I apologise, but I expect this is a missing feature. I feel it's quite a basic essential.

Re: How to REJECT instead of DROP?

SRA — Tue, 13 Jul 2010 20:16:12 GMT

Priyan -

The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.

For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.

For client-server apps that are based on http (or other protocols that we have decoders for), we generally use drop-reset if the app is considered harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards.

Srinivas

Re: How to REJECT instead of DROP?

lardsa — Wed, 13 Jul 2011 08:27:55 GMT

Hello,

any news on this topic ? I would to see this implemented, I have some special conditions where it would help.

Regards

Re: How to REJECT instead of DROP?

dlassalle — Tue, 07 Feb 2012 19:51:32 GMT

I would also like the ability to select the type of drop manually.

Re: How to REJECT instead of DROP?

uniovi — Mon, 19 Mar 2012 07:32:52 GMT

We'd also like to select the type of deny. In some cases, we need to explicitity send RESET instead simply DROP the packet.

Re: How to REJECT instead of DROP?

mikand — Mon, 19 Mar 2012 07:51:11 GMT

I would also like to place myself in this feature-line regarding ability to (per security rule) define if the traffic should be denied (drop) or rejected (drop-reset). Perhaps it could be called just "deny" vs "deny-rst" in the gui.

Would also be nice to be able to define if icmp-unreachable should be sent or not.

Re: How to REJECT instead of DROP?

Duplem — Wed, 27 Jun 2012 13:50:06 GMT

I also need the ability to select the type of drop manually.

"We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards."

Any news about this feature ?

Re: How to REJECT instead of DROP?

pawel_stankiewicz — Mon, 09 Jul 2012 12:42:03 GMT

The same here...

It is disastrous how much time I've spend on debugging timeouts...

tcp-reject from internal net to external/between zones is a must !

Best regards,

Pawel

Re: How to REJECT instead of DROP?

garryshtern — Mon, 30 Jul 2012 19:07:08 GMT

I second this. This is a huge oversight on part of Palo Alto. One neat feature of ScreenOS is the ability to specify RST on a per-zone basis...

Re: How to REJECT instead of DROP?

Kevin.lane — Fri, 24 Jan 2014 00:26:07 GMT

You mention that there is work in progress to provide further options for reject. I didn't see anything specific mentioned in the 6.0 release notes. Can you tell me whether there have been any improvements upon this? We also require the ability to set a specific reject for a particular policy. We'd like to let some things remain drop, but for specific subnets that we still want to block, we'd like to do a reject.

Re: How to REJECT instead of DROP?

Anon1 — Fri, 24 Jan 2014 18:10:21 GMT

What happens when the drop rule has both application and service set to "any"? Drop or reject?

Re: How to REJECT instead of DROP?

vchanal — Wed, 06 Aug 2014 09:02:11 GMT

Hello,

Any news about this topic?