<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: About non-syn-tcp option in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36408#M26764</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As I understand the PAN-OS_4.1_CLI_Reference_Guide.pdf, when you enable tcp-reject-non-syn (which is enabled by default, if I'm not mistaken) a new session will only be allowed if the first packet seen is a SYN (for TCP traffic).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This will break stuff if you have asymmetric routing or for some other reason will involve a PA box in an already established flow.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By setting tcp-reject-non-syn to no you will allow the PA to set up a new (TCP) flow even if the first packet that hits your PA isn't a SYN (one could argue that by allowing (TCP) flows to establish even without the initial handshake you will in some way open up for some attacks to bypass your firewall). This can also be bad for performance reasons, where someone from the internet could send just bogus packets to your firewall and make it eat up all its session tables (compared to when a SYN is needed, the attacker would then be limited to actually using SYNs as first packets for TCP traffic).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 10 May 2012 08:28:13 GMT</pubDate>
    <dc:creator>mikand</dc:creator>
    <dc:date>2012-05-10T08:28:13Z</dc:date>
    <item>
      <title>About non-syn-tcp option</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36407#M26763</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello guys.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As you know, PAN has a session option called non-syn-tcp.&lt;/P&gt;&lt;P&gt;I have a question about non-syn-tcp.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When "reject non-SYN first packet" was false (i.e. non-SYN TCP was not dropped) and a non-SYN TCP session was already established through the PAN device, if the non-syn-tcp option is then changed to true, does that drop the already established non-SYN TCP session?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If it is done with the configuration mode command "set deviceconfig setting session tcp-reject-non-syn yes | commit", does that also drop established non-SYN TCP sessions?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;P&gt;Roh.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 May 2012 06:41:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36407#M26763</guid>
      <dc:creator>ttongfly</dc:creator>
      <dc:date>2012-05-10T06:41:44Z</dc:date>
    </item>
    <item>
      <title>Re: About non-syn-tcp option</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36408#M26764</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As I understand the PAN-OS_4.1_CLI_Reference_Guide.pdf, when you enable tcp-reject-non-syn (which is enabled by default, if I'm not mistaken) a new session will only be allowed if the first packet seen is a SYN (for TCP traffic).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This will break stuff if you have asymmetric routing or for some other reason will involve a PA box in an already established flow.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By setting tcp-reject-non-syn to no you will allow the PA to set up a new (TCP) flow even if the first packet that hits your PA isn't a SYN (one could argue that by allowing (TCP) flows to establish even without the initial handshake you will in some way open up for some attacks to bypass your firewall). This can also be bad for performance reasons, where someone from the internet could send just bogus packets to your firewall and make it eat up all its session tables (compared to when a SYN is needed, the attacker would then be limited to actually using SYNs as first packets for TCP traffic).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 May 2012 08:28:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36408#M26764</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-05-10T08:28:13Z</dc:date>
    </item>
    <item>
      <title>Re: About non-syn-tcp option</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36409#M26765</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I use the command &lt;EM&gt;set deviceconfig setting session tcp-reject-non-syn no&lt;/EM&gt; (default yes) only when doing a POC and inserting the FW in vwire mode. In this case previously established sessions continue without AS400 users screaming all around about having lost their connection 🙂&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In normal operations I leave it on "yes" in order to avoid security and performance issues.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 10 May 2012 12:07:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/about-non-syn-tcp-option/m-p/36409#M26765</guid>
      <dc:creator>NGS_SOC</dc:creator>
      <dc:date>2012-05-10T12:07:29Z</dc:date>
    </item>
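To make concrete the trade-off mikand describes (a non-SYN first packet either creates a session or is rejected, and with "no" an attacker can fill the session table with bare ACKs) and the vwire POC situation NGS_SOC mentions (the firewall picking up a flow that is already established), here is a small Python model of a stateful firewall session table with a tcp-reject-non-syn knob. It is an added example written for this page, not PAN-OS code and not from any of the posters: the session-table capacity, the addresses and the packets are constructed, and the way the model keeps an already created entry when the knob is flipped is a modelling assumption, not a statement about what a real PAN-OS device does on commit, which is the thread's open question.

```python
"""Toy model of a stateful firewall TCP session table with a
tcp-reject-non-syn knob. Constructed for this page to illustrate the
thread's trade-off; it is not PAN-OS code and makes no claim about
PAN-OS internals."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


def flow_key(p):
    # Direction-independent key so that both halves of a flow hit one entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


@dataclass
class SessionTable:
    reject_non_syn: bool = True  # the thread says 'yes' is the PAN-OS default
    capacity: int = 4            # constructed, tiny, so exhaustion is visible
    sessions: dict = field(default_factory=dict)
    dropped: int = 0

    def process(self, p):
        """Return 'forward' or 'drop' for packet p and update the table."""
        k = flow_key(p)
        if k in self.sessions:
            return "forward"  # mid-flow packet of a known session
        first_is_syn = "SYN" in p.flags and "ACK" not in p.flags
        if self.reject_non_syn and not first_is_syn:
            self.dropped += 1
            return "drop"  # first packet of a new flow is not a SYN: rejected
        if len(self.sessions) >= self.capacity:
            self.dropped += 1
            return "drop"  # session table exhausted
        self.sessions[k] = "syn-seen" if first_is_syn else "picked-up-mid-flow"
        return "forward"

    def set_reject_non_syn(self, value):
        # Model assumption: the knob only changes how future first packets
        # are judged; entries already in the table are left alone. Whether a
        # real PAN-OS device behaves this way on commit is exactly the open
        # question in the thread and must be verified on a lab box.
        self.reject_non_syn = value


def mid_flow_insertion(reject_non_syn):
    """Firewall inserted (e.g. vwire POC) into a flow that is already up."""
    fw = SessionTable(reject_non_syn=reject_non_syn)
    pkt = Packet("10.0.0.5", 40000, "10.0.0.9", 23, frozenset({"ACK", "PSH"}))
    return fw.process(pkt)


def bogus_ack_flood(reject_non_syn, count):
    """Attacker sprays bare ACKs from distinct ports; returns (sessions, dropped)."""
    fw = SessionTable(reject_non_syn=reject_non_syn)
    for i in range(count):
        fw.process(Packet("198.51.100.7", 1024 + i, "203.0.113.10", 443, frozenset({"ACK"})))
    return len(fw.sessions), fw.dropped


def toggle_after_pickup():
    """Start with 'no', pick up a flow mid-stream, flip to 'yes', then send the
    next packet of that flow. Returns that packet's verdict under the model."""
    fw = SessionTable(reject_non_syn=False)
    first = Packet("10.0.0.5", 40000, "10.0.0.9", 23, frozenset({"ACK", "PSH"}))
    fw.process(first)
    fw.set_reject_non_syn(True)
    nxt = Packet("10.0.0.9", 23, "10.0.0.5", 40000, frozenset({"ACK"}))
    return fw.process(nxt)


if __name__ == "__main__":
    print("mid-flow pickup, reject=yes:", mid_flow_insertion(True))   # drop
    print("mid-flow pickup, reject=no: ", mid_flow_insertion(False))  # forward
    print("ACK flood, reject=yes:", bogus_ack_flood(True, 10))   # (0, 10)
    print("ACK flood, reject=no: ", bogus_ack_flood(False, 10))  # (4, 6)
    print("toggle after pickup (model):", toggle_after_pickup())  # forward
```

Running it shows the two sides of the knob: with "yes" the mid-flow pickup is dropped and the ACK flood creates no state at all, while with "no" the pickup works but the same flood fills the constructed four-entry table and every later first packet is dropped. The toggle scenario only shows what this model assumes; check the real behaviour on a lab firewall before relying on it.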
  </channel>
</rss>

