topic Stateful Package Inspection Features in General Topics https://live.paloaltonetworks.com/t5/general-topics/stateful-package-inspection-features/m-p/5049#M3704 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>I was just wondering if you someone could clarify a few doubts that are lingering in my mind.</P><P></P><P>1.&nbsp; IP Checksum Enforcement</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp; Does PA have an option to enforce header checksums for IP headers and UDP packets?</P><P></P><P>2.&nbsp; QoS</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp; Does have QoS support bi-directional support for DSCP and 802.1p</P><P></P><P>Many thanks,</P><P>Kalyan</P></BODY></HTML> Thu, 07 Jun 2012 12:15:44 GMT kalyanram.piratla 2012-06-07T12:15:44Z Stateful Package Inspection Features https://live.paloaltonetworks.com/t5/general-topics/stateful-package-inspection-features/m-p/5049#M3704 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>I was just wondering if you someone could clarify a few doubts that are lingering in my mind.</P><P></P><P>1.&nbsp; IP Checksum Enforcement</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp; Does PA have an option to enforce header checksums for IP headers and UDP packets?</P><P></P><P>2.&nbsp; QoS</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp; Does have QoS support bi-directional support for DSCP and 802.1p</P><P></P><P>Many thanks,</P><P>Kalyan</P></BODY></HTML> Thu, 07 Jun 2012 12:15:44 GMT https://live.paloaltonetworks.com/t5/general-topics/stateful-package-inspection-features/m-p/5049#M3704 kalyanram.piratla 2012-06-07T12:15:44Z Re: Stateful Package Inspection Features https://live.paloaltonetworks.com/t5/general-topics/stateful-package-inspection-features/m-p/5050#M3705 <HTML><HEAD></HEAD><BODY><P>According to PA-4.1_Administrators_Guide.pdf</P><P></P><P>1) If exists I think it should be in Network &gt; Network Profiles &gt; Zone Protection, however I cant find such option. Perhaps this is done automagically?</P><P></P><P>According to NSS-Labs-Report.pdf back from 2010 testing PA-4020 the PA unit blocked 100% of the attempts regarding:</P><P></P><P>5.8.1 Ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums.</P><P></P><P>2) I dont think PA will automatically listen to 802.1p and DSCP stuff, but you can manually set those bits for outgoing traffic. Which means that you need to manually define QoS rules in your PA aswell.</P></BODY></HTML> Thu, 07 Jun 2012 18:51:22 GMT https://live.paloaltonetworks.com/t5/general-topics/stateful-package-inspection-features/m-p/5050#M3705 mikand 2012-06-07T18:51:22Z