https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50695#M37311 <HTML><HEAD></HEAD><BODY><P>Hi </P><P>We dont have the feature to turn of stateful inspection, and all traffic would always be subjected to stateful inspection.</P><P></P><P>BR,</P><P>Karthik RP</P></BODY></HTML> Fri, 12 Jul 2013 13:33:57 GMT kprakash 2013-07-12T13:33:57Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50694#M37310 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>is it possible to use a PAloalto firewall not to keep sessions and works like a non stateful Access Control device.</P><P></P><P>Thanks.</P></BODY></HTML> Fri, 12 Jul 2013 11:21:55 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50694#M37310 Retired Member 2013-07-12T11:21:55Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50695#M37311 <HTML><HEAD></HEAD><BODY><P>Hi </P><P>We dont have the feature to turn of stateful inspection, and all traffic would always be subjected to stateful inspection.</P><P></P><P>BR,</P><P>Karthik RP</P></BODY></HTML> Fri, 12 Jul 2013 13:33:57 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50695#M37311 kprakash 2013-07-12T13:33:57Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50696#M37312 <HTML><HEAD></HEAD><BODY><P>Although we cannot disable stateful inspection, we can instruct the PA to ignore state via disabling 'Reject Non-SYN TCP'.&nbsp; The PA can ignore session state per zone via configuration under Network tab ==&gt; Zone Protection ==&gt; Packet Based Attack Protection ==&gt; TCP/IP Drop, and setting 'Reject Non-SYN TCP' to no. </P><P></P><P>To ignore session state globally for the entire PA, You can use the CLI and issue the commands as described here:</P><P></P><P><A __default_attr="3196" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>Thanks.</P></BODY></HTML> Fri, 12 Jul 2013 14:56:06 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50696#M37312 rmonvon 2013-07-12T14:56:06Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50697#M37313 <HTML><HEAD></HEAD><BODY><P>Hi rmonvon,</P><P>This would work only for TCP sessions. The UDP and protocols without port numbers ( ICMP, OSPF, PIM, ESP,etc)&nbsp; however will still have sessions established for it.</P><P></P><P>BR,</P><P>Karthik RP</P></BODY></HTML> Fri, 12 Jul 2013 15:55:52 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50697#M37313 kprakash 2013-07-12T15:55:52Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50698#M37314 <HTML><HEAD></HEAD><BODY><P>I was wondering what to do when session limit is reached.That is why asked that for.</P></BODY></HTML> Fri, 12 Jul 2013 16:00:37 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50698#M37314 Retired Member 2013-07-12T16:00:37Z https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50699#M37315 <HTML><HEAD></HEAD><BODY><P>When session limit is reached, the PA will not allow the excess sessions to pass through.&nbsp; Thanks.</P></BODY></HTML> Fri, 12 Jul 2013 16:05:22 GMT https://live.paloaltonetworks.com/t5/general-topics/session-table/m-p/50699#M37315 rmonvon 2013-07-12T16:05:22Z