https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50859#M37424 <HTML><HEAD></HEAD><BODY><P>Thank you for this answer.</P><P>This is a problem because Skype opens many TCP connections which then remain in the INIT state. As MS Windows allows only limited number of simultaneous connections, all other connection attempts are slowed and users are complaining.</P><P></P><P>Please could you confirm that the deny action is a drop and not a drop-reset ?</P><P></P><P>In this case we will need to find a workaround, and this will generate delay and additional cost for us.</P><P>As already said by many users, we would appreciate to have the opportunity to choose the action by ourselves !</P><P></P><P>Best Regards</P></BODY></HTML> Fri, 25 May 2012 15:16:11 GMT Duplem 2012-05-25T15:16:11Z https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50857#M37422 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I found this explanation about TCP REJECT today :</P><P class="MsoNormal"><SPAN style="color: #0000ff;">"The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.</SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;">For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.</SPAN></P><P class="MsoNormal"><SPAN style="color: #0000ff;">For&nbsp; client-server apps that are based on http (or other protocols that we&nbsp; have decoders for), we generally use drop-reset if the app is considered&nbsp; harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards."</SPAN></P><P></P><P>Where could I get information about drop-reset implementation on apps ? Could this information be added on applipedia ?</P><P>If this information is not available for customers, could you tell me which action is choosed for skype app ? You can contact me by email if necessary.</P><P></P><P>Best Regards,</P><P></P><P>Emmanuel</P></BODY></HTML> Wed, 23 May 2012 14:40:57 GMT https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50857#M37422 Duplem 2012-05-23T14:40:57Z https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50858#M37423 <HTML><HEAD></HEAD><BODY><P>Hi...Since skype is not a browser-based app, the deny action would be a drop action.&nbsp; You can confirm by blocking skype and performing a packet capture of the traffic.&nbsp; Thanks.</P></BODY></HTML> Fri, 25 May 2012 15:01:46 GMT https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50858#M37423 rmonvon 2012-05-25T15:01:46Z https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50859#M37424 <HTML><HEAD></HEAD><BODY><P>Thank you for this answer.</P><P>This is a problem because Skype opens many TCP connections which then remain in the INIT state. As MS Windows allows only limited number of simultaneous connections, all other connection attempts are slowed and users are complaining.</P><P></P><P>Please could you confirm that the deny action is a drop and not a drop-reset ?</P><P></P><P>In this case we will need to find a workaround, and this will generate delay and additional cost for us.</P><P>As already said by many users, we would appreciate to have the opportunity to choose the action by ourselves !</P><P></P><P>Best Regards</P></BODY></HTML> Fri, 25 May 2012 15:16:11 GMT https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50859#M37424 Duplem 2012-05-25T15:16:11Z https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50860#M37425 <HTML><HEAD></HEAD><BODY><P>The users can't use skype since you're blocking skype anyway.&nbsp; Even with drop-reset, skype will retry and open new connections again.&nbsp; Can they signed out of skype then skype won't take up the computer's resource.&nbsp; Thanks.</P></BODY></HTML> Fri, 25 May 2012 15:21:47 GMT https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50860#M37425 rmonvon 2012-05-25T15:21:47Z https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50861#M37426 <HTML><HEAD></HEAD><BODY><P>It seems you didn't understood the problem. Better say me that if I don't want skype on my network, skype should not be installed on computers... Easy to say, no&nbsp; ?</P><P></P><P>In addition, you didn't answer all questions :</P><P>Where could I get information about drop-reset implementation on apps ? Could this information be added on applipedia ?</P><P></P><P>Last but not least, we <STRONG>need</STRONG> to be able to choose the type of deny action, but this is another topic.</P></BODY></HTML> Wed, 27 Jun 2012 13:49:08 GMT https://live.paloaltonetworks.com/t5/general-topics/drop-reset-application-list/m-p/50861#M37426 Duplem 2012-06-27T13:49:08Z