https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68975#M40116 <P>Yep. &nbsp;This is it. &nbsp;It will not log it to the monitor but will acrrue counters against&nbsp;the global TCP counters. &nbsp;</P> <P>&nbsp;</P> <P>Thanks all!</P> Thu, 03 Dec 2015 17:59:08 GMT mrcs 2015-12-03T17:59:08Z https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68963#M40107 <P>I feel like I should already know this, but I just need a sanity check.</P> <P>&nbsp;</P> <P>I have a rule that allows host A to B via tcp/900. &nbsp;So host A starts to communicate via host B via that port. &nbsp;The firewall allows it and a session is created. &nbsp;Now, assume A and B stop talking but don't formally close the session. &nbsp;After the default timer, the PAN closes that session. &nbsp;Now, A tries to communicate to B b/c it still thinks it has an active session. &nbsp;When that traffic hits the firewall, should it show up in the monitor log as a "deny"? &nbsp;Will it just silently drop the packet? &nbsp;Will it try to start a new session and I'd see a new "start" in the monitor?</P> Thu, 03 Dec 2015 15:27:54 GMT https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68963#M40107 mrcs 2015-12-03T15:27:54Z https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68964#M40108 <P>B probably take this new session as new.</P> <P>Firewall sees this as new if this has expired in firewa..</P> <P>Source port is usually diferent for diferent sessions even if destination port is 900 in both cases.</P> <P>Also new session starts with new SYN so B should take it as new.</P> Thu, 03 Dec 2015 15:48:31 GMT https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68964#M40108 Raido_Rattameister 2015-12-03T15:48:31Z https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68969#M40113 <P>Hi,</P> <P>&nbsp;</P> <P>The firewall will silently drop the packets, unless you entered the command "set session tcp-reject-non-syn no" in the CLI. Eventually, the OS of the client will notice that there are no ACKs and will close or reset the connection. Apparently, it can takes a couple minutes for that to happen. If it's a problem for you, you can change the timer for specific applications (or system-wide, but I wouldn't do that). You could also make sure the client application sends packets from time to time to keep the session alive.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Benjamin</P> Thu, 03 Dec 2015 16:13:25 GMT https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68969#M40113 BenjAudy.MTL 2015-12-03T16:13:25Z https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68971#M40114 <P>Right.</P> <P>I missed the part that A still thinks that session is active.</P> <P>In this case yes fw will drop those packets.</P> Thu, 03 Dec 2015 16:44:08 GMT https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68971#M40114 Raido_Rattameister 2015-12-03T16:44:08Z https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68975#M40116 <P>Yep. &nbsp;This is it. &nbsp;It will not log it to the monitor but will acrrue counters against&nbsp;the global TCP counters. &nbsp;</P> <P>&nbsp;</P> <P>Thanks all!</P> Thu, 03 Dec 2015 17:59:08 GMT https://live.paloaltonetworks.com/t5/general-topics/rudimentary-tcp-session-and-monitor-question/m-p/68975#M40116 mrcs 2015-12-03T17:59:08Z