<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?) in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/rst-first-packet-isn-t-a-syn-flows-rst-both-deny-action-for-nfs/m-p/355727#M87575</link>
    <description>&lt;P&gt;The deny action is not configured in the application, but is set in the policy. Some applications have a deny action, which is the default action the firewall will take if you set the security policy to 'deny' instead of drop.&lt;/P&gt;&lt;P&gt;If you want more control over the deny action, you need to set the security rule to reset client/server/both, and/or enable 'send ICMP unreachable'.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These actions, however, will only apply to 'new' sessions if they get discarded by security policy. Any sessions that are interrupted halfway through by an admin clearing the session will see follow-up packets discarded as 'illegal' packets (non-SYN TCP etc.), which is part of TCP protection and no longer security policy decisions. These types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet-based attacks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 12 Oct 2020 09:07:13 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2020-10-12T09:07:13Z</dc:date>
    <item>
      <title>RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rst-first-packet-isn-t-a-syn-flows-rst-both-deny-action-for-nfs/m-p/355595#M87561</link>
      <description>&lt;P&gt;Hi Experts,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm right now dealing with a situation where occasionally I need to reset NFS sessions within an HA A/A PA 5220 cluster (see also&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-connection-sent-out/td-p/355556" target="_blank"&gt;https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-connection-sent-out/td-p/355556&lt;/A&gt;).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;More generally, how can I configure the Palo Alto Firewall to RST (instead of dropping, as I figured out based on several packet capture analyses) PSH.ACK TCP segments for TCP sessions for given applications (like NFS - where apparently there's no configured / configurable deny action at application level - see next point) flowing across the firewall and "belonging" to former TCP sessions which are no longer existing within the Firewall Session Table (due to the fact that, for example, an admin manually cleared those sessions)?&lt;BR /&gt;&lt;BR /&gt;Do I need to perform this at Policy level?
Can this be configured at Platform wide level?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And another question:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I recently read this post:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811" target="_blank"&gt;https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;which provided me with useful insights as to how the Palo Alto Firewall resets / drops application traffic - however, for the NFS application case that I'm focusing on right now I do not see the possibility to configure any "deny action":&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CarloTaddei_0-1602397214713.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28167i761A87F759461596/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="CarloTaddei_0-1602397214713.png" alt="CarloTaddei_0-1602397214713.png" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nfs.PNG" style="width: 814px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28168i3DF2FD497AC8BEE6/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="nfs.PNG" alt="nfs.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've also checked the "depends on" and "implicitly uses" applications (portmapper and rpc for the nfs case) - none of them offers the possibility to configure a "deny action".&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for the clarification&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 11 Oct 2020 06:35:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rst-first-packet-isn-t-a-syn-flows-rst-both-deny-action-for-nfs/m-p/355595#M87561</guid>
      <dc:creator>CarloTaddei</dc:creator>
      <dc:date>2020-10-11T06:35:37Z</dc:date>
    </item>
    <item>
      <title>Re: RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/rst-first-packet-isn-t-a-syn-flows-rst-both-deny-action-for-nfs/m-p/355727#M87575</link>
      <description>&lt;P&gt;The deny action is not configured in the application, but is set in the policy. Some applications have a deny action, which is the default action the firewall will take if you set the security policy to 'deny' instead of drop.&lt;/P&gt;&lt;P&gt;If you want more control over the deny action, you need to set the security rule to reset client/server/both, and/or enable 'send ICMP unreachable'.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These actions, however, will only apply to 'new' sessions if they get discarded by security policy. Any sessions that are interrupted halfway through by an admin clearing the session will see follow-up packets discarded as 'illegal' packets (non-SYN TCP etc.), which is part of TCP protection and no longer security policy decisions. These types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet-based attacks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 12 Oct 2020 09:07:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/rst-first-packet-isn-t-a-syn-flows-rst-both-deny-action-for-nfs/m-p/355727#M87575</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2020-10-12T09:07:13Z</dc:date>
    </item>
  </channel>
</rss>