https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13389#M9815 <HTML><HEAD></HEAD><BODY><P>Hello Neilwu,</P><P></P><P>You are correct, It should send a TCP RST packet while <SPAN class="GINGER_SOFTWARE_mark">droping</SPAN> the connection in V-Wire mode too.&nbsp; </P><P></P><P>Could you please set below mentioned parameter in that profile and take <SPAN class="GINGER_SOFTWARE_mark">capture</SPAN> at both server and client. </P><P></P><P>DEFAULT ACTION<SPAN class="GINGER_SOFTWARE_mark"> :</SPAN> Reset-both</P><P>DIRECTION- Client-to-Server</P><P>AFFECTED SYSTEM: <SPAN class="GINGER_SOFTWARE_mark">Cliend</SPAN> and server</P><P></P><P>Thanks</P></BODY></HTML> Mon, 21 Apr 2014 15:28:32 GMT HULK 2014-04-21T15:28:32Z https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13386#M9812 <HTML><HEAD></HEAD><BODY><P>I can see the traffic status show "reset-server" but I can not receive RST packet for this session on the server.</P><P></P><P>So I have a question, does&nbsp; vwire mode still send&nbsp; TCP reset after drop packet ?</P><P></P><P>Thank you.</P></BODY></HTML> Fri, 18 Apr 2014 06:13:17 GMT https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13386#M9812 neilwu 2014-04-18T06:13:17Z https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13387#M9813 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>PAN firewall will not send a TCP RST packet after dropping a packet<SPAN class="GINGER_SOFTWARE_mark">,</SPAN><SPAN class="GINGER_SOFTWARE_mark">( </SPAN>it will be silently <SPAN class="GINGER_SOFTWARE_mark">drop</SPAN>).</P><P></P><P>FYI...</P><P></P><P>Currently, we can configure our security policy to allow or deny packets only. We do not have a third option called "Reject", when selected can send a TCP Reset, <SPAN class="GINGER_SOFTWARE_mark">ICMP Destination Unreachable</SPAN> and so on. There is a feature request already submitted for the same, </P><P></P><P>Feature Request: reject <SPAN class="GINGER_SOFTWARE_mark">action</SPAN> support in security rule </P><P>Request details: "Reject" <SPAN class="GINGER_SOFTWARE_mark">action</SPAN> support in security policy rule setting so that PAN device would send TCP-Reset when rejecting session. </P><P>FR ID: 408 </P><P></P><P>Thanks</P></BODY></HTML> Mon, 21 Apr 2014 06:42:17 GMT https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13387#M9813 HULK 2014-04-21T06:42:17Z https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13388#M9814 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P></P><P>Thanks for your description.</P><P></P><P>But In Vulnerability Profile Actions, It's have this option.</P><P><IMG alt="2014-04-21 17 00 53.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12948_2014-04-21 17 00 53.png" style="width: 620px; height: 83px;" /></P><P></P><P>so if I use vwire mode and set the Vulnerability Profile Actions to be reset-server, does it can still send RST ?</P><P>(In my LAB I don't receive the RST on my server)</P></BODY></HTML> Mon, 21 Apr 2014 09:03:35 GMT https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13388#M9814 neilwu 2014-04-21T09:03:35Z https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13389#M9815 <HTML><HEAD></HEAD><BODY><P>Hello Neilwu,</P><P></P><P>You are correct, It should send a TCP RST packet while <SPAN class="GINGER_SOFTWARE_mark">droping</SPAN> the connection in V-Wire mode too.&nbsp; </P><P></P><P>Could you please set below mentioned parameter in that profile and take <SPAN class="GINGER_SOFTWARE_mark">capture</SPAN> at both server and client. </P><P></P><P>DEFAULT ACTION<SPAN class="GINGER_SOFTWARE_mark"> :</SPAN> Reset-both</P><P>DIRECTION- Client-to-Server</P><P>AFFECTED SYSTEM: <SPAN class="GINGER_SOFTWARE_mark">Cliend</SPAN> and server</P><P></P><P>Thanks</P></BODY></HTML> Mon, 21 Apr 2014 15:28:32 GMT https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13389#M9815 HULK 2014-04-21T15:28:32Z https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13390#M9816 <HTML><HEAD></HEAD><BODY><P>If you are blocking an application, about 25% of the applications send a TCP RST. Unfortunately this list is not published.</P><P></P><P>If you suspect the Paloalto is sending the TCP reset, use this command to verify.</P><P></P><P>admin@PA-200&gt;</P><P>admin@PA-200&gt; show counter global | match RST</P><P>flow_action_close&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7971&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pktproc&nbsp;&nbsp; TCP sessions closed via injecting RST</P><P>flow_action_reset&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 239&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; flow&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pktproc&nbsp;&nbsp; TCP clients reset via responding RST</P><P>admin@PA-200&gt;</P><P></P><P>Since the VWIRE is supposed to be transparent, when the PAN sends the RESET it spoofs the MAC address instead of using a PAN MAC address. The RST will apear to come from one of the next hop gateways. Whatever MAC address is used by the conversation and does not belong to the end point being reset.</P></BODY></HTML> Tue, 22 Apr 2014 17:56:59 GMT https://live.paloaltonetworks.com/t5/general-topics/does-vwire-mode-still-send-tcp-reset-after-drop-packet/m-p/13390#M9816 skrall 2014-04-22T17:56:59Z