What a difference a Deny makes

by Community Manager ‎11-27-2017 05:36 AM - edited ‎11-28-2017 07:42 AM (22,602 Views)

I had an interesting discussion with @soporteseguridad the other day where we tried to figure out some unexpected packets he was seeing on his external router.

The security policy was set to block all SMB packets, based on their service port, rather than the application. The external router, however, was still picking up packets with destination port 445 so we wanted to figure out why.

deny policy.pngSecurity policy with action Deny

 

The firewall will treat sessions differently depending on how the security policy has been set up and which decissions have been made in favor of alternatives: When a policy is created to block a specific application, the only way for the firewall to find out which application is used in a specific session, is to let packets tricke through and a session to be established. Once the session has been established, the firewall will be able to identify an application based on the payload of the packets and how the session behaves. For example if the server sends a response 220 and the client replies with an ack, the application will be FTP, if the client sends out an HTTP GET, it's going to be web-browsing.

For this stage to be reached, however, the TCP handshake needs to be allowed through, even though the security policy eventually is set to block the application.

handshake required.pngTCP handshake will need to be allowed for this policy to match and Deny to be applied

If the security policy is set to 'any' application and has only services (or another 'any' in the services) with the action set to drop, the SYN packets will be immediately dropped upon receipt because there is no need to identify the application,

policy drop.pngPackets will immediately be discarded by this security policy, no handshake required

 

One exception to this last policy behavior is when the securtity policy action is set to 'Deny'. This is where 'the devil is in the details':

The drop action simply drops all packets silently, the Deny action implies a reset action, which may be desirable in some scenarios, but there are also separate reset actions for each direction:

security policy actions.pngSecurity Policy Reset Actions

 

So what makes 'Deny' so special?

The 'Deny' action applies an action that is preferred per specific application. Some applications can be silently dropped after being identified while others may be better served by being sent a reset to terminate the session.

Deny action application preference.pngThe Deny action refers to the applications' Deny Action

So, choose wisely when deciding which actions to apply to your security policies; several different ones are available to allow you more control over how to handle specific applications.

 

 

You can follow the original discussion here: PA SMB deny behaviour

Last year I had a similar discussion about the other options in the firewall action, you can check it here: reset-client vs. reset-server

 

 

Reaper out

Comments
by jyates
on ‎11-29-2017 08:46 AM

Nice post, well-written.

by epeeler
on ‎11-30-2017 08:17 AM

So in the very top example with application set to any and the service identified but with action set to deny, the firewall is still having to ID the app to determine what the correct "deny" action is.  Is that correct?

by Community Manager
on ‎11-30-2017 10:05 AM

@epeeler that's correct

'Deny' is app dependent whereas 'Drop' is not

by epeeler
on ‎11-30-2017 10:57 AM

Great info. Excellent post, thank you!

Ask Questions Get Answers Join the Live Community
Labels