How to Set the Palo Alto Networks Firewall to Allow Non-Syn First Packet

311263
Created On 09/25/18 17:30 PM - Last Modified 06/08/23 02:09 AM


Environment


  • Any PAN-OS
  • Any Firewall


Resolution


Overview

By default, the Palo Alto Networks firewall rejects, as a security measure, a first packet that does not have the SYN flag set. A normal TCP connection starts with a three-way handshake, so if the first packet the firewall sees for a session is not a SYN, it is unlikely to belong to a valid connection and the firewall discards it.

 

On rare occasions it can be necessary to allow such packets through without this security check. Asymmetric routing is the usual reason this feature needs to be disabled.

 

Details

  • To disable the option permanently, run the following CLI commands:
    > configure
    # set deviceconfig setting session tcp-reject-non-syn no
    # commit

  • Turn the feature back on with the following CLI commands:
    > configure
    # set deviceconfig setting session tcp-reject-non-syn yes
    # commit

  • To temporarily allow non-SYN TCP packets, run the following operational command (not in configure mode):
    > set session tcp-reject-non-syn no
    Note: This setting is temporary; rejection is turned back on after a commit (or any change that triggers a commit) or a reboot.

  • Additionally, these settings can be changed in the GUI per zone with a Zone Protection profile, as shown below:
    1. Go to Network > Zone Protection
    2. Click on Add
    3. Select Packet Based Attack Protection > TCP/IP Drop
      [Screenshot: Zone Protection Profile, Packet Based Attack Protection > TCP/IP Drop tab]
  • To view definitions for Packet-Based Attack Protection, click the help ('?') link at the top right corner of the window. Some important definitions are detailed below:
    • Reject Non-SYN TCP - Determines whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
      • Global - Use the system-wide setting that is assigned through the CLI
      • yes - Reject non-SYN TCP
      • no - Accept non-SYN TCP
        Note: Allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs.

 

    • Asymmetric Path - Determines whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
      • global - Use the system-wide setting that is assigned through the CLI
      • drop - Drop packets that contain an asymmetric path
      • bypass - Bypass scanning on packets that contain an asymmetric path

 

  • Apply this Zone Protection Profile to the desired interface/zone by going to Network > Zones. The example below shows zones with no Zone Protection Profile assigned.

[Screenshot: Network > Zones, Zone Protection Profile column empty]

  • Click the zone, for example "Untrust1," to add the Zone Protection Profile, and select it from the drop-down menu under Zone Protection Profile as shown below.

[Screenshot: Zone dialog for "Untrust1" with the Zone Protection Profile drop-down]

  • Once the desired Zone Protection Profile has been selected, click OK. The example below shows the "Untrust1" zone with the Zone Protection Profile "Recon-Protect-Alert".

[Screenshot: Network > Zones showing "Untrust1" with profile "Recon-Protect-Alert"]

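Because the permanent and temporary forms of this setting behave differently across commits, an operator auditing a firewall wants to know both the committed value and the live value. The following Python script is an added example, not part of this article or of PAN-OS; it parses a constructed 'set'-format config export (the line is the one the CLI commands above produce) and a constructed excerpt of 'show session info' output (the exact label of the non-SYN line is an assumption) and reports the findings a reviewer would raise.

```python
import re
from typing import List, Optional

# Constructed sample of a running config exported in 'set' format; the
# tcp-reject-non-syn line is the one the CLI commands above produce.
SAMPLE_SET_CONFIG = """\
set deviceconfig system hostname fw-edge-01
set deviceconfig setting session tcp-reject-non-syn no
set deviceconfig setting session tcp-bypass-exceed-oo-queue no
"""

# Constructed excerpt of 'show session info' output; the label of the
# non-SYN line is an assumption about PAN-OS output formatting.
SAMPLE_SESSION_INFO = """\
Session accelerated aging:                       True
TCP - reject non-SYN first packet:               False
Hardware session offloading:                     True
"""

def committed_reject_non_syn(set_config: str) -> bool:
    """True if the committed config rejects non-SYN first packets.
    An absent line means the PAN-OS default (reject) applies."""
    m = re.search(r"^set deviceconfig setting session tcp-reject-non-syn (yes|no)\s*$",
                  set_config, re.MULTILINE)
    return m is None or m.group(1) == "yes"

def runtime_reject_non_syn(session_info: str) -> Optional[bool]:
    """Live value from 'show session info', or None if the line is missing."""
    m = re.search(r"^TCP - reject non-SYN first packet:\s*(True|False)\s*$",
                  session_info, re.MULTILINE)
    return None if m is None else m.group(1) == "True"

def audit(set_config: str, session_info: str) -> List[str]:
    """Findings a reviewer would want: a permanent disable, or a runtime
    override that silently reverts on the next commit or reboot."""
    findings = []
    committed = committed_reject_non_syn(set_config)
    runtime = runtime_reject_non_syn(session_info)
    if not committed:
        findings.append("committed config disables non-SYN first-packet rejection; "
                        "confirm asymmetric routing justifies it")
    if runtime is False and committed:
        findings.append("runtime override active ('set session tcp-reject-non-syn no'); "
                        "it will revert on the next commit or reboot")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SET_CONFIG, SAMPLE_SESSION_INFO):
        print("FINDING:", finding)
```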
 

owner: ppatel



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail