No RST connection

Reply
Highlighted
L0 Member

No RST connection

Hi, my scenario is:  one Security Rule that allow one IP of inside (10.10.10.1) to outside with ftp application. I've captured traffic and I see that the three way handshake begins but when Palo Alto detects that the traffic is not ftp, it doesn't send RST to the client, simply doesn't respond. This is a problem if the client application has high timeout.

Is this the way Palo Alto works??

Is there any way to change this behavior in order to Palo Alto sends a RST to client in this situation?..

Thank you in advance.

Samuel

Tags (4)
L6 Presenter

Re: No RST connection

The Palo Alto firewall only sends RST traffic to terminate traffic that matches a Threat.

The PA firewall does not have an option to send RST packets for applications that do not match the security rule's allowed application list.

Client applications that complete a TCP three-way handshake will sit in an idle state until their TCP session timer expires.

L7 Applicator

Re: No RST connection

Hi Samuel

This is by design.

This can actually be a dangerous feature if implemented incorrectly, since it will allow agressive applications (the ones that just keep trying to connect) or mallicious users to generate much higher connection rates since they don't have to wait for the timeout.

There is currently no possibility to enable sending of RST packets

regards

Tom

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!