drop-reset application list

L2 Linker

drop-reset application list

Hello,

I found this explanation about TCP REJECT today:

"The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.

For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.

For client-server apps that are based on http (or other protocols that we have decoders for), we generally use drop-reset if the app is considered harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards."

Where could I get information about drop-reset implementation on apps? Could this information be added on applipedia?

If this information is not available for customers, could you tell me which action is chosen for skype app? You can contact me by email if necessary.

Best Regards,

Emmanuel

L6 Presenter

Re: drop-reset application list

Hi...Since skype is not a browser-based app, the deny action would be a drop action. You can confirm by blocking skype and performing a packet capture of the traffic. Thanks.

L2 Linker

Re: drop-reset application list

Thank you for this answer.

This is a problem because Skype opens many TCP connections which then remain in the INIT state. As MS Windows allows only a limited number of simultaneous connections, all other connection attempts are slowed and users are complaining.

Please could you confirm that the deny action is a drop and not a drop-reset?

In this case we will need to find a workaround, and this will generate delay and additional cost for us.

As already said by many users, we would appreciate having the opportunity to choose the action ourselves!

Best Regards

L6 Presenter

Re: drop-reset application list

The users can't use skype since you're blocking skype anyway. Even with drop-reset, skype will retry and open new connections again. Can they sign out of skype? Then skype won't take up the computer's resources. Thanks.

L2 Linker

Re: drop-reset application list

It seems you didn't understand the problem. Better to tell me that if I don't want skype on my network, skype should not be installed on computers... Easy to say, no?

In addition, you didn't answer all questions:

Where could I get information about drop-reset implementation on apps? Could this information be added on applipedia?

Last but not least, we need to be able to choose the type of deny action, but this is another topic.
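One way to read the packet capture suggested earlier in this thread, as an added example that is not part of the original posts and not vendor code: it labels each client-opened TCP flow as reset, silently dropped, or answered. It assumes a client-side capture printed as `tcpdump -nn -tt` text; the sample lines, addresses, the `classify_flows` name and the `min_unanswered` threshold are constructed for illustration.

```python
import re

# Constructed lines in `tcpdump -nn -tt` text format (not a real capture).
SAMPLE = """\
1.000000 IP 10.0.0.5.50001 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0
1.001000 IP 203.0.113.10.443 > 10.0.0.5.50001: Flags [S.], seq 900, ack 101, win 65535, length 0
1.002000 IP 10.0.0.5.50001 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
1.003000 IP 10.0.0.5.50001 > 203.0.113.10.443: Flags [P.], seq 1:73, ack 1, win 64240, length 72
1.004000 IP 203.0.113.10.443 > 10.0.0.5.50001: Flags [R.], seq 1, ack 73, win 0, length 0
2.000000 IP 10.0.0.5.50002 > 203.0.113.10.443: Flags [S], seq 200, win 64240, length 0
2.001000 IP 203.0.113.10.443 > 10.0.0.5.50002: Flags [S.], seq 700, ack 201, win 65535, length 0
2.002000 IP 10.0.0.5.50002 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
2.003000 IP 10.0.0.5.50002 > 203.0.113.10.443: Flags [P.], seq 1:73, ack 1, win 64240, length 72
2.303000 IP 10.0.0.5.50002 > 203.0.113.10.443: Flags [P.], seq 1:73, ack 1, win 64240, length 72
3.000000 IP 10.0.0.5.50003 > 203.0.113.10.443: Flags [S], seq 300, win 64240, length 0
3.001000 IP 203.0.113.10.443 > 10.0.0.5.50003: Flags [S.], seq 500, ack 301, win 65535, length 0
3.002000 IP 10.0.0.5.50003 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
3.003000 IP 10.0.0.5.50003 > 203.0.113.10.443: Flags [P.], seq 1:73, ack 1, win 64240, length 72
3.020000 IP 203.0.113.10.443 > 10.0.0.5.50003: Flags [P.], seq 1:120, ack 73, win 65535, length 119
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\].* length (\d+)")

def classify_flows(capture, min_unanswered=2):
    """Label each client-opened flow 'drop-reset', 'drop' or 'answered'."""
    flows = {}  # (client, server) -> {"rst": bool, "unanswered": int}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        if flags == "S":  # bare SYN: src is the client opening the flow
            flows.setdefault((src, dst), {"rst": False, "unanswered": 0})
        if (src, dst) in flows:  # client -> server
            if "S" in flags or length > 0:  # only SYNs and payload need a reply
                flows[(src, dst)]["unanswered"] += 1
        elif (dst, src) in flows:  # packet carrying the server's address as source
            state = flows[(dst, src)]
            state["unanswered"] = 0
            state["rst"] = state["rst"] or "R" in flags
    # RST seen -> drop-reset; repeated sends with no reply at all -> drop.
    return {c: "drop-reset" if s["rst"] else
               "drop" if s["unanswered"] >= min_unanswered else "answered"
            for (c, _), s in flows.items()}

if __name__ == "__main__":
    print(classify_flows(SAMPLE))
```

A flow labelled `drop` is the case described above where the client keeps the connection open and retransmitting, while `drop-reset` lets the client tear the socket down immediately.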
