How to Determine the Number of Rejected Non-SYN TCP Packets

Created On 09/25/18 19:24 PM - Last Modified 06/05/23 07:57 AM


Resolution


To check the current setting (default value=true):

> show session info | match non-SYN

  TCP - reject non-SYN first packet:             True

 

To enable the rejection of Non-SYN TCP packets, run the following CLI command:

> set session tcp-reject-non-syn yes

Note: The above command will not be permanent unless issued from configuration mode.

To make the change permanent, issue the following command in configuration mode:

# set deviceconfig setting session tcp-reject-non-syn yes

 

To monitor the packet drops, run the following commands:

> show counter global filter delta yes packet-filter yes | match syn

> show counter global filter delta yes packet-filter yes | match drop
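
The following is an added example, not part of the original article: a small Python parser that reads saved output of the counter command above and totals the dropped non-SYN packets for the sampling interval. The sample output, including the counter names, values and column layout, is constructed for illustration and is an assumption about what the device prints.

```python
import re

# Constructed sample of saved CLI output. The counter names, values and column
# layout are assumptions for illustration, not taken from the article.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 12.005 seconds

name                       value  rate severity category aspect   description
--------------------------------------------------------------------------------
flow_tcp_non_syn              14     1 info     flow     session  Non-SYN TCP packets without session match
flow_tcp_non_syn_drop         14     1 drop     flow     session  Packets dropped: non-SYN TCP without session match
flow_policy_deny               3     0 drop     flow     session  Session setup: denied by policy
--------------------------------------------------------------------------------
Total counters shown: 3
"""

# One counter row: name, delta value, rate, severity, category, aspect, description.
ROW = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.+)$"
)

def parse_counters(text):
    """Return counter rows as dicts, skipping headers, rulers and totals."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows.append(row)
    return rows

def drops_by_counter(text):
    """Delta value for each counter whose severity column is 'drop'."""
    return {r["name"]: r["value"] for r in parse_counters(text) if r["severity"] == "drop"}

def non_syn_drops(text):
    """Total dropped non-SYN packets in the sampling interval."""
    return sum(v for name, v in drops_by_counter(text).items() if "non_syn" in name)

if __name__ == "__main__":
    print("drop counters:", drops_by_counter(SAMPLE))
    print("non-SYN TCP drops since last sample:", non_syn_drops(SAMPLE))
```

Because the command uses `delta yes`, each value covers only the time since the previous sample, so successive runs should be summed to get a running total.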

 

owner: panagent


