- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-09-2012 11:41 PM
Hello guys.
As you know that PAN has got a option of session that non-syn-tcp.
I have a question about non-syn-tcp.
When reject non-SYN first packet was false (when non-syn-tcp was not dropeed) and non-syn-tcp session already establised throught PAN device If non-syn-tcp option were changed to true that makes drop session that established non-syn-tcp session?
If it used command of configureation mode "set deviceconfig setting session tcp-reject-non-syn yes | commit", that makes drop also established non-syn-tcp session?
Thanks.
Regards.
Roh.
05-10-2012 05:07 AM
I use the command set deviceconfig setting session tcp-reject-non-syn no (default yes) only when doing a POC and inserting the fw in vwire mode. In this case previous established sessions continue without having AS400 users screaming all arount having lost connection 🙂
In normal operations I let on "yes" in order to avoid secuirtyy and performace issues.
05-10-2012 01:28 AM
As I understand PAN-OS_4.1_CLI_Reference_Guide.pdf when you enable tcp-reject-non-syn (which is enabled by default if im not mistaken) a new session will only be allowed if the first packet seen is a syn (for tcp traffic).
This will break stuff if you have asymetric routing or for some other reason will involve a PA box in an already established flow.
By setting tcp-reject-non-syn to no you will allow the PA to setup a new (tcp) flow even if the first packet that hit your PA isnt a syn (one could argue that by allowing (tcp) flows to establish even without initial handshake you will in some way open up for some attacks to bypass your firewall). This can also be bad for performance reasons where someone from internet could send just bogus packets to your firewall and make it eat up all its sessiontables (compared to when a syn is needed, the attacker would then be limited to actually use syn as first packets for tcp traffic).
05-10-2012 05:07 AM
I use the command set deviceconfig setting session tcp-reject-non-syn no (default yes) only when doing a POC and inserting the fw in vwire mode. In this case previous established sessions continue without having AS400 users screaming all arount having lost connection 🙂
In normal operations I let on "yes" in order to avoid secuirtyy and performace issues.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!