About non-syn-tcp option

L3 Networker

Hello guys.

As you know, PAN has a session option called non-syn-tcp.

I have a question about non-syn-tcp.

When "reject non-SYN first packet" was false (when non-syn-tcp was not dropped) and a non-syn-tcp session was already established through the PAN device, if the non-syn-tcp option were changed to true, does that drop the already established non-syn-tcp session?

If the configuration-mode command "set deviceconfig setting session tcp-reject-non-syn yes | commit" is used, does that also drop established non-syn-tcp sessions?

Thanks.

Regards.

Roh.


Accepted Solutions
L3 Networker

I use the command set deviceconfig setting session tcp-reject-non-syn no (default yes) only when doing a POC and inserting the fw in vwire mode. In this case previously established sessions continue without having AS400 users screaming all around having lost connection :-)

In normal operations I leave it on "yes" in order to avoid security and performance issues.


All Replies
L6 Presenter

As I understand PAN-OS_4.1_CLI_Reference_Guide.pdf, when you enable tcp-reject-non-syn (which is enabled by default if I'm not mistaken) a new session will only be allowed if the first packet seen is a SYN (for TCP traffic).

This will break stuff if you have asymmetric routing or for some other reason will involve a PA box in an already established flow.

By setting tcp-reject-non-syn to no you will allow the PA to set up a new (TCP) flow even if the first packet that hits your PA isn't a SYN (one could argue that by allowing (TCP) flows to establish even without the initial handshake you will in some way open up for some attacks to bypass your firewall). This can also be bad for performance reasons, where someone from the internet could send just bogus packets to your firewall and make it eat up all its session tables (compared to when a SYN is needed, the attacker would then be limited to actually using SYN as the first packet for TCP traffic).
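To make the two behaviours described above concrete, here is a small model of a stateful firewall's TCP session table under each setting of tcp-reject-non-syn. This is an added illustration, not code from the thread or from Palo Alto Networks: the session key (5-tuple), the fixed table capacity, the packet trace and the addresses are all constructed, and the model only covers admission of new sessions; it says nothing about what happens to entries that already exist when the setting is changed, which is the original poster's question and is not answered by the replies.

```python
"""Toy model of new-session admission on a stateful firewall, comparing
tcp-reject-non-syn = yes (PAN-OS default) with tcp-reject-non-syn = no.

Assumptions (constructed for this example): sessions are keyed by the
4-tuple (src, sport, dst, dport); the table has a small fixed capacity;
a "non-SYN first packet" is any packet with no matching session whose
flags do not include SYN.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class SessionTable:
    reject_non_syn: bool = True   # "yes" is the PAN-OS default per the thread
    capacity: int = 4             # constructed, deliberately tiny
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        """Classify one packet: 'existing', 'new', 'rejected-non-syn' or 'table-full'."""
        if pkt.key in self.sessions:
            return "existing"                     # mid-flow packet of a known session
        if "SYN" not in pkt.flags and self.reject_non_syn:
            self.dropped.append(pkt)
            return "rejected-non-syn"             # no handshake seen: refuse a session
        if len(self.sessions) >= self.capacity:
            self.dropped.append(pkt)
            return "table-full"                   # no room left for any new session
        self.sessions.add(pkt.key)
        return "new"


def simulate(reject_non_syn: bool) -> dict:
    """Run a constructed packet trace through the model and summarise the outcome."""
    table = SessionTable(reject_non_syn=reject_non_syn)

    # 1. A flow that was established before the firewall was inserted inline
    #    (the vwire PoC case): the first packet the firewall sees is a bare ACK.
    midstream = Packet("10.0.0.5", 40001, "10.0.1.9", 23, frozenset({"ACK"}))

    # 2. Stray non-SYN packets with no matching session, each on a new source port.
    stray = [Packet("203.0.113.7", 50000 + i, "10.0.1.9", 443, frozenset({"ACK"}))
             for i in range(4)]

    # 3. A legitimate new connection that starts with a proper SYN, arriving last.
    legit_syn = Packet("10.0.0.6", 40002, "10.0.1.9", 443, frozenset({"SYN"}))

    return {
        "midstream": table.process(midstream),
        "stray": [table.process(p) for p in stray],
        "legit_syn": table.process(legit_syn),
        "sessions_used": len(table.sessions),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"tcp-reject-non-syn={'yes' if setting else 'no'}: {simulate(setting)}")
```

With the default "yes", the mid-stream flow is refused (the breakage the reply warns about) but the stray non-SYN packets never consume a table entry, so the later legitimate SYN is admitted. With "no", the mid-stream flow is picked up, but the stray packets fill the tiny table and the legitimate SYN is turned away; that is the performance concern the reply describes, scaled down to four slots.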
