About non-syn-tcp option

L3 Networker

Hello guys.

As you know, PAN has a session option called non-syn-tcp.

I have a question about non-syn-tcp.

When reject non-SYN first packet was false (when non-syn-tcp was not dropped) and a non-syn-tcp session was already established through the PAN device, if the non-syn-tcp option were changed to true, would that drop the established non-syn-tcp session?

If the configuration mode command "set deviceconfig setting session tcp-reject-non-syn yes | commit" is used, does that also drop the established non-syn-tcp session?

Thanks.

Regards.

Roh.

Accepted Solutions

L3 Networker

I use the command set deviceconfig setting session tcp-reject-non-syn no (default yes) only when doing a POC and inserting the fw in vwire mode. In this case previously established sessions continue without having AS400 users screaming all around having lost connection 🙂

In normal operations I leave it on "yes" in order to avoid security and performance issues.

2 REPLIES

L6 Presenter

As I understand PAN-OS_4.1_CLI_Reference_Guide.pdf, when you enable tcp-reject-non-syn (which is enabled by default if I'm not mistaken) a new session will only be allowed if the first packet seen is a SYN (for TCP traffic).

This will break stuff if you have asymmetric routing or for some other reason will involve a PA box in an already established flow.

By setting tcp-reject-non-syn to no you will allow the PA to set up a new (TCP) flow even if the first packet that hits your PA isn't a SYN (one could argue that by allowing (TCP) flows to establish even without the initial handshake you will in some way open up for some attacks to bypass your firewall). This can also be bad for performance reasons, where someone from the internet could send just bogus packets to your firewall and make it eat up all its session tables (compared to when a SYN is needed, the attacker would then be limited to actually using SYN as first packets for TCP traffic).
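A toy model of the behaviour this reply describes, added here as an example; it is not code from the thread or from Palo Alto Networks. The session-table size, the addresses and the packets are constructed assumptions, and the only rule modelled is "a new session may be opened by a non-SYN packet only when tcp-reject-non-syn is no".

```python
# Added example: a minimal model of a stateful firewall's TCP session table.
# Session keys, the table size and all addresses below are constructed for illustration.
from dataclasses import dataclass, field

SYN = 0x02  # TCP flag bits, as in the TCP header
ACK = 0x10


@dataclass
class SessionTable:
    """Toy session table; reject_non_syn models 'tcp-reject-non-syn yes' (the default)."""
    reject_non_syn: bool = True
    max_sessions: int = 4            # constructed: tiny table so exhaustion is visible
    sessions: set = field(default_factory=set)
    dropped: int = 0

    def process(self, src, dst, flags):
        """Return 'match', 'new' or 'drop' for one TCP packet (src/dst are 'ip:port')."""
        key = frozenset((src, dst))  # one entry per flow, regardless of direction
        if key in self.sessions:
            return "match"           # existing session: forwarded as usual
        # First packet of an unknown flow: with tcp-reject-non-syn, only a SYN may open it.
        if self.reject_non_syn and not (flags & SYN):
            self.dropped += 1
            return "drop"
        if len(self.sessions) >= self.max_sessions:
            self.dropped += 1
            return "drop"            # table exhausted: even legitimate flows fail now
        self.sessions.add(key)
        return "new"


def mid_flow_outcome(reject_non_syn):
    """Asymmetric routing case: the handshake happened elsewhere, so this firewall
    first sees the flow as a plain ACK. Returns what the firewall does with it."""
    fw = SessionTable(reject_non_syn=reject_non_syn)
    return fw.process("10.0.0.5:51000", "192.0.2.10:443", ACK)


def sessions_after_bogus_packets(reject_non_syn, count=10):
    """Unsolicited non-SYN packets from many sources, then one legitimate SYN.
    Returns (sessions consumed by the bogus packets, outcome of the legitimate SYN)."""
    fw = SessionTable(reject_non_syn=reject_non_syn)
    for i in range(count):
        fw.process(f"198.51.100.{i}:40000", "192.0.2.10:443", ACK)
    consumed = len(fw.sessions)
    legit = fw.process("10.0.0.7:52000", "192.0.2.10:443", SYN)
    return consumed, legit
```

With the default setting the mid-flow ACK is dropped (the breakage the reply warns about), while with the setting off the bogus packets consume the whole table and the later legitimate SYN is refused (the performance concern).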
