10-14-2011 05:26 AM
Hi
I am not sure if PA box could default check TCP sequence number ... have CLI cmd to trigger this checking
Jeff Jin
10-14-2011 06:54 AM
Not sure if this is what you're looking for but here are some tcp settings options. This is through the configure mode to make it persistent.
# set deviceconfig setting tcp
  bypass-exceed-oo-queue   whether to skip inspection of session if out-of-order packets limit is exceeded
  drop-out-of-wnd          drop/allow out of window packets, also control enable/disable TCP sequence number check for FIN/RST
  favor-new-seg            whether to favor new segments when overlapping happens
  out-of-sync              actions for out of sync tcp sessions (ACK is out of sync with TCP sliding window tracking)
  urgent-data              clear urgent flag in TCP header
-Renato
10-14-2011 08:08 AM
Jeff,
TCP sequence number checking is enabled by default. You can turn it off if you wish using the command above.
Thanks
12-12-2012 07:19 AM
I cannot find the command for the drop-out-of-wnd parameter in PAN-OS 4.1 and 5.0.
Is this command changed?
12-12-2012 09:30 AM
Yes, it has. The new command is:
# set deviceconfig setting tcp asymmetric-path bypass
You'll need to follow that with a commit for it to take effect.
-Greg
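What an out-of-window sequence check does, and how a drop versus bypass setting changes the result, shown as an added example (not from the thread and not PAN-OS code). It applies the RFC 793 segment acceptability test; `FlowState`, `classify`, the verdict strings, the fixed 512-byte window and the sample segments are constructed for illustration, and treating `bypass` as "let the packet through without the check" is an assumption about the setting named above.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def seq_in_window(seq, length, rcv_nxt, rcv_wnd):
    """RFC 793 segment acceptability test, computed modulo 2**32."""
    def inside(s):
        return (s - rcv_nxt) % MOD < rcv_wnd
    if length == 0:
        # Zero-length segment: pure ACK, bare FIN or RST
        return seq == rcv_nxt if rcv_wnd == 0 else inside(seq)
    if rcv_wnd == 0:
        return False
    # Data is acceptable if its first or last byte falls in the window
    return inside(seq) or inside((seq + length - 1) % MOD)

class FlowState:
    """One direction of a tracked session (hypothetical class)."""
    def __init__(self, rcv_nxt, rcv_wnd, policy="drop"):
        if policy not in ("drop", "bypass"):
            raise ValueError("policy must be 'drop' or 'bypass'")
        self.rcv_nxt, self.rcv_wnd, self.policy = rcv_nxt, rcv_wnd, policy

    def verdict(self, seq, length=0, flags=""):
        if seq_in_window(seq, length, self.rcv_nxt, self.rcv_wnd):
            if seq == self.rcv_nxt:
                # In-order data advances the expected sequence; FIN consumes one
                self.rcv_nxt = (seq + length + ("F" in flags)) % MOD
            return "inspect"
        # Out of window: the configured policy decides (assumed semantics)
        return "drop" if self.policy == "drop" else "bypass"

def classify(policy, segments, rcv_nxt=0xFFFFFF00, rcv_wnd=512):
    flow = FlowState(rcv_nxt, rcv_wnd, policy)
    return [flow.verdict(*seg) for seg in segments]

# Constructed sample segments: (seq, payload length, flags)
SAMPLE = [
    (0xFFFFFF00, 256, ""),  # in order, ends exactly at the 32-bit wrap
    (0x00000000, 100, ""),  # in order, after the wrap
    (0x00000400, 0, "R"),   # RST well outside the window
    (0x00000064, 0, "F"),   # FIN at the expected sequence number
]

if __name__ == "__main__":
    for policy in ("drop", "bypass"):
        print(policy, classify(policy, SAMPLE))
```

Only the out-of-window RST gets a different verdict between the two policies, which is why relaxing the check matters mainly on asymmetric paths where the firewall sees one direction of the flow.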