Does vwire mode still send TCP reset after drop packet ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Does vwire mode still send TCP reset after drop packet ?

L2 Linker

I can see the traffic status show "reset-server" but I can not receive RST packet for this session on the server.

So I have a question, does  vwire mode still send  TCP reset after drop packet ?

Thank you.

1 accepted solution

Accepted Solutions

Hello Neilwu,

You are correct, It should send a TCP RST packet while droping the connection in V-Wire mode too. 

Could you please set below mentioned parameter in that profile and take capture at both server and client.

DEFAULT ACTION : Reset-both

DIRECTION- Client-to-Server

AFFECTED SYSTEM: Cliend and server

Thanks

View solution in original post

4 REPLIES 4

L7 Applicator

Hello Sir,

PAN firewall will not send a TCP RST packet after dropping a packet,( it will be silently drop).

FYI...

Currently, we can configure our security policy to allow or deny packets only. We do not have a third option called "Reject", when selected can send a TCP Reset, ICMP Destination Unreachable and so on. There is a feature request already submitted for the same,

Feature Request: reject action support in security rule

Request details: "Reject" action support in security policy rule setting so that PAN device would send TCP-Reset when rejecting session.

FR ID: 408

Thanks

Hi Hulk,

Thanks for your description.

But In Vulnerability Profile Actions, It's have this option.

2014-04-21 17 00 53.png

so if I use vwire mode and set the Vulnerability Profile Actions to be reset-server, does it can still send RST ?

(In my LAB I don't receive the RST on my server)

Hello Neilwu,

You are correct, It should send a TCP RST packet while droping the connection in V-Wire mode too. 

Could you please set below mentioned parameter in that profile and take capture at both server and client.

DEFAULT ACTION : Reset-both

DIRECTION- Client-to-Server

AFFECTED SYSTEM: Cliend and server

Thanks

L4 Transporter

If you are blocking an application, about 25% of the applications send a TCP RST. Unfortunately this list is not published.

If you suspect the Paloalto is sending the TCP reset, use this command to verify.

admin@PA-200>

admin@PA-200> show counter global | match RST

flow_action_close                       7971        0 drop      flow      pktproc   TCP sessions closed via injecting RST

flow_action_reset                        239        0 drop      flow      pktproc   TCP clients reset via responding RST

admin@PA-200>

Since the VWIRE is supposed to be transparent, when the PAN sends the RESET it spoofs the MAC address instead of using a PAN MAC address. The RST will apear to come from one of the next hop gateways. Whatever MAC address is used by the conversation and does not belong to the end point being reset.

  • 1 accepted solution
  • 4384 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!