This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

drop-reset application list

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

drop-reset application list

Duplem
L2 Linker

‎05-23-2012 07:40 AM

Hello,

I found this explanation about TCP REJECT today :

"The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.

For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.

For  client-server apps that are based on http (or other protocols that we  have decoders for), we generally use drop-reset if the app is considered  harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards."

Where could I get information about drop-reset implementation on apps ? Could this information be added on applipedia ?

If this information is not available for customers, could you tell me which action is choosed for skype app ? You can contact me by email if necessary.

Best Regards,

Emmanuel

0 Likes Likes
4 REPLIES 4

rmonvon
L6 Presenter

‎05-25-2012 08:01 AM

Hi...Since skype is not a browser-based app, the deny action would be a drop action.  You can confirm by blocking skype and performing a packet capture of the traffic.  Thanks.

0 Likes Likes

Duplem
L2 Linker
In response to rmonvon

‎05-25-2012 08:16 AM

Thank you for this answer.

This is a problem because Skype opens many TCP connections which then remain in the INIT state. As MS Windows allows only limited number of simultaneous connections, all other connection attempts are slowed and users are complaining.

Please could you confirm that the deny action is a drop and not a drop-reset ?

In this case we will need to find a workaround, and this will generate delay and additional cost for us.

As already said by many users, we would appreciate to have the opportunity to choose the action by ourselves !

Best Regards

0 Likes Likes

rmonvon
L6 Presenter
In response to Duplem

‎05-25-2012 08:21 AM

The users can't use skype since you're blocking skype anyway.  Even with drop-reset, skype will retry and open new connections again.  Can they signed out of skype then skype won't take up the computer's resource.  Thanks.

0 Likes Likes

Duplem
L2 Linker
In response to rmonvon

‎06-27-2012 06:49 AM

It seems you didn't understood the problem. Better say me that if I don't want skype on my network, skype should not be installed on computers... Easy to say, no  ?

In addition, you didn't answer all questions :

Where could I get information about drop-reset implementation on apps ? Could this information be added on applipedia ?

Last but not least, we need to be able to choose the type of deny action, but this is another topic.

0 Likes Likes
  • 4686 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks