This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to REJECT instead of DROP?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to REJECT instead of DROP?

Go to solution
Priyan
Not applicable

‎07-06-2010 07:58 AM

Try as I might, I cannot find a way to do the equivalent of the venerable iptables target REJECT --with-icmp-ureachable or --with-tcp-reset for basic firewalling on a 4020.


This is handy for bouncing internal clients quickly, whereas DROP is better to make things slower for adversaries who are scanning our nets from outside.

For example. If I want to prevent smtp/ntp/dns attempts for our internal clients, thus forcing them through the relevant internal services, I don't expect them to have to wait for a timeout, when a simple reject rule can speed things along for them.

It seems the two targets available for basic layer 3 firewalling are simply allow, or drop. Why no reject?

I hope someone knows how. If this is the wrong forum I apologise, but I expect this is a missing feature. I feel it's quite a basic essential.

1 accepted solution

Accepted Solutions

Go to solution
SRA
L4 Transporter

‎07-13-2010 01:16 PM

Priyan -

The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.

For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.

For client-server apps that are based on http (or other protocols that we have decoders for), we generally use drop-reset if the app is considered harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards.

Srinivas

View solution in original post

11 REPLIES 11

Go to solution
SRA
L4 Transporter

‎07-13-2010 01:16 PM

Priyan -

The deny action used in a security policy will either ‘drop’ or ‘drop-reset’ based on the app being used in the policy.

For most browser-based apps, it is drop-reset - this prevents the browser from spinning while retrying.

For client-server apps that are based on http (or other protocols that we have decoders for), we generally use drop-reset if the app is considered harmless. We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards.

Srinivas

Go to solution
lardsa
Not applicable
In response to SRA

‎07-13-2011 01:27 AM

Hello,

any news on this topic ? I would to see this implemented, I have some special conditions where it would help.

Regards

0 Likes Likes

Go to solution
dlassalle
Not applicable

‎02-07-2012 11:51 AM

I would also like the ability to select the type of drop manually.

0 Likes Likes

Go to solution
uniovi
L0 Member

‎03-19-2012 12:32 AM

We'd also like to select the type of deny. In some cases, we need to explicitity send RESET instead simply DROP the packet.

0 Likes Likes

Go to solution
mikand
L6 Presenter
In response to uniovi

‎03-19-2012 12:51 AM

I would also like to place myself in this feature-line regarding ability to (per security rule) define if the traffic should be denied (drop) or rejected (drop-reset). Perhaps it could be called just "deny" vs "deny-rst" in the gui.

Would also be nice to be able to define if icmp-unreachable should be sent or not.

Go to solution
Duplem
L2 Linker
In response to mikand

‎06-27-2012 06:50 AM

I also need the ability to select the type of drop manually.

"We don't currently support icmp-host-unreachable for udp/icmp but it is on the cards."

Any news about this feature ?

Go to solution
pawel_stankiewicz
Not applicable
In response to Duplem

‎07-09-2012 05:42 AM

The same here...

It is disastrous how much time I've spend on debugging timeouts...

tcp-reject from internal net to external/between zones is a must !

Best regards,

Pawel

0 Likes Likes

Go to solution
garryshtern
Not applicable
In response to pawel_stankiewicz

‎07-30-2012 12:07 PM

I second this.  This is a huge oversight on part of Palo Alto.  One neat feature of ScreenOS is the ability to specify RST on a per-zone basis...

0 Likes Likes

Go to solution
Kevin.lane
L0 Member
In response to SRA

‎01-23-2014 04:26 PM

You mention that there is work in progress to provide further options for reject. I didn't see anything specific mentioned in the 6.0 release notes. Can you tell me whether there have been any improvements upon this?  We also require the ability to set a specific reject for a particular policy.  We'd like to let some things remain drop, but for specific subnets that we still want to block, we'd like to do a reject.

0 Likes Likes

Go to solution
Anon1
L4 Transporter

‎01-24-2014 10:10 AM

What happens when the drop rule has both application and service set to "any"? Drop or reject?

0 Likes Likes

Go to solution
vchanal
L1 Bithead
In response to Anon1

‎08-06-2014 02:02 AM

Hello,

Any news about this topic?

  • 1 accepted solution
  • 15560 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks