10-01-2015 09:12 AM
Hello Community,
I need your help to how to identify the asymetric routing in my PA-3020? and what are the best way to allow or bypass these traffic until solve the routing issue the third party device?.
Best Regards
Andres Padilla
10-01-2015 09:57 AM
Depending on what assimetric routing the firewall is seeing, the most agressive/global is
set session tcp-reject-non-syn no
You can also add a a Zone protection profile in this one select "packet based attack protection", uncheck mismatched overlapping TCP segment, reject non-syn tcp: no, asymetric path: bypass. And attach it to the zone where the assimetric traffic is arriving.
regards,
Gerardo
10-01-2015 09:57 AM
Depending on what assimetric routing the firewall is seeing, the most agressive/global is
set session tcp-reject-non-syn no
You can also add a a Zone protection profile in this one select "packet based attack protection", uncheck mismatched overlapping TCP segment, reject non-syn tcp: no, asymetric path: bypass. And attach it to the zone where the assimetric traffic is arriving.
regards,
Gerardo
10-01-2015 10:10 AM
I set up a protection zone the following way.
And assinged to untrust zone.
After performed this change I see the
the numer 51303508 not changed.
flow_tcp_non_syn_drop 51303508 0 drop flow session Packets dropped: non-SYN TCP without session match
But this number always increase 51316034.
flow_tcp_non_syn 51316034 4 info flow session Non-SYN TCP packets without session match
10-01-2015 03:37 PM
To identify the asymmetric routing issue one of the possible way is to do a ping from a host and then check if the s2c byte are 0 or not if the s2c are 0 and ping is sucessful then reply is not comint through firewall
Refer to following document for non syn packets
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Set-the-Palo-Alto-Networks-Firewa...
10-02-2015 12:11 AM - edited 10-02-2015 12:12 AM
the numer 51303508 not changed.
flow_tcp_non_syn_drop 51303508 0 drop flow session Packets dropped: non-SYN TCP without session match
But this number always increase 51316034.
flow_tcp_non_syn 51316034 4 info flow session Non-SYN TCP packets without session match
That means you are no longer dropping asymmetric TCP sessions, but there are still such sessions happening. Now you have to resolve your routing and when both counters stop increasing you know you don't have any asymmetric routing any longer. Then start dropping non-SYN sessions again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
