Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
Hi All Experts,
Looking for advice here. Want to block non-syn-tcp packets. Global settings are:
> show session info | match non-SYN
TCP - reject non-SYN first packet: True
Zone protection profile in place:
But still Allow in the traffic logs. Is it normal? If yes, why? One more question. When configuring a zone protection profile reject Non-SYN TCP option is set to global, doest it means that profile will inherit global settings?
P.S PA-3050 PAN-OS 7.1.7
Thx,
Myky
Hi Reaper,
Thanks!
This stuff is not the best of my side:-) So if policy allows the traffic based on 5 criteria you mentioned earlier why the logs suggest the different (still confused). And is it actually normal to see these logs and is there a way to disable these logs (but leave good logs on)? Doest that mean that the traffic Non-SYN TCP traffic is hitting the destination or not?
On second point l understood if l choice allow Non-SYN TCP, the non-syn-tcp traffic will be allow regardless of the global config, right?
From the CLI l can see traffic dropped:
l think it is normal behaviour as it makes sense now. Reading the KB article Palo Alto Networks firewall will, by default, reject the first packet that does not have the SYN flag turned on as a security measure. Normal TCP connections start with a 3-way handshake, which means if the first packet seen by the firewall is not the SYN packet, it is likely not a valid packet and discards it.
So for the new session first packet must be SYN:
If the first packet other than non-SYN flag — such as ACK, URG, RST, FIN:
and there is no existing session PA will drop the packet. If the session exists it will allow.
A bit strange still that it is appearing in the logs for the already existing session (will confirm on Monday the session details)
Found a bit better explanation on Juniper website:
Forgive me 🙂
