RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)

L1 Bithead

Hi Experts,

 

I'm right now dealing with a situation where occasionally I need to reset NFS sessions within an HA A/A PA 5220 cluster (see also https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-conn...).

 

More generally, how can I configure the Palo Alto Firewall to RST (instead of dropping, as I figured out based on several packet capture analysis) PSH.ACK TCP segments for TCP sessions for given applications (like NFS - where apparently there's no configured / configurable deny action at application level - see next point) flowing across the firewall and "belonging" to former TCP sessions which are no longer existing within the Firewall Session Table (due to the fact that, for example, and admin manually cleared those sessions) ?

Do I need to perform this at Policy level ? Can this be configured at Platform wide level ?

 

And another question:

 

I recently read this post:

 

https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811

 

which provided me with useful insights as to how the Palo Alto Firewall resets / drops application traffic - however for the NFS application case that I'm focusing on right now I do not see the possibility to configure any "deny action":

 

CarloTaddei_0-1602397214713.pngnfs.PNG

 

I've also checked the "depends on" and "implicitly uses" applications (portmapper and rpc for the nfs case) - none of them offers the possiblity to configure a "deny action". 

 

Thanks for the clarification

 

 

1 REPLY 1

Cyber Elite
Cyber Elite

the deny action is not configured in the application, but is set in the policy. some applications have a deny action which is the default action the firewall will take if you set the security policy to 'deny' instead of drop

if you want more control over the deny action, you need to set hte security rule to reset client/server/both, and/or enable 'send ICMP unreachable'

 

these actions, however, will only apply to 'new' sessions if they get discarded by security policy. any sessions that are interrupted halfway through by an admin clearing the session will see followup packets discarded as 'illegal' packets (non-syn tcp etc) which is part of TCP protection and no longer security policy decissions. these types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet based attacks

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3468 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!