This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)

CarloTaddei
L1 Bithead

‎10-10-2020 11:35 PM

Hi Experts,

 

I'm right now dealing with a situation where occasionally I need to reset NFS sessions within an HA A/A PA 5220 cluster (see also https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-conn...).

 

More generally, how can I configure the Palo Alto Firewall to RST (instead of dropping, as I figured out based on several packet capture analysis) PSH.ACK TCP segments for TCP sessions for given applications (like NFS - where apparently there's no configured / configurable deny action at application level - see next point) flowing across the firewall and "belonging" to former TCP sessions which are no longer existing within the Firewall Session Table (due to the fact that, for example, and admin manually cleared those sessions) ?

Do I need to perform this at Policy level ? Can this be configured at Platform wide level ?

 

And another question:

 

I recently read this post:

 

https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811

 

which provided me with useful insights as to how the Palo Alto Firewall resets / drops application traffic - however for the NFS application case that I'm focusing on right now I do not see the possibility to configure any "deny action":

 

CarloTaddei_0-1602397214713.pngnfs.PNG

 

I've also checked the "depends on" and "implicitly uses" applications (portmapper and rpc for the nfs case) - none of them offers the possiblity to configure a "deny action". 

 

Thanks for the clarification

 

 

0 Likes Likes
1 REPLY 1

reaper
Cyber Elite
Cyber Elite

‎10-12-2020 02:06 AM - edited ‎10-12-2020 02:07 AM

the deny action is not configured in the application, but is set in the policy. some applications have a deny action which is the default action the firewall will take if you set the security policy to 'deny' instead of drop

if you want more control over the deny action, you need to set hte security rule to reset client/server/both, and/or enable 'send ICMP unreachable'

 

these actions, however, will only apply to 'new' sessions if they get discarded by security policy. any sessions that are interrupted halfway through by an admin clearing the session will see followup packets discarded as 'illegal' packets (non-syn tcp etc) which is part of TCP protection and no longer security policy decissions. these types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet based attacks

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2997 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks