- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-10-2020 11:35 PM
Hi Experts,
I'm right now dealing with a situation where occasionally I need to reset NFS sessions within an HA A/A PA 5220 cluster (see also https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-conn...).
More generally, how can I configure the Palo Alto Firewall to RST (instead of dropping, as I figured out based on several packet capture analysis) PSH.ACK TCP segments for TCP sessions for given applications (like NFS - where apparently there's no configured / configurable deny action at application level - see next point) flowing across the firewall and "belonging" to former TCP sessions which are no longer existing within the Firewall Session Table (due to the fact that, for example, and admin manually cleared those sessions) ?
Do I need to perform this at Policy level ? Can this be configured at Platform wide level ?
And another question:
I recently read this post:
https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811
which provided me with useful insights as to how the Palo Alto Firewall resets / drops application traffic - however for the NFS application case that I'm focusing on right now I do not see the possibility to configure any "deny action":
I've also checked the "depends on" and "implicitly uses" applications (portmapper and rpc for the nfs case) - none of them offers the possiblity to configure a "deny action".
Thanks for the clarification
10-12-2020 02:06 AM - edited 10-12-2020 02:07 AM
the deny action is not configured in the application, but is set in the policy. some applications have a deny action which is the default action the firewall will take if you set the security policy to 'deny' instead of drop
if you want more control over the deny action, you need to set hte security rule to reset client/server/both, and/or enable 'send ICMP unreachable'
these actions, however, will only apply to 'new' sessions if they get discarded by security policy. any sessions that are interrupted halfway through by an admin clearing the session will see followup packets discarded as 'illegal' packets (non-syn tcp etc) which is part of TCP protection and no longer security policy decissions. these types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet based attacks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!