RST First packet isn't a SYN flows (RST Both) + Deny action for NFS (?)

L1 Bithead


Hi Experts,

 

I'm right now dealing with a situation where occasionally I need to reset NFS sessions within an HA A/A PA 5220 cluster (see also https://live.paloaltonetworks.com/t5/general-topics/pan-os-session-table-clearing-gt-no-rst-fin-conn...).

 

More generally, how can I configure the Palo Alto firewall to RST (instead of drop, as I figured out from several packet capture analyses) PSH/ACK TCP segments of TCP sessions for given applications (like NFS, where apparently there is no configured / configurable deny action at application level; see next point) flowing across the firewall and "belonging" to former TCP sessions which no longer exist in the firewall session table (because, for example, an admin manually cleared those sessions)?

Do I need to perform this at policy level? Can this be configured at a platform-wide level?

 

And another question:

 

I recently read this post:

 

https://live.paloaltonetworks.com/t5/blogs/what-a-difference-a-deny-makes/ba-p/188811

 

which provided me with useful insights as to how the Palo Alto firewall resets / drops application traffic; however, for the NFS application case that I'm focusing on right now, I do not see the possibility to configure any "deny action":

 

[Screenshot: nfs.PNG]

 

I've also checked the "depends on" and "implicitly uses" applications (portmapper and rpc for the nfs case); none of them offers the possibility to configure a "deny action".

 

Thanks for the clarification

 

 

L7 Applicator

The deny action is not configured in the application, but is set in the policy. Some applications have a deny action, which is the default action the firewall will take if you set the security policy to 'deny' instead of drop.

If you want more control over the deny action, you need to set the security rule to reset client/server/both, and/or enable 'send ICMP unreachable'.

 

These actions, however, will only apply to 'new' sessions if they get discarded by security policy. Any sessions that are interrupted halfway through by an admin clearing the session will see follow-up packets discarded as 'illegal' packets (non-SYN TCP etc.), which is part of TCP protection and no longer a security policy decision. These types of packets are discarded (instead of RST) to prevent reconnaissance/DDoS/packet-based attacks.

 

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
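The two decision paths described in the reply above (a new session denied by a rule with a reset action, versus a mid-stream non-SYN segment discarded by TCP protection before any rule is evaluated) can be told apart on the firewall itself by watching the global drop counters while the NFS client retransmits. The PAN-OS CLI sequence below is an added example, not part of the original thread or of Palo Alto Networks documentation; the filter values (application nfs, source 10.1.1.10) are assumed placeholders, and the illustrative output is described in comments rather than reproduced.

```text
# 1. Identify the live NFS sessions (filter values are hypothetical).
> show session all filter application nfs source 10.1.1.10

# 2. Clear them, as in the question. The firewall sends no FIN or RST to
#    either endpoint; both hosts still believe the connection is up.
> clear session all filter application nfs source 10.1.1.10

# 3. Take a baseline of the delta counters, wait for the client to
#    retransmit its PSH/ACK, then read the delta again.
> show counter global filter delta yes severity drop
# ... wait a few seconds for the NFS client to retransmit ...
> show counter global filter delta yes severity drop | match non_syn
# Expect flow_tcp_non_syn_drop to increase: "Packets dropped: non-SYN TCP
# without session match". These segments never reach security policy, so
# no reset-client/server/both or ICMP-unreachable action can apply to them.

# 4. For comparison, open a brand-new NFS connection that matches a rule
#    whose action is reset-both, and look at the policy counter instead.
> show counter global filter delta yes severity drop | match policy_deny
# Expect flow_policy_deny to increase: "Session denied by policy". This is
# the path on which the rule's reset action is honoured.

# 5. The only global knob that touches step 3 (default shown is the secure one).
> show session info | match non-SYN
# Look for "Session setup for TCP non-SYN : False".
# Switching it on (configure; set deviceconfig setting session
# tcp-reject-non-syn no; commit) makes the firewall build a session from a
# mid-stream packet instead of dropping it. It still never answers with a
# RST, and it removes the non-SYN protection mentioned above, so keep the
# default unless asymmetric routing forces your hand.
```

In practice this means the clean way to tear down an NFS session with notification to both ends is to avoid clearing it out from under the hosts in the first place: let a security rule with a reset action catch the next new session, or reset the connection from the client or server side, rather than expecting the firewall to generate RSTs for packets it no longer has state for.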