07-12-2013 04:21 AM
Hi,
Is it possible to use a Palo Alto firewall so that it does not keep sessions and works like a non-stateful access control device?
Thanks.
07-12-2013 06:33 AM
Hi
We don't have the feature to turn off stateful inspection, and all traffic would always be subjected to stateful inspection.
BR,
Karthik RP
07-12-2013 07:56 AM
Although we cannot disable stateful inspection, we can instruct the PA to ignore state via disabling 'Reject Non-SYN TCP'. The PA can ignore session state per zone via configuration under Network tab ==> Zone Protection ==> Packet Based Attack Protection ==> TCP/IP Drop, and setting 'Reject Non-SYN TCP' to no.
To ignore session state globally for the entire PA, you can use the CLI and issue the commands as described here:
Thanks.
07-12-2013 08:55 AM
Hi rmonvon,
This would work only for TCP sessions. UDP and protocols without port numbers (ICMP, OSPF, PIM, ESP, etc.), however, will still have sessions established for them.
BR,
Karthik RP
07-12-2013 09:00 AM
I was wondering what to do when the session limit is reached. That is why I asked.
07-12-2013 09:05 AM
When the session limit is reached, the PA will not allow the excess sessions to pass through. Thanks.