11-15-2021 09:44 AM
Hello Everyone,
I have TCP reset packets being dropped in the Palo when they are sent from tcp-rst-from-server or tcp-rst-from-client. I've taken a pcap to verify the traffic is being dropped. I've put in a ticket with support and their solution was to change the TCP Drop configuration in Zone Protection Profile to not reject Non-SYN TCP. I tested that change and had TCP rest packets were still being dropped, verified with another pcap.
I've reviewed the traffic in the monitor log and I can see traffic with tcp-rst-from-server and tcp-rst-from-client both having actions as allow.
I am at a loss as to what else to check or change. If someone has a potential solution, please let me know.
Thanks
11-15-2021 10:32 AM
Hello,
What does it say at the "Log Subtype" column header?
This sometimes tells a better story. Also clicking on the magnifying glass to expand the session traffic helps as well.
Hope that helps.
11-15-2021 12:12 PM
Hi,
The 'Log Subtype' says 'end'. When I review the detailed log view, everything looks similar to other traffic.
11-15-2021 12:37 PM
Hello,
I forgot to ask which logs you are looking at. I typically look at the Unified logs rather than the Traffic logs. The unified logs have the traffic, URL, and Threat logs rolled into it. Makes it easier to correlate traffic data. Also check the session flow data, CLI only, to see if it reveals anything significant.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
