Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Zone Protection - Reject Non-SYN TCP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Zone Protection - Reject Non-SYN TCP

Not applicable

Hi everyone!

I've configured a zone protection profile with SYN Flood protection and SYN Cookies enabled. In the same profile I've set the option "Reject Non-SYN TCP" to "no". I've applied this profile to my untrust zone and run a commit.

When I run the CLI command show session info i noticed that under session setup TCP - reject non-SYN first packet is set to True. Why is there a mismatch between the GUI and the CLI, and which one can I trust (I usually trust the CLI)?

Exerpt from CLI command show session info:

--------------------------------------------------------------------------------

Session setup

  TCP - reject non-SYN first packet:             True

  Hardware session offloading:                   True

  IPv6 firewalling:                              False

--------------------------------------------------------------------------------

Regards

Sturla

1 accepted solution

Accepted Solutions

L6 Presenter

Export the running-config.xml and verify it there.

network profiles -> zone-protection-profile can contain:

tcp-reject-non-syn {global | no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

global — Use global setting

no — Accept non-SYN TCP

yes — Reject non-SYN TCP

The global setting is found in deviceconfig -> session:

tcp-reject-non-syn {no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

and is handled by the "set session" command (if you are in CLI).

My guess is that "show session info" will display the global value and not your custom zone-specific setting.

View solution in original post

5 REPLIES 5

L6 Presenter

Export the running-config.xml and verify it there.

network profiles -> zone-protection-profile can contain:

tcp-reject-non-syn {global | no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

global — Use global setting

no — Accept non-SYN TCP

yes — Reject non-SYN TCP

The global setting is found in deviceconfig -> session:

tcp-reject-non-syn {no | yes}

+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup

and is handled by the "set session" command (if you are in CLI).

My guess is that "show session info" will display the global value and not your custom zone-specific setting.

If global setting is set to reject non syn packets and zone setting is set to allow non syn packets then which setting comes into effect ?

I hope that PA uses "best match" which would mean that zone setting overrules the global setting (which I guess is confirmed by the zone protection who has not only yes/no but also global as a valid setting).

In your case that non syn packets are allowed when they arrive at the specific zone.

Thank you for your answer!

I was not aware of a global setting for this. Where is the global setting for this located in the GUI? I'm not able to find it.

/S

Seems like it isnt available through GUI, according to admin guide 4.1 (looking at zone protection settings):

Global—Use system-wide setting that is assigned through the CLI.

  • 1 accepted solution
  • 5877 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!