06-26-2012 11:27 PM
Hi everyone!
I've configured a zone protection profile with SYN Flood protection and SYN Cookies enabled. In the same profile I've set the option "Reject Non-SYN TCP" to "no". I've applied this profile to my untrust zone and run a commit.
When I run the CLI command show session info I noticed that under session setup TCP - reject non-SYN first packet is set to True. Why is there a mismatch between the GUI and the CLI, and which one can I trust (I usually trust the CLI)?
Excerpt from CLI command show session info:
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
IPv6 firewalling: False
--------------------------------------------------------------------------------
Regards
Sturla
06-26-2012 11:42 PM
Export the running-config.xml and verify it there.
network profiles -> zone-protection-profile can contain:
tcp-reject-non-syn {global | no | yes}
+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup
global — Use global setting
no — Accept non-SYN TCP
yes — Reject non-SYN TCP
The global setting is found in deviceconfig -> session:
tcp-reject-non-syn {no | yes}
+ tcp-reject-non-syn — Reject non-SYN TCP packet for session setup
and is handled by the "set session" command (if you are in CLI).
My guess is that "show session info" will display the global value and not your custom zone-specific setting.
06-26-2012 11:49 PM
If the global setting is set to reject non-SYN packets and the zone setting is set to allow non-SYN packets, then which setting comes into effect?
06-27-2012 12:24 AM
I hope that PA uses "best match", which would mean that the zone setting overrules the global setting (which I guess is confirmed by the zone protection profile having not only yes/no but also global as a valid setting).
In your case that means non-SYN packets are allowed when they arrive at the specific zone.
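The two replies above describe a two-level setting: the zone protection profile holds tcp-reject-non-syn as yes/no/global, and "global" defers to the value under deviceconfig -> session in the exported running-config.xml. The following is an added audit script (not from the thread or from Palo Alto Networks) that resolves the effective per-zone value using exactly that precedence, so the reader can verify the export rather than relying on what show session info reports. The XML layout, the zone-to-profile mapping and the treatment of a missing global element as "yes" are all constructed assumptions for the example, not a verbatim PAN-OS schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample running-config.xml fragment. The element layout is a
# simplification modelled on the thread's description (zone-protection-profile
# under network/profiles, global setting under deviceconfig/session); it is
# NOT a verbatim PAN-OS export.
SAMPLE_CONFIG = """<config>
  <deviceconfig>
    <session>
      <tcp-reject-non-syn>yes</tcp-reject-non-syn>
    </session>
  </deviceconfig>
  <network>
    <profiles>
      <zone-protection-profile>
        <entry name="untrust-zpp">
          <tcp-reject-non-syn>no</tcp-reject-non-syn>
        </entry>
        <entry name="dmz-zpp">
          <tcp-reject-non-syn>global</tcp-reject-non-syn>
        </entry>
        <entry name="lan-zpp"/>
      </zone-protection-profile>
    </profiles>
  </network>
</config>"""

# Constructed (hypothetical) zone -> zone-protection-profile assignment.
# In a real export this lives under the zone entries; None = no profile applied.
ZONE_PROFILES = {
    "untrust": "untrust-zpp",
    "dmz": "dmz-zpp",
    "lan": "lan-zpp",
    "guest": None,
}

VALID_PROFILE_VALUES = {"yes", "no", "global"}


def global_reject_non_syn(root):
    """Return the device-wide tcp-reject-non-syn value ('yes' or 'no').

    Assumption for this example: if the element is absent, the device behaves
    as 'yes' (the value the original poster saw reported as True)."""
    node = root.find("./deviceconfig/session/tcp-reject-non-syn")
    if node is None or not (node.text or "").strip():
        return "yes"
    value = node.text.strip()
    if value not in {"yes", "no"}:
        raise ValueError(f"unexpected global tcp-reject-non-syn value {value!r}")
    return value


def profile_reject_non_syn(root, profile_name):
    """Return the profile's tcp-reject-non-syn value ('yes', 'no' or 'global').

    Assumption: an entry without the element is treated as 'global'."""
    entry = root.find(
        f"./network/profiles/zone-protection-profile/entry[@name='{profile_name}']"
    )
    if entry is None:
        raise KeyError(f"zone-protection-profile {profile_name!r} not found")
    node = entry.find("tcp-reject-non-syn")
    value = node.text.strip() if node is not None and node.text else "global"
    if value not in VALID_PROFILE_VALUES:
        raise ValueError(f"unexpected profile value {value!r} in {profile_name!r}")
    return value


def effective_reject_non_syn(root, zone, zone_profiles=ZONE_PROFILES):
    """Resolve the effective setting for one zone.

    Precedence as described in the thread: an explicit yes/no in the zone
    protection profile wins; 'global' (or no profile at all) falls back to
    the deviceconfig -> session value."""
    global_value = global_reject_non_syn(root)
    profile = zone_profiles.get(zone)
    result = {"zone": zone, "profile": profile, "global": global_value}
    if profile is None:
        result.update(profile_value=None, effective=global_value == "yes", source="global")
        return result
    profile_value = profile_reject_non_syn(root, profile)
    result["profile_value"] = profile_value
    if profile_value == "global":
        result.update(effective=global_value == "yes", source="global")
    else:
        result.update(effective=profile_value == "yes", source="profile")
    return result


def audit(xml_text, zone_profiles=ZONE_PROFILES):
    """Parse an exported config and resolve every zone in the mapping."""
    root = ET.fromstring(xml_text)
    return {zone: effective_reject_non_syn(root, zone, zone_profiles) for zone in zone_profiles}


if __name__ == "__main__":
    for zone, info in audit(SAMPLE_CONFIG).items():
        print(f"{zone:8s} reject non-SYN = {info['effective']!s:5s} (from {info['source']})")
```

Running it against the constructed sample prints untrust as False (the profile's explicit "no" wins) while dmz, lan and guest resolve to True through the global value, which is the mismatch the original poster describes between the profile and show session info.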
06-27-2012 01:07 AM
Thank you for your answer!
I was not aware of a global setting for this. Where is the global setting for this located in the GUI? I'm not able to find it.
/S
06-27-2012 01:47 AM
Seems like it isn't available through the GUI, according to admin guide 4.1 (looking at zone protection settings):
Global—Use system-wide setting that is assigned through the CLI.