Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Tcp Scan on VPN Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Tcp Scan on VPN Global Protect

L1 Bithead

Dear Team,

 

I have a server with ip 10.206.195.16, on that server port 4410 is not active. But when I try to Tcp Scan to that server with port 4410 using VPN Global Protect the state TcpTestSuccessed is 'True'. When I try to Tcp Scan to that server with port using another VPN (Anyconnect) or with internal network without VPN the state TcpTestSuccessed is 'False'. Why is  VPN Global Protect said the TCP Test 'Success' where the port of that server is not active ?

 

Please help me to solved this or where must be I checked?

 

Thank You

8 REPLIES 8

Hi @Hendrik9 ,

Can you confirm if your Zone associated with GlobalProtect tunnel is configured with Zone-Protection profile?

Is this zone-protection profile using SYN Cookie for TCP flood protection?

Hi Aleksandar,

 

Zone-Protection Profile configuration on here.

Screenshot_363.png

Is that what you mean? Any concern of from the configuration that relate with my issue?

 

Thank You.

Hi @Hendrik9 ,

No. What you have highligthed will drop TCP connection if the SYN-ACK (the respond from destionation to the SYN) is split to two separate packets - SYN and ACK.

 

What I am refering to is under Flood Protection tab (the first from your screenshot). Can you please share screenshot for this?

 

 

Hi Aleksandar,

 

Sorry for the late response.

Here is the screenshot that you want. Is there something wrong ?

Screenshot_364.png

 

Thank You.

Hi @Hendrik9 ,

 

The screenshot confirms that PAN FW is applying SYN-Cookie protection against TCP flood attack. The behaviour you observe is expected when SYN cookie is used (compared to RED - random early drop).

The following link is better than me explaining exactly why - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS&refURL=http%3A%2F%...

 

Since this is for GlobalProtect zone - where you have some layer of protection by authenticating the users first, the probabilty to have TCP flood from that zone is lower (in my personal opinion, attacker will use your VPN to silently infiltrate your organization,not using it for DoS) it should be safe to change from SYN cookie to RED for this particular zone.

 

Hi Aleksandar,

 

Thank you for your help and your information.

When I read the docs when we use RED, it will drop syn packet if there is tcp flood and exceed the threshold limit.

Is this the maximun threshold?

Hendrik9_0-1688455536638.png

Thank You

 

Hi @Hendrik9 ,

Yes, that is correct.

I just noticed that your "Activate" rate is set to 0. To be honest I am still not completely sure what is the difference between Activate and Maximum, but if I understand the docs correctly "Activate" will tell when to start the protection. So in your case FW will perform SYN-Cookie for every new connection, no matter the rate.

 

I would still recommend to change to RED, the docs mentioned another good reason
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/zone-d...

When SYN Cookies
is activated, the firewall does not honor the TCP options that the server sends because it does not know these values at the time that it proxies the SYN/ACK. Therefore, values such as the TCP server’s window size and MSS values cannot be negotiated during the TCP handshake and the firewall will use its own default values. In the scenario where the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet will need to be fragmented.

 

But if you still want to use SYN-Cookie you may try to set activate level little higher than the Alert level and see if your port scan will show open ports.

 

The link above gives suggestion how to select correct rate for flood protection. Pay attention at the note on the bottom of the page. You didn't mentioned what device you are using, but check if it is using multiple dataplane to calculate your rates properly.

Hi Aleksandar,

 

I think I will do like your suggestion, but I want to discuss with my customer first about this action.

Thank You very much for your help and you information. If there is another question about this problem. I will mention you again.

 

Thank You.

  • 2364 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!