cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this solution

Cyber Elite
Cyber Elite

A drop is silent, you simply discard the packet and don't tell anyone about it. This is great for most siatuations as you don't generate more traffic on your network and outsiders who may potentially be scanning you are non the wiser

 

A deny sends a notification to the sender that something happened and their packet was rejected

This could be helpful in providing a 'friendly' user experience as some applications will be able to pop up an error message telling the user their connection was rejected (instead of timing out, causing the user to have to wait and possibly keep trying), and tell applications to stop trying to connect.

 

My inbound rules are all drop while my outbound ones are deny (for rules that only trigger on App-ID, eg. "block ftp", you can also pick from 'reset-client', 'reset-server' and 'reset-both' depending which ones are 'internal' and deserve a notification)

 

I wrote a couple things regarding this, fyi:

https://live.paloaltonetworks.com/t5/Tutorials/Configurable-Deny-Action/ta-p/76613

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-reset-server-reset-client-or-silent-drop...

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

Who Me Too'd this solution