I receive hundreds of TCP SYN with data Threat Alerts from my BYOD zone every day. I was learning more about it and I understood that it is a TCP syn packet with data in its payload. However, as almost all of them seems to come from non-malicious sources, I am not sure if I should worry about it or just consider it as a false positive and tweak my firewall.
Any advice would be much appreciated.
If the firewall detects a TCP packet with data and your Zone Protection profile is set to drop these, then I wouldn't think it is a false positive. It triggers the protection because the firewall sees these.
More information available at:
There is currently no way to inhibit these protections from writing to the Threat Logs, however, if you receive the alerts through a Log Forwarding profile, you can edit the profile so that these are not forwarded out using a Filter in PAN-OS 8.0:
(severity eq informational) and (threatid neq 8723)
Selective Log Forwarding
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!