As far as I've been able to determine, the configuration for the two firewalls (PA-500s) is identical (with different IPs/subnets, obviously), but the way they handle blocked connections is very different. On one firewall, a telnet to a blocked port just hangs until it eventually times out and the connection is dropped. On the other firewall, a telnet to a blocked port connects and waits for input. Once you type something and hit enter, the connection is immediately dropped.

For example, if you telnet to port 80, the first firewall gives the following:

    $ telnet server.somedomain 80
    Trying 1.2.3.4...
    telnet: connect to address 1.2.3.4: Operation timed out
    telnet: Unable to connect to remote host

While a telnet to port 80 on the other firewall gives the following:

    $ telnet server.someotherdomain 80
    Trying 1.2.3.5...
    Connected to server.someotherdomain.
    Escape character is '^]'.
    GET /
    <very long wait for it to timeout at this point>
    Connection closed by foreign host.

The behaviour we want is the former: just hang the connection until it times out, or drop it right away. The issue we're running into is that the provincial body that manages/monitors the Internet links for the schools is doing old-school port scanning of all our firewalls, and some of them are showing "successful connections" for random ports, and sending us security alerts.

My gut instinct is that this has to do with the way application filtering works, where the firewall accepts the first few packets but doesn't forward them through until it's identified the application, then decides whether to allow or block the connection. Which is great, except why is the one firewall acting differently? And how do we get them all to act the same way?

I'm in the process of comparing the rules between the firewalls, but so far, they are the same, in the same order (most were created from a template and are fairly generic) on each firewall.
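The two telnet sessions above differ in a way that a plain port scanner cannot see: one firewall never completes the TCP handshake, the other completes it and only drops the session once application data arrives. The script below is an added example (not from the original post and not a Palo Alto tool) that checks a single host and port from a defender's side and reports which of those behaviours it sees, so the result of the provincial body's scan can be reproduced and compared across firewalls. It assumes nothing about the firewalls themselves; the local "fake servers" it starts for its self-test are constructed stand-ins for the two behaviours and do not model App-ID.

```python
import socket
import threading

# Constructed probe: one harmless request line, like the "GET /" typed in the post.
PROBE = b"GET / HTTP/1.0\r\n\r\n"
DEFAULT_TIMEOUT = 3.0


def classify_port(host, port, timeout=DEFAULT_TIMEOUT, probe=PROBE):
    """Connect to host:port, send one probe line, and classify what happens.

    Returns one of:
      "timed_out"             - handshake never completes (first firewall in the post)
      "refused"               - RST on SYN, i.e. an honest closed port
      "unreachable"           - other OS-level error (no route, ICMP unreachable, ...)
      "connected_then_closed" - handshake completes, peer closes as soon as data arrives
      "connected_no_reply"    - handshake completes, peer sits silent past the timeout
                                (second firewall in the post, when its hold exceeds `timeout`)
      "responded"             - a real service answered the probe
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timed_out"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(probe)
            data = sock.recv(1024)
        except (ConnectionResetError, BrokenPipeError):
            return "connected_then_closed"   # RST after our data
        except socket.timeout:
            return "connected_no_reply"
        if data == b"":
            return "connected_then_closed"   # clean FIN after our data
        return "responded"


def start_fake_server(mode):
    """Constructed local stand-in for one behaviour, on an ephemeral 127.0.0.1 port.

    mode="drop_on_data": accept the handshake, read one chunk, close (drop-after-data).
    mode="respond":      accept, read, answer like a minimal HTTP server.
    Returns the port number; the listener serves exactly one connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.recv(1024)
            if mode == "respond":
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Pick a 127.0.0.1 port with nothing listening, to show the 'refused' case."""
    probe_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe_sock.bind(("127.0.0.1", 0))
    port = probe_sock.getsockname()[1]
    probe_sock.close()
    return port


if __name__ == "__main__":
    # Self-test against the constructed local listeners; replace host/port with
    # one of your own firewall-fronted addresses to compare real behaviour.
    for label, port in [
        ("drop-after-data listener", start_fake_server("drop_on_data")),
        ("real service", start_fake_server("respond")),
        ("closed port", closed_local_port()),
    ]:
        print(f"{label:26s} -> {classify_port('127.0.0.1', port)}")
```

Run it against the same port on both firewalls and compare the labels: a "timed_out" on one and "connected_no_reply" or "connected_then_closed" on the other is exactly the difference the two telnet sessions show, and it is the second group that a handshake-only scanner reports as open.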