Tcp Scan on VPN Global Protect

Hi Aleksandar,

Zone-Protection Profile configuration on here.

Is that what you mean? Any concern of from the configuration that relate with my issue?

Thank You.

Hi @Hendrik9 ,

No. What you have highligthed will drop TCP connection if the SYN-ACK (the respond from destionation to the SYN) is split to two separate packets - SYN and ACK.

What I am refering to is under Flood Protection tab (the first from your screenshot). Can you please share screenshot for this?

Hi Aleksandar,

Sorry for the late response.

Here is the screenshot that you want. Is there something wrong ?

Thank You.

Hi @Hendrik9 ,

The screenshot confirms that PAN FW is applying SYN-Cookie protection against TCP flood attack. The behaviour you observe is expected when SYN cookie is used (compared to RED - random early drop).

The following link is better than me explaining exactly why - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS&refURL=http%3A%2F%...

Since this is for GlobalProtect zone - where you have some layer of protection by authenticating the users first, the probabilty to have TCP flood from that zone is lower (in my personal opinion, attacker will use your VPN to silently infiltrate your organization,not using it for DoS) it should be safe to change from SYN cookie to RED for this particular zone.

Hi Aleksandar,

Thank you for your help and your information.

When I read the docs when we use RED, it will drop syn packet if there is tcp flood and exceed the threshold limit.

Is this the maximun threshold?

Thank You

Hi @Hendrik9 ,

Yes, that is correct.

I just noticed that your "Activate" rate is set to 0. To be honest I am still not completely sure what is the difference between Activate and Maximum, but if I understand the docs correctly "Activate" will tell when to start the protection. So in your case FW will perform SYN-Cookie for every new connection, no matter the rate.

I would still recommend to change to RED, the docs mentioned another good reason
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/zone-d...

When SYN Cookies
is activated, the firewall does not honor the TCP options that the server sends because it does not know these values at the time that it proxies the SYN/ACK. Therefore, values such as the TCP server’s window size and MSS values cannot be negotiated during the TCP handshake and the firewall will use its own default values. In the scenario where the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet will need to be fragmented.

But if you still want to use SYN-Cookie you may try to set activate level little higher than the Alert level and see if your port scan will show open ports.

The link above gives suggestion how to select correct rate for flood protection. Pay attention at the note on the bottom of the page. You didn't mentioned what device you are using, but check if it is using multiple dataplane to calculate your rates properly.

Hi Aleksandar,

I think I will do like your suggestion, but I want to discuss with my customer first about this action.

Thank You very much for your help and you information. If there is another question about this problem. I will mention you again.

Thank You.