Today, while doing a lot of testing of my trace handling code as well as in preparation for the upcoming Sharkfest 2013, I got a trace sample from Landi that he wanted me to take a look at because he wondered about some SSL decoding stuff.
It can be initiated unidirectionally and applied to the Destination Zone only, or bidirectionally and applied to both Zones.Update: since Wireshark version 1.12 is out, lots of people look for the meaning of “tcp spurious retransmission” info message, so I changed the post a little to make it easier to find what you’re looking for. Apply the Zone protection profile to one zone or both, depending on if asymmetric traffic is required. Note: If traffic spans two Security Zones, the Zone Protection Profile keys the Destination zone. Go to the destination Zone in question, and assign the Zone Protection Profile.Go to the Packet Based Attack Protection tab and, on the pulldown menu, select the following:.Go to Network > Zone Protection Profile.Session with asymmetric path : drop packetĪlternatively, users can narrow down bypass asymmetric routing just for traffic going to a specific destination Zone by creating a Zone Protection Profile.
> show running tcp state | match asymmetric Use the following command to check the current action on asymmetric traffic: # delete deviceconfig setting tcp asymmetric-path The changes can be reverted back with the following: # set deviceconfig setting tcp asymmetric-path bypass Use the following command to configure the firewall to bypass asymmetric routing globally. Captures show it is receiving a SYN packet and an ACK packet, but never receives a SYN ACK: For more information on packet captures, see: Using Packet Filtering through GUI with PAN-OS 4.1Īs shown below, in the counters see that the packets are getting dropped due to TCP reassembly.
In order to confirm, run packet captures and check the global counter. The firewall will drop the packets because of a failure in the TCP reassembly. For example, if a SYN packet goes through the Palo Alto Networks firewall, but SYN-ACK never goes through the firewall and the firewall receives an ACK. This will normally happen if there is asymmetric routing in the network. Packets are getting dropped due to TCP reassembly.
0 kommentar(er)
