>
    Strata Copilot
    Prevent TCP Split Handshake Session Establishment
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Session Settings and Timeouts
    4. Prevent TCP Split Handshake Session Establishment
    Download PDF
    Next-Generation Firewall

    Prevent TCP Split Handshake Session Establishment

    Table of Contents

    Prevent TCP Split Handshake Session Establishment

    Enforce a standard three-way handshake to establish TCP sessions.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.
    1. Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
      1. Select NetworkNetwork ProfilesZone Protection and Add a new profile (or select an existing profile).
      2. If creating a new profile, enter a Name for the profile and an optional Description.
      3. Select Packet Based Attack ProtectionTCP Drop and select Split Handshake.
      4. Click OK.
    2. Apply the profile to one or more security zones.
      1. Select NetworkZones and select the zone where you want to assign the zone protection profile.
      2. In the Zone window, from the Zone Protection Profile list, select the profile you configured in the previous step.
        Alternatively, you could start creating a new profile here by clicking Zone Protection Profile, in which case you would continue accordingly.
      3. Click OK.
      4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.
    3. Commit your changes.
      Click OK and Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.