Prevent TCP Split Handshake Session Establishment
You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.
- Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
  1. Select Network > Network Profiles > Zone Protection and Add a new profile (or select an existing profile).
  2. If creating a new profile, enter a Name for the profile and an optional Description.
  3. Select Packet Based Attack Protection > TCP Drop and select Split Handshake.
  4. Click OK.
- Apply the profile to one or more security zones.
  1. Select Network > Zones and select the zone where you want to assign the zone protection profile.
  2. In the Zone window, from the Zone Protection Profile list, select the profile you configured in the previous step. Alternatively, you could start creating a new profile here by clicking Zone Protection Profile, in which case you would continue accordingly.
  3. Click OK.
  4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.
- Commit your changes.
  Click OK and Commit.
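
The rule this option enforces, that a session is established only by the standard three-way handshake, can be expressed as a checker over the opening segments of a flow. This is an added example, not Palo Alto Networks code and not a description of how PAN-OS implements the check; the `Seg` layout, the function name, and the sample sequences are assumptions constructed for illustration, and the input is assumed to be one flow's opening segments in order with no retransmissions.

```python
from typing import NamedTuple

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class Seg(NamedTuple):
    """One observed TCP segment (hypothetical layout for this example)."""
    src: str    # "c" = session initiator, "s" = responder
    flags: str  # "S" = SYN, "A" = ACK, "SA" = SYN and ACK together
    seq: int
    ack: int

def classify_handshake(segs):
    """Return 'three-way' only for SYN -> SYN/ACK -> ACK with consistent
    sequence numbers; any other opening is 'non-standard'."""
    if len(segs) < 3:
        return "incomplete"
    syn, synack, ack = segs[0], segs[1], segs[2]
    # Segment 1: the initiator sends a bare SYN.
    if syn.src != "c" or set(syn.flags) != {"S"}:
        return "non-standard"
    # Segment 2: the responder must set SYN and ACK in the same segment and
    # acknowledge the initiator's ISN + 1. A bare SYN or a bare ACK here
    # means the handshake has been split across extra segments.
    if synack.src != "s" or set(synack.flags) != {"S", "A"}:
        return "non-standard"
    if synack.ack != (syn.seq + 1) % MOD:
        return "non-standard"
    # Segment 3: the initiator acknowledges the responder's ISN + 1.
    if ack.src != "c" or set(ack.flags) != {"A"}:
        return "non-standard"
    if ack.seq != (syn.seq + 1) % MOD or ack.ack != (synack.seq + 1) % MOD:
        return "non-standard"
    return "three-way"

# Constructed sample flows (sequence numbers are arbitrary).
STANDARD = [Seg("c", "S", 1000, 0), Seg("s", "SA", 5000, 1001),
            Seg("c", "A", 1001, 5001)]
# Responder answers with a bare SYN; the initiator then sends the SYN/ACK.
FOUR_SEGMENT = [Seg("c", "S", 1000, 0), Seg("s", "S", 5000, 0),
                Seg("c", "SA", 1000, 5001), Seg("s", "A", 5001, 1001)]
# Responder sends ACK and SYN as two separate segments.
FIVE_SEGMENT = [Seg("c", "S", 1000, 0), Seg("s", "A", 0, 1001),
                Seg("s", "S", 5000, 0), Seg("c", "SA", 1000, 5001),
                Seg("s", "A", 5001, 1001)]

if __name__ == "__main__":
    for name in ("STANDARD", "FOUR_SEGMENT", "FIVE_SEGMENT"):
        print(name, classify_handshake(globals()[name]))
```

Running the same classification over a packet capture taken on either side of the protected zone is one way to confirm, after the commit, that only three-way handshakes result in established sessions.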