The Split Handshake option in
a Zone Protection profile will prevent a TCP session from being
established if the session establishment procedure does not use
the well-known three-way handshake, but instead uses a variation,
such as a four-way or five-way split handshake or a simultaneous
open.
The Palo Alto Networks® next-generation firewall correctly
handles sessions and all Layer 7 processes for split handshake and
simultaneous open session establishment even without the Split
Handshake option enabled. Nevertheless, the Split Handshake
option (which drops TCP split handshakes) is available
for environments that require it. When the Split Handshake option
is configured for a Zone Protection profile and that profile is
applied to a zone, TCP sessions for interfaces in that zone must
be established using the standard three-way handshake; variations
are not allowed.
The Split Handshake option is disabled
by default.
The following illustrates the standard three-way handshake used
to establish a TCP session with a PAN-OS firewall between the initiator
(typically a client) and the listener (typically a server).
The Split Handshake option is configured
for a Zone Protection profile that is assigned to a zone. An interface
that is a member of the zone drops any synchronization (SYN) packets
sent from the server, preventing the following variations of handshakes.
The letter A in the figure indicates the session initiator and B
indicates the listener. Each numbered segment of the handshake has
an arrow indicating the direction of the segment from the sender
to the receiver, and each segment indicates the control bit(s) setting.
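The following is an added illustration, not code from the original page or from PAN-OS: a small simulation of which segments the Split Handshake option discards. The handshake shapes (standard three-way, four-way and five-way split, simultaneous open) are constructed here from the descriptions above, with A as the initiator and B as the listener; the drop rule assumed is "a SYN without ACK from anyone other than the session initiator is dropped".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP control segment; sender is "A" (initiator) or "B" (listener)."""
    sender: str
    syn: bool = False
    ack: bool = False

    @property
    def flags(self) -> str:
        return ("S" if self.syn else "") + ("A" if self.ack else "")


def S(who): return Segment(who, syn=True)            # bare SYN
def SA(who): return Segment(who, syn=True, ack=True)  # SYN-ACK
def A(who): return Segment(who, ack=True)            # bare ACK


# Constructed sequences for the handshake variations named in the text.
HANDSHAKES = {
    "three-way":         [S("A"), SA("B"), A("A")],
    "four-way split":    [S("A"), S("B"), SA("A"), A("B")],
    "five-way split":    [S("A"), A("B"), S("B"), SA("A"), A("B")],
    "simultaneous open": [S("A"), S("B"), SA("A"), SA("B")],
}


def is_standard_three_way(segments):
    """True only for SYN from initiator, SYN-ACK from listener, ACK from initiator."""
    if len(segments) != 3:
        return False
    init, peer = segments[0].sender, segments[1].sender
    return (init != peer and segments[2].sender == init
            and [s.flags for s in segments] == ["S", "SA", "A"])


def split_handshake_drops(segments):
    """Indexes of segments the option discards: a bare SYN (SYN set, ACK clear)
    sent by any party other than the session initiator (the listener's SYN)."""
    initiator = segments[0].sender
    return [i for i, s in enumerate(segments)
            if s.sender != initiator and s.syn and not s.ack]


def evaluate(segments):
    """(established, dropped_indexes) with the option enabled: only the
    standard three-way handshake passes with nothing dropped."""
    dropped = split_handshake_drops(segments)
    return (is_standard_three_way(segments) and not dropped, dropped)


if __name__ == "__main__":
    for name, segs in HANDSHAKES.items():
        ok, dropped = evaluate(segs)
        print(f"{name:18s} established={ok} dropped_segment_indexes={dropped}")
```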