This option in a Zone Protection profile prevents a TCP session from being
established if the session establishment procedure does not use
the well-known three-way handshake but instead uses a variation,
such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly
handles sessions and all Layer 7 processes for split handshake and
simultaneous open session establishment without enabling the
option. Nevertheless, the option (which causes a TCP split handshake
drop) is made available. When the option is configured for a
Zone Protection profile and that profile is applied to a zone,
TCP sessions for interfaces in that zone must be established using
the standard three-way handshake; variations are not allowed.
When the option is disabled

The following illustrates the standard three-way handshake used
to establish a TCP session with a PAN-OS firewall between the initiator
(typically a client) and the listener (typically a server).
The letter A in the figure indicates the session initiator and B
indicates the listener. Each numbered segment of the handshake has
an arrow indicating the direction of the segment from the sender
to the receiver, and each segment indicates the control bit(s) setting.

When the option is configured

When the option is configured for a Zone Protection profile that is
assigned to a zone, an interface that is a member of the zone drops
any synchronization (SYN) packets sent from the server, preventing
the following variations of handshakes.
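As an added illustration (constructed here; it is not Palo Alto Networks code and does not describe the PAN-OS implementation), the following Python model encodes the rule stated above: with the option enabled, any bare SYN (SYN without ACK) arriving from the listener side of a session is dropped, so only the standard three-way handshake can complete, while with the option disabled a session is established whenever both sides have sent a SYN and had it acknowledged. The segment sequences are constructed from RFC 793 (three-way handshake and simultaneous open) and the four-way split handshake variant; the five-way variant is not modelled. The names `Segment`, `enforce_three_way_only`, `session_established` and `evaluate` are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of the behaviour described in the text above.
# It is NOT the firewall's implementation; it only reproduces the stated
# policy: when the option is on, bare SYNs from the listener are dropped.

INITIATOR = "A"   # session initiator (typically the client)
LISTENER = "B"    # listener (typically the server)


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a handshake: who sent it and its SYN/ACK control bits."""
    src: str
    syn: bool = False
    ack: bool = False


# Handshake sequences (constructed from RFC 793 and the split handshake variant).
THREE_WAY: List[Segment] = [
    Segment(INITIATOR, syn=True),            # 1. A -> B  SYN
    Segment(LISTENER, syn=True, ack=True),   # 2. B -> A  SYN/ACK
    Segment(INITIATOR, ack=True),            # 3. A -> B  ACK
]

FOUR_WAY_SPLIT: List[Segment] = [
    Segment(INITIATOR, syn=True),            # 1. A -> B  SYN
    Segment(LISTENER, syn=True),             # 2. B -> A  SYN (no ACK: the "split")
    Segment(INITIATOR, syn=True, ack=True),  # 3. A -> B  SYN/ACK
    Segment(LISTENER, ack=True),             # 4. B -> A  ACK
]

SIMULTANEOUS_OPEN: List[Segment] = [
    Segment(INITIATOR, syn=True),            # 1. A -> B  SYN
    Segment(LISTENER, syn=True),             # 2. B -> A  SYN (both sides open at once)
    Segment(INITIATOR, syn=True, ack=True),  # 3. A -> B  SYN/ACK
    Segment(LISTENER, syn=True, ack=True),   # 4. B -> A  SYN/ACK
]


def enforce_three_way_only(segments: List[Segment]) -> Tuple[List[Segment], List[Segment]]:
    """Policy with the option enabled: drop any bare SYN sent by the listener.

    Returns (forwarded_segments, dropped_segments). A SYN/ACK from the
    listener is part of the standard handshake and is forwarded.
    """
    forwarded, dropped = [], []
    for seg in segments:
        if seg.src == LISTENER and seg.syn and not seg.ack:
            dropped.append(seg)
        else:
            forwarded.append(seg)
    return forwarded, dropped


def session_established(segments: List[Segment]) -> bool:
    """Generic establishment check: each side must have sent a SYN and had it
    acknowledged by its peer. Variations (split, simultaneous open) satisfy
    this just as the three-way handshake does, which models the firewall
    handling them correctly when the option is off.
    """
    syn_sent: Dict[str, bool] = {INITIATOR: False, LISTENER: False}
    syn_acked: Dict[str, bool] = {INITIATOR: False, LISTENER: False}
    for seg in segments:
        peer = LISTENER if seg.src == INITIATOR else INITIATOR
        if seg.syn:
            syn_sent[seg.src] = True
        # An ACK only counts if the peer's SYN actually got through.
        if seg.ack and syn_sent[peer]:
            syn_acked[peer] = True
    return all(syn_sent.values()) and all(syn_acked.values())


def evaluate(segments: List[Segment], split_handshake_drop: bool) -> Tuple[bool, int]:
    """Run a handshake through the zone with the option on or off.

    Returns (session_established, number_of_dropped_segments).
    """
    if split_handshake_drop:
        segments, dropped = enforce_three_way_only(segments)
    else:
        dropped = []
    return session_established(segments), len(dropped)


if __name__ == "__main__":
    cases = [("three-way", THREE_WAY),
             ("four-way split", FOUR_WAY_SPLIT),
             ("simultaneous open", SIMULTANEOUS_OPEN)]
    for enabled in (False, True):
        print(f"option {'enabled' if enabled else 'disabled'}:")
        for name, seq in cases:
            ok, n_dropped = evaluate(seq, enabled)
            print(f"  {name:18s} established={ok!s:5s} dropped={n_dropped}")
```

With the option disabled all three sequences establish a session; with it enabled only the three-way handshake does, and exactly one segment (the listener's bare SYN) is dropped in each variation. Because the check keys on the SYN bit without ACK from the listener side, the legitimate SYN/ACK of the standard handshake is never affected, which is why enabling the option has no effect on normal client-to-server sessions.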