TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the
main protocols in the Internet Protocol (IP) suite, and is so prevalent
that it is frequently referenced together with IP as TCP/IP.
TCP is considered a reliable transport protocol because it provides
error-checking while transmitting and receiving segments, acknowledges
segments received, and reorders segments that arrive in the wrong
order. TCP also requests and provides retransmission of segments
that were dropped. TCP is stateful and connection-oriented, meaning
a connection between the sender and receiver is established for the
duration of the session. TCP provides flow control of packets, so
it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and
acknowledge a session. After the data is transferred, the session
is closed in an orderly manner, where each side transmits a FIN
packet and acknowledges it with an ACK packet. The handshake that
initiates the TCP session is often a three-way handshake (an exchange
of three messages) between the initiator and the listener, or it
could be a variation, such as a four-way or five-way split handshake
or a simultaneous open. The TCP Split Handshake Drop topic explains
how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include
Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer
Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post
Office Protocol version 3 (POP3), Internet Message Access Protocol
(IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation
of TCP.
You can configure packet-based attack protection and
thereby drop IP, TCP, and IPv6 packets with undesirable characteristics
or strip undesirable options from packets before allowing them into
the zone. You can also configure flood protection, specifying the
rate of SYN connections per second (not matching an existing session)
that trigger an alarm, cause the firewall to randomly drop SYN packets
or use SYN cookies, and cause the firewall to drop SYN packets that
exceed the maximum rate.
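As an added example (not PAN-OS code or configuration), the following Python models the two behaviours this section describes: classifying a captured handshake as the standard three-way exchange or as one of the variations a split-handshake drop refuses (five-way split; four-way split and simultaneous open, which look alike on the wire), and mapping a per-second rate of new SYNs to the alarm, mitigation and drop tiers. The segment tuples, the host names "c"/"s" and the threshold parameter names are constructed for the example.

```python
"""Added example (not PAN-OS code): simplified model of this section's handshake variations and SYN-rate tiers."""
# Constructed captures as (src, dst, flags) tuples; not real traffic.
THREE_WAY = [("c", "s", {"SYN"}), ("s", "c", {"SYN", "ACK"}), ("c", "s", {"ACK"})]
# Listener answers with a bare ACK, then a bare SYN: the five-way split.
FIVE_WAY_SPLIT = [("c", "s", {"SYN"}), ("s", "c", {"ACK"}), ("s", "c", {"SYN"}),
                  ("c", "s", {"SYN", "ACK"}), ("s", "c", {"ACK"})]
# Both sides send a bare SYN; a four-way split looks the same on the wire.
SIMULTANEOUS_OPEN = [("c", "s", {"SYN"}), ("s", "c", {"SYN"}),
                     ("c", "s", {"SYN", "ACK"}), ("s", "c", {"SYN", "ACK"})]


def classify_handshake(segments, initiator):
    """Return (label, is_three_way). The listener's first reply to the
    initiator's SYN decides the label; anything but a single SYN+ACK is a
    variation that a split-handshake drop policy refuses."""
    syn_senders, ack_senders, listener_replies = set(), set(), []
    for src, _dst, flags in segments:
        flags = frozenset(flags)
        if "SYN" in flags:
            syn_senders.add(src)
        if src != initiator:
            listener_replies.append(flags)
        # An ACK counts toward completion only after both sides sent a SYN.
        if "ACK" in flags and len(syn_senders) == 2:
            ack_senders.add(src)
        if len(ack_senders) == 2:
            break
    if len(ack_senders) < 2:
        return "incomplete", False  # e.g. a half-open connection from a SYN flood
    first = listener_replies[0]
    if first == frozenset({"SYN", "ACK"}):
        return "three-way", True
    if first == frozenset({"ACK"}):
        return "five-way split", False
    return "four-way split or simultaneous open", False


def syn_flood_action(syn_rate, alarm_rate, activate_rate, max_rate,
                     mitigation="syn-cookies"):
    """Map new SYNs per second (not matching a session) to the tiers the
    section describes: alarm, then random early drop or SYN cookies, then
    drop above the maximum. Assumes alarm_rate <= activate_rate <= max_rate."""
    if syn_rate > max_rate:
        return "drop"
    if syn_rate >= activate_rate:
        return mitigation  # "random-early-drop" or "syn-cookies"
    if syn_rate >= alarm_rate:
        return "alarm"
    return "allow"
```

A four-way split and a simultaneous open carry identical flag sequences, so a flags-only classifier reports them together; that is why a policy that only accepts the three-way exchange refuses both.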