a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the option. Nevertheless, the option (which causes a TCP split handshake drop) is made available. When the option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
option is disabled
The following illustrates the standard three-way handshake used to establish a TCP session through a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).
option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes.
The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.