Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols
in the Internet Protocol (IP) suite, and is so prevalent that it
is frequently referenced together with IP as TCP/IP.
TCP is considered a reliable transport protocol because it provides
error-checking while transmitting and receiving segments, acknowledges
segments received, and reorders segments that arrive in the wrong
order. TCP also requests and provides retransmission of segments
that were dropped. TCP is stateful and connection-oriented, meaning
a connection between the sender and receiver is established for
the duration of the session. TCP provides flow control of packets,
so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and
acknowledge a session. After the data is transferred, the session
is closed in an orderly manner, where each side transmits a FIN
packet and acknowledges it with an ACK packet. The handshake that
initiates the TCP session is often a three-way handshake (an exchange
of three messages) between the initiator and the listener, or it
could be a variation, such as a four-way or five-way split handshake
or a simultaneous open. The TCP Split Handshake Drop explains
how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include
Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer
Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post
Office Protocol version 3 (POP3), Internet Message Access Protocol
(IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation
You can use Zone Protection Profiles on
the firewall to configure packet-based attack protection and thereby
drop IP, TCP, and IPv6 packets with undesirable characteristics
or strip undesirable options from packets before allowing them into
the zone. You can also configure flood protection, specifying the
rate of SYN connections per second (not matching an existing session)
that trigger an alarm, cause the firewall to randomly drop SYN packets
or use SYN cookies, and cause the firewall to drop SYN packets that
exceed the maximum rate.