Palo Alto Networks Knowledgebase: Multi-Path TCP on Palo Alto Networks Firewalls


Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:04 AM


What is Multipath TCP? Multipath TCP (MPTCP, specified in RFC 6824 and revised in RFC 8684) is an extension to TCP that lets a single application data flow be split across multiple TCP connections, called subflows, which can use different ports and/or entirely different interfaces and networks. The endpoints negotiate it with a TCP option (option kind 30) carried in the SYN; if either side does not support the option, the connection falls back to ordinary TCP. Because the application data is spread over several TCP sessions, possibly over different networks, a network security device that sees only some of those sessions cannot reliably reassemble the session contents for threat inspection.


The benefits of MPTCP are better resource utilization, higher throughput and a smoother reaction to link failures.


An application or OS that supports MPTCP may open several completely independent TCP sessions from the local NIC(s). Only some of them may traverse the Palo Alto Networks firewall, depending on which subflows the endpoint establishes and whether the device has multiple NICs. From an L4 perspective each subflow is a normal TCP session. At L7, however, the firewall sees only fragments of the application data when multiple MPTCP subflows are in use, so App-ID and threat scanning may not work correctly: the traffic may be classified as unknown-tcp (or otherwise misidentified), and content that is spread across subflows may not match threat signatures.


PAN-OS 8.0 introduced the ability to strip the MPTCP option from TCP packets (configured per zone in the Zone Protection profile, with a global default in the device session TCP settings). Without the option the endpoints negotiate a plain TCP connection, so multipath sessions are never established and the firewall sees the complete application data on a single session.
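As an added example (written for this page, not Palo Alto Networks code and not from the article), the following Python parses the TCP options of a constructed SYN, reports any MPTCP (kind 30) options by subtype, and strips them the way an in-path device can: the option bytes are overwritten with NOPs so the header length and sequence numbers stay unchanged, and the TCP checksum is recomputed. The addresses, ports and the MP_CAPABLE key in the sample are made up.

```python
"""Parse and strip the Multipath TCP option (kind 30) from a TCP segment.

Added example, not Palo Alto Networks code. It models, in simplified form,
what a firewall that strips the MPTCP option does: MP_CAPABLE / MP_JOIN is
overwritten with NOPs so the peers fall back to plain TCP, and the TCP
checksum is recomputed. The sample SYN below is constructed for the example.
"""
import ipaddress
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MPTCP = 0, 1, 30
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}


def _walk_options(segment: bytes):
    """Yield (offset, kind, length) for each option in the TCP header."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length


def parse_tcp_options(segment: bytes):
    """Return [(kind, payload)] for the options carried in a TCP header."""
    return [(kind, segment[off + 2:off + length])
            for off, kind, length in _walk_options(segment)]


def mptcp_options(segment: bytes):
    """List the MPTCP options (kind 30) in a segment by subtype name."""
    return [MPTCP_SUBTYPES.get(payload[0] >> 4, "UNKNOWN")
            for kind, payload in parse_tcp_options(segment)
            if kind == TCP_OPT_MPTCP and payload]


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Standard TCP checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when the segment already carries a correct checksum."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def strip_mptcp(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Overwrite every kind-30 option with NOPs and fix the checksum.
    NOPs keep the header length identical, so the data offset, sequence
    numbers and payload need no adjustment."""
    buf = bytearray(segment)
    for off, kind, length in _walk_options(segment):
        if kind == TCP_OPT_MPTCP:
            buf[off:off + length] = bytes([TCP_OPT_NOP]) * length
    buf[16:18] = b"\x00\x00"
    struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf)


# Constructed sample: a SYN from 10.0.0.10:40000 to 192.0.2.5:443 carrying
# MSS, SACK-permitted, window scale and an MP_CAPABLE option (MPTCP v0 layout,
# 12 bytes including the sender key), padded with NOPs to a 24-byte block.
SRC_IP, DST_IP = "10.0.0.10", "192.0.2.5"
MP_CAPABLE = bytes([30, 12, 0x00, 0x81]) + bytes.fromhex("0123456789abcdef")
OPTIONS = (bytes([2, 4, 0x05, 0xB4]) + bytes([4, 2]) + b"\x01\x01"
           + bytes([3, 3, 7]) + b"\x01" + MP_CAPABLE)


def build_syn(options: bytes) -> bytes:
    """Build a bare TCP SYN header (no IP header) with a valid checksum."""
    hdr_len = 20 + len(options)
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0,
                      (hdr_len // 4) << 4, 0x02, 65535, 0, 0) + options
    csum = tcp_checksum(SRC_IP, DST_IP, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


SAMPLE_SYN = build_syn(OPTIONS)

if __name__ == "__main__":
    print("before:", mptcp_options(SAMPLE_SYN))
    stripped = strip_mptcp(SAMPLE_SYN, SRC_IP, DST_IP)
    print("after: ", mptcp_options(stripped),
          "checksum ok:", tcp_checksum(SRC_IP, DST_IP, stripped) == 0)
```

The same option walk is what a detection rule needs: a SYN carrying kind 30 with subtype MP_JOIN is a client adding a subflow to an existing MPTCP connection whose other subflows may never cross this firewall, which is exactly the visibility gap described above.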


owner: harshanatarajan
