Difference Between Drop and Drop-all-packets Action in Threat Security Profiles
Resolution
Overview
When configuring a security policy, two drop actions are available:
- Drop
- Drop-all-packets
If the drop action is configured, the firewall will drop the first packet only.
If the drop-all-packets action is configured, the firewall will drop every subsequent packet for that session. The session will be set to DISCARD and packets will be dropped until the TCP or UDP Timeout for the session is reached and the session is removed from the session table.
The tracker stage firewall will list: "mitigation tdb drop all" and the reason will be "threat."
For a UDP connection, there is no retransmit mechanism. Setting the option to drop will cause the firewall to discard the faulty packet but transmit the rest of the communication. If the firewall is set to drop-all-packets the faulty packet, as well as any subsequent packets, will be discarded.
In the case of a TCP connection, the behavior will be the same. The first packet will be dropped and the workstation will send a retransmit, which will also be dropped.
The GUI screenshot below illustrates where the option is found.
UPDATE:
The drop-all-packets action has been consolidated to the drop action since PAN-OS 7.0 and the action is no longer available in the newer PAN-OS versions.
As the PAN-OS 7.0 Release Notes explains, the drop option in PAN-OS 7.0 or higher performs the same action as the drop-all-packets option does in PAN-OS 6.1.
owner: panagent