Application being identified as "non-syn-tcp" and is allowed/blocked
70731
Created On 04/03/19 13:29 PM - Last Modified 04/12/19 21:01 PM
Symptom
The application is identified as "non-syn-tcp".
The traffic is allowed or dropped depending on the tcp-reject-non-syn setting.
Environment
- PAN-OS
- Network with Asymmetric Routing
Cause
- When the first packet the firewall sees for a TCP flow is not a SYN, that packet is allowed or dropped according to the tcp-reject-non-syn setting, and the application is identified as non-syn-tcp.
- This can happen when there is asymmetric routing in the network.
- Asymmetric routing is a situation where packets follow a different route in an outbound direction than they follow when returning in the inbound direction.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0
Resolution
The solution depends on the situation.
- If the traffic is identified as non-syn-tcp and is dropped/allowed but needs to be allowed/blocked, you may need to configure the non-syn-tcp handling globally or on a per-zone basis. See below article for reference:
- Network architecture can be changed to eliminate asymmetric routing.
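As an added example (not part of the Palo Alto Networks article), the Python below reads a constructed, simplified traffic-log excerpt and groups sessions identified as non-syn-tcp by source/destination zone pair, so the zone pairs where the firewall is seeing mid-stream packets before any SYN stand out. The four-column layout (app, src_zone, dst_zone, action) and the sample rows are assumptions made for this example and are not the real PAN-OS log export format.

```python
"""Find zone pairs where the firewall logs non-syn-tcp sessions.

Added example, not code from the article. The log layout below is a
constructed, simplified CSV; real PAN-OS traffic logs carry many more
fields and a different column order.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample traffic log with a header row (assumed layout).
SAMPLE_LOG = """\
app,src_zone,dst_zone,action
web-browsing,trust,untrust,allow
non-syn-tcp,dmz,untrust,drop
ssl,trust,untrust,allow
non-syn-tcp,dmz,untrust,drop
non-syn-tcp,dmz,untrust,allow
non-syn-tcp,trust,untrust,allow
dns,trust,untrust,allow
"""

NON_SYN_APP = "non-syn-tcp"


def parse_log(text):
    """Parse the simplified CSV traffic log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def non_syn_by_zone_pair(records):
    """Count non-syn-tcp sessions per (src_zone, dst_zone), split by action."""
    counts = defaultdict(Counter)
    for row in records:
        if row["app"] == NON_SYN_APP:
            counts[(row["src_zone"], row["dst_zone"])][row["action"]] += 1
    return counts


def suspected_asymmetric_pairs(records, threshold=2):
    """Zone pairs whose non-syn-tcp session count reaches the threshold.

    A single non-SYN first packet can be a late retransmission after a
    session timed out; repeated hits on the same zone pair are the pattern
    that points at a return path bypassing the firewall.
    """
    result = {}
    for pair, actions in non_syn_by_zone_pair(records).items():
        total = sum(actions.values())
        if total >= threshold:
            result[pair] = {
                "total": total,
                "allowed": actions.get("allow", 0),
                "dropped": actions.get("drop", 0),
            }
    return result


def non_syn_share(records):
    """Fraction of all logged sessions identified as non-syn-tcp."""
    if not records:
        return 0.0
    hits = sum(1 for row in records if row["app"] == NON_SYN_APP)
    return hits / len(records)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(f"non-syn-tcp share of sessions: {non_syn_share(rows):.2f}")
    for (src, dst), info in sorted(suspected_asymmetric_pairs(rows).items()):
        print(f"{src} -> {dst}: {info['total']} non-syn-tcp "
              f"({info['allowed']} allowed, {info['dropped']} dropped)")
```

A zone pair that stands out in this report is where to check the routing first; it also tells you which zone a per-zone change to the non-SYN handling would actually affect, whereas a global change applies to every zone pair at once.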