Prisma Cloud Compute: Packet dropped by 3rd Party Firewall/Network Security Device after enabling Network Monitoring/CNNS/CNNF
Created On 07/25/23 01:45 AM - Last Modified 05/15/24 03:01 AM
Symptom
- After Network Monitoring is enabled, the connection cannot be established over a certain path or to a certain remote website
Environment
- Prisma Cloud Compute
- WAAS
Cause
- By design, WAAS inserts an additional TCP option (flag) into the SYN packet. For example:
- However, some network security devices drop a packet that carries a TCP option they do not recognize. For example:
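To confirm from a packet capture that a SYN really carries an option kind a strict middlebox may not recognize, here is an added example (not part of this article or of Prisma Cloud) that walks the TCP option list of a raw TCP header and reports any kind outside the commonly recognized set. The sample SYN and the experimental option kind 253 used as a stand-in are constructed, since the article does not state which option kind WAAS inserts.

```python
import struct

# IANA TCP option kinds most middleboxes recognize: EOL, NOP, MSS, WScale, SACK-permitted, SACK, Timestamps, TFO
KNOWN_TCP_OPTIONS = {0, 1, 2, 3, 4, 5, 8, 34}

def parse_tcp_options(tcp_header: bytes) -> list[tuple[int, bytes]]:
    """Return (kind, payload) pairs from the options area of a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    options = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                 # End of option list
            break
        if kind == 1:                                 # NOP: one byte, no length field
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed

def unknown_tcp_options(tcp_header: bytes) -> list[int]:
    """Option kinds in a SYN that a strict firewall may treat as unknown."""
    flags = tcp_header[13]
    if not flags & 0x02:                              # not a SYN: nothing to check
        return []
    return sorted({k for k, _ in parse_tcp_options(tcp_header) if k not in KNOWN_TCP_OPTIONS})

# Constructed sample SYN (port 40000 -> 443) with MSS, SACK-permitted, Timestamps,
# NOP, WScale, plus a hypothetical vendor option using experimental kind 253.
def build_sample_syn() -> bytes:
    opts = (b"\x02\x04\x05\xb4"              # MSS 1460
            + b"\x04\x02"                    # SACK permitted
            + b"\x08\x0a" + b"\x00" * 8      # Timestamps (values zeroed)
            + b"\x01"                        # NOP
            + b"\x03\x03\x07"                # Window scale 7
            + b"\xfd\x06\xde\xad\xbe\xef")   # experimental kind 253, 6 bytes total
    opts += b"\x00" * (-len(opts) % 4)       # pad options to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + opts
```

Feed `unknown_tcp_options()` the TCP header bytes of the dropped SYN from a capture taken on the WAAS side; a non-empty result points at the option-filtering behaviour described above rather than at routing or policy.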
Resolution
Please choose one of the options below:
- Disable Network Monitoring on Prisma Cloud Compute: Console > Radars > Settings > (disable Container network monitoring & Host network monitoring)
- Check with the 3rd party vendor which security feature blocks unknown TCP options:
  - Check Point: disable SecureXL
  - SonicWall: enable "Fix/ignore malformed TCP headers" and disable "Enable TCP sequence number randomization"