How To Understand L4 Checksum and Disable on Network Processor
34932
Created On 04/28/19 08:47 AM - Last Modified 03/28/24 13:22 PM
Objective
Learn how to understand L4 checksum on Palo Alto Networks firewall.
Procedure
The L4 checksum is calculated and validated on dataplane on all PAN-OS devices. This checksum is done during the ingress stage packet parsing stage. For more information, please refer to the following article: Packet Flow Sequence in PAN-OS (section 2.1).
In PA-5200 and PA-3200, there is an additional validation of L4 checksum on the network processor.
Here is how you check if the L4 checksum is enabled on the dataplane, which is enabled by default:
> show session info
target-dp: *.*
--------------------------------------------------------------------------------
Number of sessions supported: 8388604
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
Here is how to disable this checksum:
> set session strict-checksum no
> show session info
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 4194302
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Session table utilization: 0%
Number of sessions created since bootup: 4785
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: False
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
Processing CPU: dp1
Broadcast first packet: no
--------------------------------------------------------------------------------
Here is how to check if the L4 checksum is enabled on the network processor, which is ONLY on PA-5200 and PA-3200:
> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }
OR
> show system state | match l4
<no output>
By default, l4_chk_sum is enabled when you run the above command and you would see no output. If it's manually enabled, 'l4_chk_sum' is set to 1. Hence, if you either see no output or if the l4_chk_sum is set to 1, that means the L4 checksum is enabled on the network processor.
Here is how to disable L4 checksum on the network processor:
> set system setting layer4-checksum ? > disable Disable layer4 checksum > enable Enable layer4 checksum > set system setting layer4-checksum disable
A reboot is required to bring the change into effect:
> request restart system