How To Understand L4 Checksum and Disable on Network Processor

How To Understand L4 Checksum and Disable on Network Processor

36363
Created On 04/28/19 08:47 AM - Last Modified 03/28/24 13:22 PM


Objective


Learn how to understand L4 checksum on Palo Alto Networks firewall.

Procedure


The L4 checksum is calculated and validated on dataplane on all PAN-OS devices. This checksum is done during the ingress stage packet parsing stage. For more information, please refer to the following article: Packet Flow Sequence in PAN-OS (section 2.1).

In PA-5200 and PA-3200, there is an additional validation of L4 checksum on the network processor.

Here is how you check if the L4 checksum is enabled on the dataplane, which is enabled by default:
> show session info

target-dp:                                       *.*
--------------------------------------------------------------------------------
Number of sessions supported:                    8388604
Number of allocated sessions:                    0
Number of active TCP sessions:                   0
Number of active UDP sessions:                   0
Number of active ICMP sessions:                  0
Number of active GTPc sessions:                  0
Number of active GTPu sessions:                  0
Number of pending GTPu sessions:                 0
Number of active BCAST sessions:                 0
Number of active MCAST sessions:                 0
Number of active predict sessions:               0
Session table utilization:                       0%
Number of sessions created since bootup:         0
Packet rate:                                     0/s
Throughput:                                      0 kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:      5 secs
  TCP session timeout before 3-way handshaking:    10 secs
  TCP half-closed session timeout:                120 secs
  TCP session timeout in TIME_WAIT:                15 secs
  TCP session delayed ack timeout:                250 millisecs
  TCP session timeout for unverified RST:          30 secs
  UDP default timeout:                             30 secs
  ICMP default timeout:                             6 secs
  other IP default timeout:                        30 secs
  Captive Portal session timeout:                  30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging:                       True
  Accelerated aging threshold:                   80% of utilization
  Scaling factor:                                2 X
--------------------------------------------------------------------------------
Session setup
  TCP - reject non-SYN first packet:             True
  Hardware session offloading:                   True
  Hardware UDP session offloading:               True
  IPv6 firewalling:                              True
  Strict TCP/IP checksum:                        True
  Strict TCP RST sequence:                       True
  Reject TCP small initial window:               False
  ICMP Unreachable Packet Rate:                  200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
  Timeout to determine application trickling:    10 secs
  Resource utilization threshold to start scan:  80%
  Scan scaling factor over regular aging:        8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate                         : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session   : 0
--------------------------------------------------------------------------------
Here is how to disable this checksum:
> set session strict-checksum no
> show session info

target-dp:                                       *.dp0
--------------------------------------------------------------------------------
Number of sessions supported:                    4194302
Number of allocated sessions:                    0
Number of active TCP sessions:                   0
Number of active UDP sessions:                   0
Number of active ICMP sessions:                  0
Number of active GTPc sessions:                  0
Number of active GTPu sessions:                  0
Number of pending GTPu sessions:                 0
Number of active BCAST sessions:                 0
Number of active MCAST sessions:                 0
Number of active predict sessions:               0
Number of active SCTP sessions:                  0
Number of active SCTP associations:              0
Session table utilization:                       0%
Number of sessions created since bootup:         4785
Packet rate:                                     0/s
Throughput:                                      0 kbps
New connection establish rate:                   0 cps
--------------------------------------------------------------------------------
Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:      5 secs
  TCP session timeout before 3-way handshaking:    10 secs
  TCP half-closed session timeout:                120 secs
  TCP session timeout in TIME_WAIT:                15 secs
  TCP session delayed ack timeout:                250 millisecs
  TCP session timeout for unverified RST:          30 secs
  UDP default timeout:                             30 secs
  ICMP default timeout:                             6 secs
  SCTP default timeout:                          3600 secs
  SCTP timeout before INIT-ACK received:            5 secs
  SCTP timeout before COOKIE received:             60 secs
  SCTP timeout before SHUTDOWN received:           30 secs
  other IP default timeout:                        30 secs
  Captive Portal session timeout:                  30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging:                       True
  Accelerated aging threshold:                   80% of utilization
  Scaling factor:                                2 X
--------------------------------------------------------------------------------
Session setup
  TCP - reject non-SYN first packet:             True
  Hardware session offloading:                   True
  Hardware UDP session offloading:               True
  IPv6 firewalling:                              True
  Strict TCP/IP checksum:                        False
  Strict TCP RST sequence:                       True
  Reject TCP small initial window:               False
  ICMP Unreachable Packet Rate:                  200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
  Timeout to determine application trickling:    10 secs
  Resource utilization threshold to start scan:  80%
  Scan scaling factor over regular aging:        8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate                         : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session   : 0
--------------------------------------------------------------------------------
Processing CPU:                                  dp1
Broadcast first packet:                          no
--------------------------------------------------------------------------------

Here is how to check if the L4 checksum is enabled on the network processor, which is ONLY on PA-5200 and PA-3200:
> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }

OR

> show system state | match l4
<no output>

By default, l4_chk_sum is enabled when you run the above command and you would see no output. If it's manually enabled, 'l4_chk_sum' is set to 1. Hence, if you either see no output or if the l4_chk_sum is set to 1, that means the L4 checksum is enabled on the network processor.

Here is how to disable L4 checksum on the network processor:
> set system setting layer4-checksum  ?

> disable   Disable layer4 checksum
> enable    Enable layer4 checksum

> set system setting layer4-checksum disable

A reboot is required to bring the change into effect:
> request restart system


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLpI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail