The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
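The following added example (not Palo Alto Networks code) models the rule stated above: with the option enabled, only the standard three-way handshake passes, and any variation is dropped. The variant definitions, the function names `classify` and `dropped_by_option`, and the sample sessions are simplified assumptions constructed for illustration, not the firewall's detection logic.

```python
# Added illustration: classify TCP session setup and apply the strict
# "three-way handshake only" rule. "c" = initiator, "s" = responder.
SYN, ACK = "SYN", "ACK"

# Constructed sample setups: ordered (sender, flags) pairs.
STANDARD = [("c", {SYN}), ("s", {SYN, ACK}), ("c", {ACK})]
SPLIT = [("c", {SYN}), ("s", {ACK}), ("s", {SYN}), ("c", {ACK})]
SIMOPEN = [("c", {SYN}), ("s", {SYN}), ("c", {SYN, ACK}), ("s", {SYN, ACK})]


def classify(setup):
    """Return 'three-way', 'split-handshake', 'simultaneous-open' or 'other'.

    Simplified definitions (assumptions for this example):
      split-handshake   - responder answers the SYN with a bare ACK and
                          sends its own SYN in a separate segment
      simultaneous-open - responder answers the SYN with its own bare SYN
    """
    seq = [(who, frozenset(flags)) for who, flags in setup]
    if seq == [(who, frozenset(flags)) for who, flags in STANDARD]:
        return "three-way"
    if not seq or seq[0] != ("c", frozenset({SYN})):
        return "other"
    responder = [flags for who, flags in seq[1:] if who == "s"]
    if not responder:
        return "other"
    if responder[0] == {ACK} and frozenset({SYN}) in responder[1:]:
        return "split-handshake"
    if responder[0] == {SYN}:
        return "simultaneous-open"
    return "other"


def dropped_by_option(setup, option_enabled):
    """True if the modelled Split Handshake option would drop this setup.

    Models only this one option: with it enabled, anything other than the
    standard three-way handshake is dropped. Other checks are out of scope.
    """
    return option_enabled and classify(setup) != "three-way"


if __name__ == "__main__":
    for name, setup in (("standard", STANDARD), ("split", SPLIT),
                        ("simultaneous open", SIMOPEN)):
        print(f"{name:18} {classify(setup):18} "
              f"dropped={dropped_by_option(setup, True)}")
```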