The Split Handshake option in a Zone Protection profile prevents a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.

The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processing for split-handshake and simultaneous-open session establishment without the Split Handshake option enabled. Nevertheless, the Split Handshake option, which causes a TCP split handshake drop, is made available. When the Split Handshake option is configured in a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.

The Split Handshake option is disabled by default.
The following illustrates the standard three-way handshake used to establish a TCP session through a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).
When the Split Handshake option is configured in a Zone Protection profile that is assigned to a zone, an interface that is a member of that zone drops any synchronization (SYN) packets sent from the server, which prevents the following handshake variations. In the figure, the letter A indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from sender to receiver, and each segment shows the control bits that are set in it.
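The following is an added example, not PAN-OS code, that models the rule described above: with the option enabled, a listener's SYN that is not the SYN-ACK reply of a three-way handshake is dropped, so only the standard exchange completes. The segment order of the four-way and five-way split traces is an illustrative assumption, since this page does not spell them out.

```python
# Added example (not PAN-OS code): model of the Split Handshake rule in a
# Zone Protection profile, run over constructed TCP handshake traces.
from typing import FrozenSet, List, Tuple

# A segment is (sender, receiver, control bits). "A" is the initiator, "B" the listener.
Segment = Tuple[str, str, FrozenSet[str]]

def seg(sender: str, receiver: str, *bits: str) -> Segment:
    return (sender, receiver, frozenset(bits))

def apply_split_handshake_option(trace: List[Segment], listener: str):
    """Emulate the option on an interface in the protected zone: any SYN sent by
    the listener that is not a SYN-ACK reply is dropped. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for s in trace:
        sender, _, bits = s
        if sender == listener and "SYN" in bits and "ACK" not in bits:
            dropped.append(s)
        else:
            forwarded.append(s)
    return forwarded, dropped

def is_three_way(trace: List[Segment], initiator: str, listener: str) -> bool:
    """True only for the standard SYN, SYN-ACK, ACK exchange the option requires."""
    expected = [seg(initiator, listener, "SYN"),
                seg(listener, initiator, "SYN", "ACK"),
                seg(initiator, listener, "ACK")]
    return trace[:3] == expected

def session_established(trace: List[Segment], initiator: str = "A", listener: str = "B") -> bool:
    """Would the session come up on a zone with the Split Handshake option enabled?"""
    forwarded, _ = apply_split_handshake_option(trace, listener)
    return is_three_way(forwarded, initiator, listener)

# Constructed traces. The split-handshake segment orders are illustrative assumptions.
THREE_WAY = [seg("A", "B", "SYN"), seg("B", "A", "SYN", "ACK"), seg("A", "B", "ACK")]
SIMULTANEOUS_OPEN = [seg("A", "B", "SYN"), seg("B", "A", "SYN"),
                     seg("A", "B", "SYN", "ACK"), seg("B", "A", "SYN", "ACK")]
FOUR_WAY_SPLIT = [seg("A", "B", "SYN"), seg("B", "A", "SYN"),
                  seg("A", "B", "SYN", "ACK"), seg("B", "A", "ACK")]
FIVE_WAY_SPLIT = [seg("A", "B", "SYN"), seg("B", "A", "ACK"), seg("B", "A", "SYN"),
                  seg("A", "B", "SYN", "ACK"), seg("B", "A", "ACK")]

if __name__ == "__main__":
    for name, t in [("three-way", THREE_WAY), ("simultaneous open", SIMULTANEOUS_OPEN),
                    ("four-way split", FOUR_WAY_SPLIT), ("five-way split", FIVE_WAY_SPLIT)]:
        _, dropped = apply_split_handshake_option(t, "B")
        print(f"{name}: established={session_established(t)}, dropped={len(dropped)}")
```

Only the three-way trace survives; in each variation the listener's bare SYN is dropped and the remaining segments no longer form the required exchange.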