The Palo Alto Networks® next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
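The following added example (not Palo Alto Networks code) models the rule above so you can see which session-establishment sequences count as variations of the three-way handshake. It assumes a simplified flags-only view of each segment; the function names, the "C"/"S" sender labels and the sample sequences are constructed for illustration.

```python
# Added illustration: a simplified flags-only model, not PAN-OS code.
SYN, ACK = 0x02, 0x10  # TCP flag bits

def classify_handshake(segments):
    """Classify a session setup from (sender, flags) tuples.

    sender is "C" (initiator) or "S" (responder). Only the SYN and ACK bits
    are examined; sequence and acknowledgment numbers are not validated.
    """
    seq = [(who, flags & (SYN | ACK)) for who, flags in segments]
    if seq == [("C", SYN), ("S", SYN | ACK), ("C", ACK)]:
        return "three-way"
    if len(seq) < 3 or seq[0] != ("C", SYN):
        return "other"
    # Responder splits its SYN-ACK into a bare ACK followed by a bare SYN.
    if seq[1] == ("S", ACK) and ("S", SYN) in seq[2:]:
        return "split-handshake"
    # Both ends send a bare SYN before either acknowledges the other.
    if seq[1] == ("S", SYN):
        return "simultaneous-open"
    return "other"

def permitted_by_option(segments, split_handshake_enabled):
    """Model of the page's rule: with the option enabled on the zone,
    only the standard three-way handshake may establish a session.
    With it disabled, the option imposes no restriction."""
    if not split_handshake_enabled:
        return True
    return classify_handshake(segments) == "three-way"

# Constructed sample sequences (not captured traffic).
SAMPLES = {
    "three_way": [("C", SYN), ("S", SYN | ACK), ("C", ACK)],
    "split_4":   [("C", SYN), ("S", ACK), ("S", SYN), ("C", ACK)],
    "split_5":   [("C", SYN), ("S", ACK), ("S", SYN),
                  ("C", SYN | ACK), ("S", ACK)],
    "sim_open":  [("C", SYN), ("S", SYN), ("C", SYN | ACK), ("S", SYN | ACK)],
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify_handshake(sample),
              "permitted" if permitted_by_option(sample, True) else "dropped")
```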