Hello,
The first packet of any TCP communication is always a TCP SYN.
If the firewall receives a packet for which it does not have any session, then it has to be a TCP SYN packet, with which the firewall can decide whether to create a new session or drop it.
But if that packet is not a TCP SYN, the firewall ideally should drop it, as it could be an attack or the result of asymmetric routing.
The firewall can either drop it silently or send a TCP RST to the sender of that packet. With tcp-rst on the zone, it sends a TCP RST packet back.
Regards,
Rushi
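The decision described in the reply above, sketched as a small model. This is an added example, not part of the original post and not vendor code: the `Firewall` and `Segment` names are hypothetical, policy lookup is assumed to permit, and the RST fields follow RFC 793 reset generation, which is an assumption about what the device puts in the packet.

```python
from dataclasses import dataclass

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

class Firewall:
    """Toy stateful firewall: one session table, one ingress zone option."""
    def __init__(self, tcp_rst: bool):
        self.tcp_rst = tcp_rst      # models the zone's tcp-rst setting
        self.sessions = set()

    @staticmethod
    def _key(s):
        # Direction-independent key so replies match the same session.
        return frozenset({(s.src, s.sport), (s.dst, s.dport)})

    def process(self, s):
        """Return (verdict, reply); reply is a RST Segment or None."""
        key = self._key(s)
        if key in self.sessions:
            return "forward", None
        if s.flags & SYN and not s.flags & (ACK | RST | FIN):
            self.sessions.add(key)  # policy lookup omitted: assume permit
            return "create-session", None
        if not self.tcp_rst or s.flags & RST:
            return "drop", None     # silent drop; a RST is never answered with a RST
        return "reset", self._make_rst(s)

    @staticmethod
    def _make_rst(s):
        # RFC 793: if the offending segment carries ACK, the RST takes its
        # sequence number from that ACK; otherwise seq=0 and RST|ACK acks the segment.
        if s.flags & ACK:
            return Segment(s.dst, s.dport, s.src, s.sport, RST, seq=s.ack)
        seg_len = s.payload_len + bool(s.flags & SYN) + bool(s.flags & FIN)
        return Segment(s.dst, s.dport, s.src, s.sport, RST | ACK,
                       seq=0, ack=(s.seq + seg_len) % 2**32)

def demo():
    # Constructed traffic: a stray ACK with no session, then a clean SYN.
    stray = Segment("198.51.100.7", 40000, "192.0.2.10", 443, ACK, seq=1000, ack=5000)
    syn = Segment("198.51.100.7", 40001, "192.0.2.10", 443, SYN, seq=1)
    return [(fw.process(stray)[0], fw.process(syn)[0])
            for fw in (Firewall(False), Firewall(True))]
```

`demo()` runs the same two packets through a zone without and with tcp-rst, so the only difference in the result is the verdict for the stray ACK.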