Next-Generation Firewall
Configure Packet Based Attack Protection
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Packet Based Attack Protection
Defend your zones against packet based attacks.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of these:
|
A Zone Protection profile configured for packet-based attacks check IPv4, TCP, ICM, and ICMPv6
packet headers and enable you to specify whether to drop packets that have
undesirable characteristics or to strip characteristics from packets before
admitting them to the zone.
For example, you can drop TCP SYN and SYN-ACK packets
that contain data in the payload during a TCP three-way handshake.
A Zone Protection profile by default is set to drop SYN and SYN-ACK
packets with data.
- Log in to cloud management.Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesDoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.Navigate to the Zone Protection Profiles and Add Profile.Enter a descriptive Name.(Optional) Enter a Description.Select Packet Based Attack.Configure the packet-based attack protection that you want to enforce.
- IP Drop—Specify when the firewall should drop IP-based traffic entering the zone.(Best Practices) Drop Unknown and Malformed. Also, drop Strict Source Routing and Loose Source Routing because allowing these options allows adversaries to bypass Security policy rules that use the Destination IP address as the matching criteria. For internal zones only, check Spoofed IP Address so only traffic with a source address that matches the firewall routing table can access the zone.
- TCP Drop—Specify when the firewall should drop TCP-based traffic entering the zone.(Best Practices) Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP Timestamp from packets.The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the Zone Protection profile by default is set to allow the handshake packets if they contain a valid Fast Open Cookie.
- ICMP Drop—Specify when the firewall should drop ICMP-based traffic entering the zone.There are no standard best practices for configuring ICMP packet-based protection because dropping ICMP packets depending on how you use ICMP.
- IPv6 Drop—Specify when the firewall should drop IPv6-based traffic entering the zone.If compliance matters, ensure that the firewall drops packets with noncompliant headers and extensions.
- ICMPv6 Drop—Specify when the firewall should drop ICMPv6-based traffic entering the zoneIf compliance matters, ensure the firewall drops packets that don’t match the policy rule the Zone Protection profile is associated with.
Save.