>
    Configure Packet Based Attack Protection
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Zone Protection and DoS Protection
    4. Zone Defense
    5. Zone Protection Profiles
    6. Configure Packet Based Attack Protection
    Download PDF
    Next-Generation Firewall

    Configure Packet Based Attack Protection

    Table of Contents

    Configure Packet Based Attack Protection

    Use packet based attack protection to allow or drop IP, IPv6, TCP, ICMP, or ICMPv6 packets to help improve your zone security.
    Where Can I Use This?What Do I Need?
    NGFW (Managed by PAN-OS or Panorama)
    • No prerequisites needed
    To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets.
    For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).
    The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.
    If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
    Beginning with PAN-OS 8.1.2 and later releases, you can use a CLI command (step 4 in the PAN-OS tab) to enable the firewall to generate a Threat log when the firewall receives and drops the following types of packets, so that you can more easily analyze these occurrences and also fulfill audit and compliance requirements:
    • Teardrop attack
    • DoS attack using ping of death
    Furthermore, the same CLI command also enables the firewall to generate Threat logs for the following types of packets if you enable the corresponding Packet Based Attack Protection:
    • Fragmented IP packets
    • IP address spoofing
    • ICMP packets larger than 1024 bytes
    • Packets containing ICMP fragments
    • ICMP packets embedded with an error message
    • First packets for a TCP session that are not SYN packets

    PAN-OS

    Configure packet based attack protection on a PAN-OS firewall to determine how the zone protection profile handles IP, IPv6, TCP, ICMP, or ICMPv6 packets.
    1. Create a Zone Protection profile and configure Packet-Based Attack Protection settings.
      1. Select NetworkNetwork ProfilesZone Protection and Add a new profile.
      2. Enter a Name for the profile and an optional Description.
      3. Select Packet Based Attack Protection.
      4. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the Packet-Based Attack Protection settings you want to enforce to protect a zone.
      5. Click OK.
    2. Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.
      1. Select NetworkZones and select the zone where you want to assign the Zone Protection profile.
      2. Add the Interfaces belonging to the zone.
      3. For Zone Protection Profile, select the profile you just created.
      4. Click OK.
    3. Commit your changes.
    4. (PAN-OS 8.1.2 and later releases) Enable the firewall to generate Threat logs for a teardrop attack and a DoS attack using ping of death, and also generate Threat logs for the types of packets listed above if you enable the corresponding packet-based attack protection (in Step 1). For example, if you enable packet-based attack protection for Spoofed IP address, using the following CLI causes the firewall to generate a Threat log when the firewall receives and drops a packet with a spoofed IP address.
      1. Access the CLI.
      2. Use the operational CLI command set system setting additional-threat-log on. Default is off.

    Cloud Management

    Configure packet based attack protection on a cloud managed service to determine how the zone protection profile handles IP, IPv6, TCP, ICMP, or ICMPv6 packets.
    1. Create a Zone Protection profile and configure Packet-Based Attack Protection settings.
      1. Select ManageConfigurationNGFW and Prisma Access Security ServicesDoS Protection.
      2. Under Zone Protection Profiles, select an existing profile or Add Profile.
        If you add a new Zone Protection profile:
        • Enter a Name for the profile.
        • (Optional) Add a Description.
        • Configure Flood, Reconnaissance, Protocol, or EthernetSGT settings.
      3. Select Packet Based Attack. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the Packet-Based Attack Protection settings you want to enforce to protect a zone.
      4. Save the Zone Protection profile.
    2. Apply the Zone Protection profile to a security zone assigned to interfaces you want to protect.
      1. Select Device SettingsZones, then either select an existing zone or Add Zone.
      2. For Zone Protection Profile, select the Zone Protection profile that you configured.
      3. Save the Zone settings.
      4. Push Config.

    © 2025 Palo Alto Networks, Inc. All rights reserved.