Use packet based attack protection to allow or drop IP, IPv6, TCP, ICMP, or ICMPv6
packets to help improve your zone security.
| Where Can I Use This? | What Do I Need? |
|---|
| NGFW (Managed by PAN-OS or Panorama) |
|
To enhance security for a zone,
Packet-Based Attack Protection
allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6
packets that have certain characteristics or strips certain options from the
packets.
For example, you can drop TCP SYN and SYN-ACK packets that contain data in the
payload during a TCP three-way handshake. A Zone Protection profile by default is
set to drop SYN and SYN-ACK packets with data (you must apply the profile to the
zone).
The
TCP Fast Open option (
RFC
7413) preserves the speed of a connection setup by including data in the
payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that
use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the
profile by default is set to allow the handshake packets if they contain a valid
Fast Open cookie.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS
8.0, the three default settings will apply to each profile and the firewall will
act accordingly.
Beginning with PAN-OS 8.1.2 and later releases, you can use a CLI command (step 4 in
the PAN-OS tab) to enable the firewall to generate a Threat log when the firewall
receives and drops the following types of packets, so that you can more easily
analyze these occurrences and also fulfill audit and compliance requirements:
Furthermore, the same CLI command also enables the firewall to generate Threat logs
for the following types of packets if you enable the corresponding Packet Based
Attack Protection:
- Fragmented IP packets
- IP address spoofing
- ICMP packets larger than 1024 bytes
- Packets containing ICMP fragments
- ICMP packets embedded with an error message
- First packets for a TCP session that are not SYN packets
