SCTP Introduction
Palo Alto Networks firewalls allow you to inspect SCTP
traffic, validate messages, filter SCTP payload protocol IDs, Diameter
applications, and SS7 chunks, and protect against SCTP INIT packet
flooding.
Stream Control Transmission Protocol (SCTP—protocol
number 132) is an IP transport-layer protocol in addition to TCP
and UDP. You can think of the SCTP transport service as a layer
between the IP layer and the SCTP user application above the IP
layer in the four-layer IP stack.
You use the multilayered approach of your firewall to secure
your SCTP traffic, such as validating SCTP packets to ensure they
comply with
RFC 4960. You can filter SCTP traffic
based on payload protocol IDs (PPIDs) and you can apply granular-level
filtering on Diameter traffic over SCTP and SS7 traffic over SCTP.
You can also protect against flooding of SCTP initiation (INIT)
packets. In the case of mobile networks, these security measures
prevent attackers from causing network congestion and outages that
disrupt data and voice services of mobile subscribers and IoT devices
connected to these networks. Additionally, you can view SCTP logs,
ACC information, and reports to verify configurations and gain visibility
into the SCTP events and traffic between two endpoints.
SCTP requires content release version 785 or a later version.
You configure a supported firewall with an SCTP Protection profile
attached to a Security policy rule for a zone; the SCTP Protection
profile enforces the SCTP security feature capabilities. Firewalls
in an active/passive HA configuration support SCTP; firewalls in
an active/active HA configuration do not support SCTP. You must
enable SCTP on both the active and passive firewall or disable SCTP
on both—you cannot enable SCTP on one HA firewall and disable SCTP
on the other. SCTP firewall sessions and SCTP associations are synchronized
across peers in an active/passive HA configuration.