Focus

Configure Packet Based Attack Protection

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Configure Reconnaissance Protection

Configure Protocol Protection

Configure Packet Based Attack Protection

To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets.

For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).

The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.

If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.

Beginning with PAN-OS 8.1.2 and later releases, you can use a CLI command (Step 4 in this task) to enable the firewall to generate a Threat log when the firewall receives and drops the following types of packets, so that you can more easily analyze these occurrences and also fulfill audit and compliance requirements:

Teardrop attack

DoS attack using ping of death

Furthermore, the same CLI command also enables the firewall to generate Threat logs for the following types of packets if you enable the corresponding Packet Based Attack Protection:

Fragmented IP packets

IP address spoofing

ICMP packets larger than 1024 bytes

Packets containing ICMP fragments

ICMP packets embedded with an error message

First packets for a TCP session that are not SYN packets

Create a Zone Protection profile and configure Packet-Based Attack Protection settings.

Select

Network

Network Profiles

Zone Protection

and

Add

a new profile.

Enter a

Name

for the profile and an optional

Description

Select

Packet Based Attack Protection

On each tab (

IP Drop

TCP Drop

ICMP Drop

IPv6 Drop

, and

ICMPv6 Drop

), select the Packet-Based Attack Protection settings you want to enforce to protect a zone.

Click

Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.

Select

Network

Zones

and select the zone where you want to assign the Zone Protection profile.

Add

the

Interfaces

belonging to the zone.

For

Zone Protection Profile

, select the profile you just created.

Click

Commit

your changes.

(PAN-OS 8.1.2 and later releases) Enable the firewall to generate Threat logs for a teardrop attack and a DoS attack using ping of death, and also generate Threat logs for the types of packets listed above if you enable the corresponding packet-based attack protection (in Step 1). For example, if you enable packet-based attack protection for

Spoofed IP address

, using the following CLI causes the firewall to generate a Threat log when the firewall receives and drops a packet with a spoofed IP address.

Access the CLI.

Use the operational CLI command

set system setting additional-threat-log on

. Default is

off

Configure Reconnaissance Protection

Configure Protocol Protection

Next-Generation Firewall Docs

Configure Packet Based Attack Protection

Next-Generation Firewall Docs

Configure Packet Based Attack Protection

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner