Support for Custom Layer 3 and Layer 4 Threat Signatures
As part of zone security enhancements, you can now write custom threat (vulnerability) signatures based on Layer 3 and Layer 4 header fields (such as IP flags, acknowledgment numbers, and so on). This lets you provide improved vulnerability signature coverage for the old and deprecated TCP/IP stacks used in embedded and IoT devices.

Custom L3 & L4 vulnerability signatures are expressed through your Zone and Zone Protection profile configuration. You must specify how the firewall responds when it detects a threat.

Step 1. Enable L3 & L4 Header Inspection globally on the firewall.

Step 2. Create a Zone Protection profile and configure the L3 & L4 header inspection settings.

  a. Either select an existing Zone Protection profile or Add a new profile.

  b. If you are creating a new Zone Protection profile, enter a Name for the profile and an optional Description.

  c. Select L3 & L4 Header Inspection to define your custom vulnerability signatures.

  d. Add new custom rules by defining the configuration and signature details for each entry in their respective tabs: Configuration and Signature.

  e. Under Configuration, fill out the following required fields in the General, Properties, and Preference sections:

     Rule: Specify the custom rule name.

     Threat ID: Enter a numeric ID between 41000 and 45000 or between 6800001 and 6900000.

     Comment: Optionally, add a description of the custom rule.

     Packet Capture: Select a packet capture setting. Optionally, select the send icmp unreachable packets if packet is dropped option to send an ICMP unreachable response to the client when the packet is dropped.

     Exempt IP: Enter the IP address(es) to which you do not want the custom rule to apply.

     Log Severity: Select the severity of the threat.

     Log Interval: Indicates how frequently an event is logged.

     Action: Choose the action to take when a custom signature matches. Options include alert, drop, reset-client, reset-server, and reset-both. Refer to Security Policy Actions for more information about these action settings.

     Preference: Add references to provide context or related information about the custom threat signature. You can add CVEs, Bugtraq citations, third-party vendor IDs, or reference links to additional analysis or background information.

  f. From the Signature tab, provide a name or description of the custom vulnerability under Comment. After specifying a name, select Add to provide the custom signature details.

  g. Specify a matching Or Condition. When finished, select Add to configure an And Condition and the associated values in a new window.

     If you select a Less Than or Greater Than operator, specify a Context and a Value.

     The Equal To operator additionally has Mask and Negate options.

     Click OK when you have finished configuring the new And Condition. Repeat for each matching condition that you want to add.

  h. Click OK and review your signatures. Click OK again to return to the Zone Protection profile.

  i. From the L3 & L4 Header Inspection tab, you can reorder, disable, and clone the custom rule entries as necessary.

  j. Click OK to exit the Zone Protection profile.

Step 3. Apply the Zone Protection profile to a security zone that is assigned to the interfaces you want to protect.

  a. Select the zone where you want to assign the Zone Protection profile.

  b. Add the Interfaces belonging to the zone.

  c. For Zone Protection Profile, select the profile you just created.

  d. Select Enable Net Inspection to enable the L3 & L4 header inspection configuration settings.
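As an added illustration (not Palo Alto Networks code or documentation), the following Python models how a custom rule built from the fields above is evaluated: an Or Condition made of And Conditions, each using Less Than, Greater Than, or Equal To with Mask and Negate, plus the Exempt IP check and the configured Action. The packet builder, the context names, the masked Equal To semantics and the sample threat ID 41001 are assumptions for the example.

```python
import struct
from dataclasses import dataclass, field

def build_packet(ip_flags: int, tcp_flags: int, ack: int = 0) -> bytes:
    # Constructed sample, not a real capture: minimal IPv4 + TCP header, checksums left 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags << 13, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!HHIIHHHH", 40000, 80, 1, ack, (5 << 12) | tcp_flags, 8192, 0, 0)

def parse_headers(pkt: bytes) -> dict:
    # Header fields become named "contexts"; these context names are assumptions.
    ihl = (pkt[0] & 0x0F) * 4
    ctx = {"ip-ttl": pkt[8], "ip-protocol": pkt[9], "ip-flags": pkt[6] >> 5}
    if pkt[9] == 6:  # TCP: src port, dst port, seq, ack, data-offset+flags
        sp, dp, _, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        ctx.update({"tcp-src-port": sp, "tcp-dst-port": dp, "tcp-ack": ack, "tcp-flags": off_flags & 0x1FF})
    return ctx

@dataclass
class Condition:  # one And Condition
    context: str
    operator: str            # "less-than", "greater-than" or "equal-to"
    value: int
    mask: int = 0xFFFFFFFF   # Equal To only; assumed semantics: (field & mask) == value
    negate: bool = False     # Equal To only: invert the comparison result
    def matches(self, ctx: dict) -> bool:
        v = ctx.get(self.context)
        if v is None:        # context absent from this packet (e.g. a TCP field on UDP)
            return False
        if self.operator != "equal-to":
            return v < self.value if self.operator == "less-than" else v > self.value
        return ((v & self.mask) == self.value) != self.negate

@dataclass
class Rule:  # a custom rule: a list of Or Conditions, each a list of And Conditions
    name: str
    threat_id: int           # custom range: 41000-45000 or 6800001-6900000
    action: str              # alert, drop, reset-client, reset-server or reset-both
    or_conditions: list
    exempt_ips: set = field(default_factory=set)
    def evaluate(self, pkt: bytes, src_ip: str):  # the configured action on a match, else None
        if src_ip in self.exempt_ips:
            return None
        ctx = parse_headers(pkt)
        return self.action if any(all(c.matches(ctx) for c in g) for g in self.or_conditions) else None

# Constructed rule (41001 is a sample ID): SYN and FIN both set, OR the reserved IP flag bit set.
SYN_FIN_RULE = Rule("syn-fin-or-reserved-bit", 41001, "drop", [
    [Condition("ip-protocol", "equal-to", 6), Condition("tcp-flags", "equal-to", 0x03, mask=0x03)],
    [Condition("ip-flags", "equal-to", 0x4, mask=0x4)]])
```

Each Or Condition group matches only when all of its And Conditions match, so the rule fires on either malformed-packet pattern while a packet from an Exempt IP is never evaluated.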