Support for Custom Layer 3 and Layer 4 Threat Signatures
As part of zone security enhancements, you
can now write custom threat (vulnerability) signatures based on
Layer 3 and Layer 4 header fields (such as IP flags, acknowledgment numbers,
etc). This enables you to provide improved vulnerability signature
coverage resulting from old and deprecated TCP/IP stacks used in
embedded / IoT devices.
Custom L3 & L4 vulnerability signatures
are expressed through your Zone and Zone Protection profile configuration.
You must specify how the firewall responds when it detects a threat.
Create a Zone Protection profile and configure the L3
& L4 header inspection settings.
either select an existing profile or
If you are creating a new zone protection profile,
for the profile and an optional
L3 & L4 Header Inspection
define your custom vulnerability signatures.
new custom rules by defining
the configuration and signature details for each entry, which are
performed in their respective tabs:
, fill out
the following required fields in the General, Properties, and Preference
—Specify the custom
—Enter a numeric ID between
41000 and 45000 or 6800001 and 6900000.
—Optionally, add a description
of the custom rule.
—Select a packet capture
send icmp unreachable
packets if packet is dropped
to send an ICMP unreachable
response to the client upon packet loss.
—Enter the IP address(es)
for which you do not want the custom rule to apply to.
—Select the severity of
—Indicates how frequently
an event is logged.
—Choose the action to take when
there is a custom signatures match. Options include alert, drop,
reset-client, reset-server, and reset-both. Refer to Security Policy Actions for
more information about these action settings.
—Add references to provide
context or related information about the custom threat signature.
You can add CVEs, Bugtraq citations, 3rd party vendor IDs, or reference
links to additional analysis or background information.
a name or description of the custom vulnerability under
After specifying a name, select
the custom signature details.
Specify a matching Or Condition. When finished,
to configure an And Condition
and the associated values in a new window.
If you select a
operator additionally has
Click OK when you have finished configuring the new and condition.
Repeat for each matching condition that you want to
and review your signatures.
again to return to the zone protection
L3 & L4 Header Inspection
you can reorder, disable, and clone the custom rule entries as necessary.
to exit the zone protection profile.
Apply the Zone Protection profile to a security zone
that is assigned to interfaces you want to protect.
and select the zone where
you want to assign the Zone Protection profile.
to the zone.
Zone Protection Profile
select the profile you just created.
Enable Net Inspection
enable the L3 & L4 header inspection configuration settings.