Support for Custom Layer 3 and Layer 4 Threat Signatures

As part of zone security enhancements, you can now write custom threat (vulnerability) signatures based on Layer 3 and Layer 4 header fields (such as IP flags, acknowledgment numbers, etc). This enables you to provide improved vulnerability signature coverage resulting from old and deprecated TCP/IP stacks used in embedded / IoT devices.
Custom L3 & L4 vulnerability signatures are expressed through your Zone and Zone Protection profile configuration. You must specify how the firewall responds when it detects a threat.
  1. Select
    Device
    Setup
    Session
    and enable
    L3 & L4 Header Inspection
    globally on the firewall.
  2. Create a Zone Protection profile and configure the L3 & L4 header inspection settings.
    1. Select
      Network
      Network Profiles
      Zone Protection
      and either select an existing profile or
      Add
      a new profile.
    2. If you are creating a new zone protection profile, enter a
      Name
      for the profile and an optional
      Description
      .
    3. Select
      L3 & L4 Header Inspection
      to define your custom vulnerability signatures.
    4. Add
      new custom rules by defining the configuration and signature details for each entry, which are performed in their respective tabs:
      Configuration
      and
      Signature
      .
    5. Under
      Configuration
      , fill out the following required fields in the General, Properties, and Preference section.
      • Rule
        —Specify the custom rule name.
      • Threat ID
        —Enter a numeric ID between 41000 and 45000 or 6800001 and 6900000.
      • Comment
        —Optionally, add a description of the custom rule.
      • Packet Capture
        —Select a packet capture setting.
        Optionally, select
        send icmp unreachable packets if packet is dropped
        to send an ICMP unreachable response to the client upon packet loss.
      • Exempt IP
        —Enter the IP address(es) for which you do not want the custom rule to apply to.
      • Log Severity
        —Select the severity of the threat.
      • Log Interval
        —Indicates how frequently an event is logged.
      • Action
        —Choose the action to take when there is a custom signatures match. Options include alert, drop, reset-client, reset-server, and reset-both. Refer to Security Policy Actions for more information about these action settings.
      • Preference
        —Add references to provide context or related information about the custom threat signature. You can add CVEs, Bugtraq citations, 3rd party vendor IDs, or reference links to additional analysis or background information.
    6. From the
      Signature
      tab, provide a name or description of the custom vulnerability under
      Comment
      . After specifying a name, select
      Add
      to provide the custom signature details.
      • Specify a matching Or Condition. When finished, select
        Add
        to configure an And Condition and the associated values in a new window.
      • If you select a
        Less Than
        or
        Greater Than
        operator, specify a
        Context
        and a
        Value
        . The
        Equal To
        operator additionally has
        Mask
        and
        Negate
        options. Click OK when you have finished configuring the new and condition.
    7. Repeat for each matching condition that you want to add.
    8. Click
      OK
      and review your signatures. Click
      OK
      again to return to the zone protection profile.
    9. From the
      L3 & L4 Header Inspection
      tab, you can reorder, disable, and clone the custom rule entries as necessary. Click
      OK
      to exit the zone protection profile.
  3. Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.
    1. Select
      Network
      Zones
      and select the zone where you want to assign the Zone Protection profile.
    2. Add
      the
      Interfaces
      belonging to the zone.
    3. For
      Zone Protection Profile
      , select the profile you just created.
    4. Select
      Enable Net Inspection
      to enable the L3 & L4 header inspection configuration settings.
    5. Click
      OK
      .
  4. Commit
    your changes.

Recommended For You