End-of-Life (EoL)

Configure Packet Based Attack Protection

To enhance security for a zone, Packet Based Attack Protection lets you specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics, or strips certain options from those packets before forwarding them.
For example, you can drop TCP SYN and SYN-ACK packets that carry data in the payload during the TCP three-way handshake, that is, data delivered before the session is fully established. A new Zone Protection profile drops SYN and SYN-ACK packets with data by default, but nothing is enforced until you apply the profile to a zone.
TCP Fast Open (RFC 7413) speeds up connection setup by carrying data in the payload of SYN and SYN-ACK packets: a client that holds a Fast Open cookie from an earlier connection to the server sends data in its SYN and saves a round trip. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; by default the profile allows these handshake packets if they contain a valid Fast Open cookie.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three defaults (drop SYN with data, drop SYN-ACK with data, allow TCP Fast Open handshakes with a valid cookie) are applied to each existing profile, and the firewall enforces them after the upgrade. Review those profiles after upgrading if a protected zone legitimately carries data in handshake packets, because traffic that passed before may now be dropped.
  1. Create a Zone Protection profile for packet based attack protection.
    1. Select Network > Network Profiles > Zone Protection and Add a new profile.
    2. Enter a Name for the profile and an optional Description.
    3. Select Packet Based Attack Protection.
    4. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the settings you want to enforce to protect a zone.
    5. Click OK.
  2. Apply the Zone Protection profile to a security zone that is assigned to the interfaces you want to protect.
    1. Select Network > Zones and select the zone where you want to assign the Zone Protection profile.
    2. Add the Interfaces belonging to the zone.
    3. For Zone Protection Profile, select the profile you just created.
    4. Click OK.
  3. Commit.
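The following Python script is an added illustration of the per-packet decision that the three TCP Drop defaults described above express (drop SYN with data, drop SYN-ACK with data, allow a TCP Fast Open handshake that carries a well-formed cookie). It is not PAN-OS code and does not reproduce the firewall's implementation; it parses raw TCP segments (constructed inline, no IP header), walks the TCP options to find the Fast Open option (kind 34), and returns allow or drop. "Valid cookie" is modeled as "structurally valid per RFC 7413" (cookie of 4 to 16 bytes, even length), since a device in the path cannot verify the value of a cookie the server generated. All function and parameter names are the example's own.

```python
"""Model of the TCP Drop defaults (SYN/SYN-ACK with data dropped, TCP Fast Open
handshakes allowed when the cookie is well-formed). Added example, not PAN-OS
code; operates on raw TCP segments without the IP header."""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TFO_KIND = 34                              # TCP Fast Open option kind (RFC 7413)
TFO_COOKIE_MIN, TFO_COOKIE_MAX = 4, 16     # RFC 7413 cookie length bounds


def build_tcp(flags, options=b"", payload=b"", sport=40000, dport=443):
    """Build a raw TCP segment (constructed sample input, no IP header, zero checksum)."""
    options += b"\x00" * (-len(options) % 4)       # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp(segment):
    """Split a raw TCP segment into (flags, options, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return segment[13], segment[20:data_offset], segment[data_offset:]


def tfo_cookie(options):
    """Return the Fast Open cookie if the option is present and well-formed,
    b"" for a cookie request (kind 34, length 2), or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(options):
            return None                # length byte missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                # malformed option, treat as no valid cookie
        if kind == TFO_KIND:
            cookie = options[i + 2:i + length]
            if not cookie:
                return b""             # cookie request: no usable cookie yet
            # RFC 7413: option length 6..18 and even, i.e. cookie 4..16 bytes, even
            if TFO_COOKIE_MIN <= len(cookie) <= TFO_COOKIE_MAX and len(cookie) % 2 == 0:
                return cookie
            return None
        i += length
    return None


def tcp_drop_verdict(segment, drop_syn_with_data=True,
                     drop_synack_with_data=True, allow_tfo=True):
    """Return ("allow"|"drop", reason) for one segment under the profile's TCP Drop
    settings. The defaults mirror the three PAN-OS 8.0 defaults named in the text."""
    flags, options, payload = parse_tcp(segment)
    syn = bool(flags & TCP_SYN)
    ack = bool(flags & TCP_ACK)
    if not syn or not payload:
        return ("allow", "not a handshake packet carrying data")
    cookie = tfo_cookie(options)
    if allow_tfo and cookie:           # well-formed cookie present on SYN or SYN-ACK
        return ("allow", "TCP Fast Open handshake with cookie")
    if ack and drop_synack_with_data:
        return ("drop", "SYN-ACK with data")
    if not ack and drop_syn_with_data:
        return ("drop", "SYN with data")
    return ("allow", "SYN/SYN-ACK with data permitted by profile")


if __name__ == "__main__":
    cookie_opt = bytes([TFO_KIND, 10]) + b"\x11" * 8    # constructed 8-byte cookie
    request_opt = bytes([TFO_KIND, 2])                   # cookie request, no cookie
    samples = {
        "plain SYN": build_tcp(TCP_SYN),
        "SYN with data": build_tcp(TCP_SYN, payload=b"GET / HTTP/1.1\r\n"),
        "SYN-ACK with data": build_tcp(TCP_SYN | TCP_ACK, payload=b"220 hi\r\n"),
        "TFO SYN with cookie and data": build_tcp(TCP_SYN, cookie_opt, b"GET / HTTP/1.1\r\n"),
        "SYN with cookie request and data": build_tcp(TCP_SYN, request_opt, b"GET"),
    }
    for name, seg in samples.items():
        print(f"{name:36s} -> {tcp_drop_verdict(seg)}")
```

The model is per packet. A real firewall tracks the session, so a SYN-ACK that acknowledges Fast Open data without repeating the option is judged in the context of the SYN that carried the cookie; when you test a zone with the defaults in place, watch for exactly that case.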
