Configure Packet Based Attack Protection
To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets.
For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
- Create a Zone Protection profile for packet based
- Select NetworkNetwork ProfilesZone Protection and Add a new profile.
- Enter a Name for the profile and an optional Description.
- Select Packet Based Attack Protection.
- On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the settings you want to enforce to protect a zone.
- Click OK.
- Apply the Zone Protection profile to a security zone
that is assigned to interfaces you want to protect.
- Select NetworkZones and select the zone where you want to assign the Zone Protection profile.
- Add the Interfaces belonging to the zone.
- For Zone Protection Profile, select the profile you just created.
- Click OK.
- Commit.Click Commit.
Zone Protection for SYN Data Payloads
Zone Protection for SYN Data Payloads You can now use a Zone Protection profile for Packet Based Attack Protection to drop TCP SYN and SYN-ACK ...
TCP Drop To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings. Zone Protection Profile ...
Packet-Based Attack Protection
Packet-Based Attack Protection Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone ...
Content Inspection Changes
Content Inspection Changes PAN-OS® 8.0 has the following changes in default behavior for content inspection features: Feature Change TCP settings The defaults for the following ...
Building Blocks of Zone Protection Profiles
Building Blocks of Zone Protection Profiles To create a Zone Protection profile, Add a profile and name it. Zone Protection Profile Settings Configured In Description ...
Flood Protection A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The ...
Networking Features New Networking Features Description Tunnel Content Inspection The firewall can now inspect the traffic content of cleartext tunnel protocols: Generic Routing Encapsulation (GRE) ...
Prevent TCP Split Handshake Session Establishment
Prevent TCP Split Handshake Session Establishment You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being ...
Flood Protection Network > Network Profiles > Zone Protection > Flood Protection Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP ...