To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets. For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
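The following is an added example, not PAN-OS code or any vendor logic, that shows the distinction the two handshake defaults above draw: a SYN or SYN-ACK with payload is dropped, unless it also carries a TCP Fast Open option (RFC 7413, option kind 34) with a well-formed cookie. It parses a raw TCP segment from constructed bytes; "valid" is approximated here as a cookie of the RFC-specified length (4 to 16 bytes), since only the server that issued a cookie can judge whether it is genuine.

```python
import struct

SYN, ACK = 0x02, 0x10
TFO_KIND = 34  # TCP Fast Open option, RFC 7413


def parse_tcp_options(raw: bytes) -> dict:
    """Parse the TCP option area into {kind: value}, honouring EOL and NOP."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        opts[kind] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return opts


def classify_handshake_segment(segment: bytes) -> str:
    """Return 'drop' or 'allow' for a raw TCP segment (header + payload).

    A SYN or SYN-ACK carrying payload is dropped unless it also carries a
    Fast Open option whose cookie has a well-formed length (4..16 bytes).
    """
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    if not 20 <= data_offset <= len(segment):
        raise ValueError("bad data offset")
    payload = segment[data_offset:]
    if not (flags & SYN) or not payload:
        return "allow"           # not a handshake packet, or no data: untouched
    cookie = parse_tcp_options(segment[20:data_offset]).get(TFO_KIND)
    if cookie is not None and 4 <= len(cookie) <= 16:
        return "allow"           # data in SYN/SYN-ACK with a well-formed TFO cookie
    return "drop"                # data in SYN/SYN-ACK without TFO (or empty cookie request)


def build_segment(flags: int, payload: bytes = b"", tfo_cookie=None) -> bytes:
    """Construct a TCP segment for testing (constructed sample, not captured traffic)."""
    opts = b""
    if tfo_cookie is not None:
        opts = bytes([TFO_KIND, 2 + len(tfo_cookie)]) + tfo_cookie
    opts += b"\x01" * (-len(opts) % 4)        # NOP-pad to a 32-bit boundary
    offset_words = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset_words << 4, flags, 65535, 0, 0)
    return header + opts + payload
```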
Create a Zone Protection profile for packet based
for the profile
and an optional
Packet Based Attack Protection
On each tab (
the settings you want to enforce to protect a zone.
Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.
and select the zone where you want to assign the Zone Protection profile.