Packet-Based Attack Protection

Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone by:
  • Dropping packets with undesirable characteristics.
  • Stripping undesirable options from packets before admitting them to the zone.
You select the drop characteristics for each packet type when you Configure Packet Based Attack Protection.
For example, you can drop malformed IP packets, TCP SYN and SYN-ACK packets that contain data, fragmented ICMP packets, and so on. Each packet type has a set of characteristics and options that you select to control whether the firewall drops a packet. Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions includes some specific recommendations for configuring packet-based attack protection.
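The three drop characteristics named above can be expressed as header checks. The following is an added example, not the firewall's own code: a simplified IPv4-only classifier in which `drop_reason`, `ipv4`, `tcp` and the sample packets are all hypothetical names and constructed data.

```python
import struct

ICMP, TCP = 1, 6          # IPv4 protocol numbers
SYN, ACK = 0x02, 0x10     # TCP flag bits

def drop_reason(pkt):
    """Return why a raw IPv4 packet would be dropped, or None to admit it."""
    if len(pkt) < 20:
        return "malformed IP"
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(pkt):
        return "malformed IP"
    # The MF flag (0x2000) or a non-zero fragment offset marks a fragment; DF is ignored.
    fragmented = bool(flags_frag & 0x3FFF)
    if proto == ICMP and fragmented:
        return "fragmented ICMP"
    if proto == TCP and not fragmented:
        seg = pkt[ihl:total_len]
        data_off = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
        # Any bytes after the TCP header on a SYN or SYN-ACK count as data.
        if 20 <= data_off < len(seg) and seg[13] & SYN:
            return "TCP SYN or SYN-ACK with data"
    return None

def ipv4(proto, payload, flags_frag=0):
    # Constructed sample header: checksum left at 0, documentation addresses (RFC 5737).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def tcp(flags, data=b""):
    # Constructed 20-byte TCP header (data offset 5); ports and sequence numbers arbitrary.
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0) + data

SAMPLES = {  # constructed packets, one per case
    "plain SYN": ipv4(TCP, tcp(SYN)),
    "SYN with data": ipv4(TCP, tcp(SYN, b"GET /")),
    "SYN-ACK with data": ipv4(TCP, tcp(SYN | ACK, b"x")),
    "ACK with data": ipv4(TCP, tcp(ACK, b"hello")),
    "ICMP echo": ipv4(ICMP, b"\x08\x00" + bytes(6)),
    "ICMP fragment": ipv4(ICMP, b"\x08\x00" + bytes(6), flags_frag=0x2000),
    "short IHL": bytes([0x44]) + ipv4(TCP, tcp(SYN))[1:],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {drop_reason(pkt) or 'admit'}")
```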

