Zone Protection for SYN Data Payloads

You can now use a Zone Protection profile for Packet Based Attack Protection to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data.
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.
You can control how the Zone Protection profile handles these three options (SYN packets with data in the payload, SYN-ACK packets with data in the payload, and the TCP Fast Open option) independently of each other. As an alternative to the default Zone Protection behavior, you can create a Zone Protection profile to strip the TCP Fast Open option and data payload from SYN and SYN-ACK packets.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
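The following is an added example, not PAN-OS code, that models the three independent checks described above on constructed TCP segments: drop SYN with data, drop SYN-ACK with data, and either allow or strip a handshake that carries the TCP Fast Open option. The TCP header layout and the Fast Open option kind (34) come from RFC 793 and RFC 7413; the profile field names, the `evaluate` and `strip_tfo_and_payload` functions, and the rule that a cookie is treated as valid when it has the RFC 7413 length of 4 to 16 bytes are assumptions of this example (the page does not describe how the firewall validates a cookie).

```python
"""Added example (not PAN-OS code): Zone Protection handshake checks on
constructed TCP segments. Names and the cookie-length rule are assumptions."""
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10
TFO_OPTION_KIND = 34          # RFC 7413 TCP Fast Open option kind
MSS_OPTION_KIND = 2


@dataclass
class ZoneProtectionProfile:
    """The three independent settings from the text, with the stated defaults."""
    drop_syn_with_data: bool = True        # TCP SYN with Data
    drop_synack_with_data: bool = True     # TCP SYNACK with Data
    strip_tcp_fast_open: bool = False      # Strip TCP Option > TCP Fast Open


def build_tcp_segment(flags, options=b"", payload=b"", sport=40000, dport=443):
    """Construct a minimal TCP segment (seq/ack/checksum zeroed) for testing."""
    options = options + b"\x00" * ((-len(options)) % 4)   # pad with EOL to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp_segment(seg):
    """Return (flags, {option_kind: value_bytes}, payload); reject malformed headers."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    offset_byte, flags = struct.unpack("!BB", seg[12:14])
    hlen = (offset_byte >> 4) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    opts, i = {}, 20
    while i < hlen:
        kind = seg[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= hlen:
            raise ValueError("truncated option")
        length = seg[i + 1]
        if length < 2 or i + length > hlen:
            raise ValueError("bad option length")
        opts[kind] = seg[i + 2:i + length]
        i += length
    return flags, opts, seg[hlen:]


def has_valid_tfo_cookie(opts):
    """Assumption: a cookie of RFC 7413 length (4-16 bytes) counts as valid.
    An empty option is a cookie request, not a cookie."""
    cookie = opts.get(TFO_OPTION_KIND)
    return cookie is not None and 4 <= len(cookie) <= 16


def evaluate(profile, seg):
    """Return 'allow', 'drop' or 'strip' for a segment under the profile."""
    flags, opts, payload = parse_tcp_segment(seg)
    is_syn = bool(flags & TCP_SYN) and not flags & TCP_ACK
    is_synack = bool(flags & TCP_SYN) and bool(flags & TCP_ACK)
    if not (is_syn or is_synack):
        return "allow"                      # not a handshake packet; checks do not apply
    if TFO_OPTION_KIND in opts:
        # Fast Open handshakes are handled separately from plain SYN/SYN-ACK with data.
        if profile.strip_tcp_fast_open:
            return "strip"                  # remove TFO option and payload, forward the rest
        if has_valid_tfo_cookie(opts):
            return "allow"
        # cookie request without a cookie: fall through to the data checks below
    if payload:
        if is_syn and profile.drop_syn_with_data:
            return "drop"
        if is_synack and profile.drop_synack_with_data:
            return "drop"
    return "allow"


def strip_tfo_and_payload(seg):
    """What the 'strip' action (and a SYN proxy such as SYN Cookies) forwards:
    the same SYN/SYN-ACK without the TFO option and without data; other
    options such as MSS are kept."""
    flags, opts, _payload = parse_tcp_segment(seg)
    kept = b"".join(bytes([k, 2 + len(v)]) + v
                    for k, v in opts.items() if k != TFO_OPTION_KIND)
    sport, dport = struct.unpack("!HH", seg[:4])
    return build_tcp_segment(flags, kept, b"", sport, dport)
```

With the default profile a SYN or SYN-ACK that carries data and no Fast Open cookie is dropped, a Fast Open handshake with a cookie and data is allowed, and a profile with the TCP Fast Open strip option enabled returns the bare handshake packet from `strip_tfo_and_payload`.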
  1. Create a Zone Protection profile for Packet Based Attack Protection.
  2. Configure the profile to drop TCP SYN and SYN-ACK packets with data in the payload.
    1. Select TCP Drop.
    2. Select TCP SYN with Data to cause the firewall to drop SYN packets that contain data in the payload. Default is enabled.
    3. Select TCP SYNACK with Data to cause the firewall to drop SYN-ACK packets that contain data in the payload. Default is enabled.
  3. Configure the profile to preserve TCP Fast Open support.
    1. In the Strip TCP Option section, leave TCP Fast Open disabled (unchecked), which is the default, so that the firewall allows a SYN or SYN-ACK that carries data and a cookie in the TCP Fast Open option rather than stripping the option and the data.
      In a Zone Protection profile with Flood Protection against SYN packets, you can configure the firewall to take action against a SYN flood by enabling SYN Cookies. In a zone protected by the SYN Cookies action, when the firewall receives a SYN from a client, rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server.
      Because the firewall responds to the client on behalf of the server, it removes all data from the SYN (including TCP Fast Open) before responding to the client with its SYN-ACK. That is, SYN Cookies does not support TCP Fast Open when the firewall acts as a SYN proxy for the server. If you need TCP Fast Open support, don’t use SYN Cookies as a SYN flood mitigation method; use Random Early Drop instead.
    2. Click OK.
  4. Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.
    1. Select Network > Zones and select the zone where you want to assign the Zone Protection profile.
    2. Add the Interfaces belonging to the zone.
    3. For Zone Protection Profile, select the profile you created.
    4. Click OK.
  5. Commit.
    Click Commit.
  6. Troubleshoot zone protection for a zone by viewing the TCP SYN, SYNACK and TCP Fast Open settings and the number of packets the firewall has dropped for each setting.
    > show zone-protection zone <zone-name>
    The following is sample output:
    > show zone-protection zone user
    ----------------------------------------------- 
    Number of zones with protection profile: 1 
    ----------------------------------------------- 
    Zone user, vsys vsys1, profile dos-protect-syn 
    ----------------------------------------------- 
    IPv(4/6)filter: 
    discard-tcp-syn-with-data enabled: yes, packet dropped: 10 
    discard-tcp-synack-with-data: enabled: yes, packet dropped: 20 
    strip-tcp-fast-open-and data: enabled: yes, packet dropped: 30 