Zone Protection for SYN Data Payloads
You can now use a Zone Protection profile for Packet Based Attack Protection to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data.
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.
You can control how the Zone Protection profile handles these three options (SYN packets with data in the payload, SYN-ACK packets with data in the payload, and the TCP Fast Open option) independently of each other. As an alternative to the default Zone Protection behavior, you can create a Zone Protection profile to strip the TCP Fast Open option and data payload from SYN and SYN-ACK packets.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
- Create a Zone Protection profile for Packet Based Attack Protection.
- Configure the profile to drop TCP SYN and SYN-ACK packets
with data in the payload.
- Select TCP Drop.
- Select TCP SYN with Data to cause the firewall to drop SYN packets that contain data in the payload. Default is enabled.
- Select TCP SYNACK with Data to cause the firewall to drop SYN-ACK packets that contain data in the payload. Default is enabled.
- Configure the profile to preserve TCP Fast Open support.
- In the Strip TCP Option section, to allow
a SYN or SYN-ACK with data and a cookie in the TCP Fast Open option
(not strip the TCP Fast Open option or data), leave TCP
Fast Open disabled (unchecked), which is the default.In a Zone Protection profile with Flood Protection against SYN packets, you can configure the firewall to take action against a SYN flood by enabling SYN Cookies. In a zone protected by the SYN Cookies action, when the firewall receives a SYN from a client, rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server.Because the firewall responds to the client on behalf of the server, it removes all data from the SYN (including TCP Fast Open) before responding to the client with its SYN-ACK. That is, SYN Cookies does not support TCP Fast Open when the firewall acts as a SYN proxy for the server. If you need TCP Fast Open support, don’t use SYN Cookies as a SYN flood mitigation method; use Random Early Drop instead.
- Click OK.
- In the Strip TCP Option section, to allow a SYN or SYN-ACK with data and a cookie in the TCP Fast Open option (not strip the TCP Fast Open option or data), leave TCP Fast Open disabled (unchecked), which is the default.
- Apply the Zone Protection profile to a security zone
that is assigned to interfaces you want to protect.
- Select NetworkZones and select the zone where you want to assign the Zone Protection profile.
- Add the Interfaces belonging to the zone.
- For Zone Protection Profile, select the profile you created.
- Click OK.
- Commit.Click Commit.
- Troubleshoot zone protection for a zone by viewing the
TCP SYN, SYNACK and TCP Fast Open settings and the number of packets
the firewall has dropped for each setting.
> show zone-protection zone <zone-name>The following is sample output:
> show zone-protection zone user ----------------------------------------------- Number of zones with protection profile: 1 ----------------------------------------------- Zone user, vsys vsys1, profile dos-protect-syn ----------------------------------------------- IPv(4/6)filter: discard-tcp-syn-with-data enabled: yes, packet dropped: 10 discard-tcp-synack-with-data: enabled: yes, packet dropped: 20 strip-tcp-fast-open-and data: enabled: yes, packet dropped: 30
Configure Packet Based Attack Protection
Configure Packet Based Attack Protection To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ...
TCP Drop To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings. Zone Protection Profile ...
Content Inspection Changes
Content Inspection Changes PAN-OS® 8.0 has the following changes in default behavior for content inspection features: Feature Change TCP settings The defaults for the following ...
Flood Protection A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The ...
Networking Features New Networking Features Description Tunnel Content Inspection The firewall can now inspect the traffic content of cleartext tunnel protocols: Generic Routing Encapsulation (GRE) ...
Packet-Based Attack Protection
Packet-Based Attack Protection Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone ...
Flood Protection Network > Network Profiles > Zone Protection > Flood Protection Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP ...
TCP Transmission Control Protocol (TCP) ( RFC 793 ) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent ...
Building Blocks of Zone Protection Profiles
Building Blocks of Zone Protection Profiles To create a Zone Protection profile, Add a profile and name it. Zone Protection Profile Settings Configured In Description ...