To instruct the firewall what to do with certain IP packets it receives in the zone, specify the following settings.
Zone Protection Profile Settings—Packet Based Attack Protection
Spoofed IP address
NetworkNetwork ProfilesZone ProtectionPacket Based Attack ProtectionIP Drop
Discard packets with a spoofed IP address.
Strict IP Address Check
Discard packets with malformed source or destination IP addresses. For example, discard packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use.
For a firewall in Common Criteria (CC) mode, you can enable logging for discarded packets. On the firewall web interface, select DeviceLog Settings. In the Manage Logs section, select Selective Audit and enable Packet Drop Logging.
Discard fragmented IP packets.
IP Option Drop
Select the settings in this group to enable the firewall to drop packets containing these IP Options.
Strict Source Routing
Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
Loose Source Routing
Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
Discard packets with the Timestamp IP option set.
Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
Discard packets if the security option is defined.
Discard packets if the Stream ID option is defined.
Discard packets if the class and number are unknown.
Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
IPv6 Drop To instruct the firewall to drop certain IPv6 packets it receives in the zone, select the following settings to enable them. Zone Protection ...
Best Practices for Securing Your Network from Layer 4 and L...
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions To monitor and protect your network from most Layer 4 and Layer ...
ICMP Drop To instruct the firewall to drop certain ICMP packets it receives in the zone, select the following settings to enable them. Zone Protection ...
Packet-Based Attack Protection
Packet-Based Attack Protection Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone ...
Configure Tunnel Content Inspection
Configure Tunnel Content Inspection Perform this task to configure tunnel content inspection for a tunnel protocol that you allow in a tunnel. Create a Security ...
Networking Features New Networking Features Description Tunnel Content Inspection The firewall can now inspect the traffic content of cleartext tunnel protocols: Generic Routing Encapsulation (GRE) ...
Create a Policy-Based Forwarding Rule
Create a Policy-Based Forwarding Rule Use a PBF rule to direct traffic to a specific egress interface on the firewall and override the default path ...
How Do the Zone Defense Tools Work?
How Do the Zone Defense Tools Work? When a packet arrives at the firewall, the firewall attempts to match the packet to an existing session, ...
Building Blocks in a Tunnel Inspection Policy
Building Blocks in a Tunnel Inspection Policy The following table describes the fields you configure for a Tunnel Inspection policy. Building Blocks in a Tunnel ...