End-of-Life (EoL)
TCP Drop
To instruct the firewall what to do with certain TCP
packets it receives in the zone, specify the following settings.
Zone Protection Profile Settings—Packet Based Attack Protection | Configured In | Description |
|---|---|---|
Mismatched overlapping TCP segment | Network Network Profiles Zone Protection Packet Based Attack Protection TCP Drop | Attackers can construct connections with
overlapping but different data in them to cause misinterpretation
of the connection. Attackers can use IP spoofing and sequence number
prediction to intercept a user’s connection and inject their own
data. Use this setting to report an overlap mismatch and drop the
packet when segment data does not match in these scenarios:
This
protection mechanism uses sequence numbers to determine where packets
reside within the TCP data stream. |
Split Handshake | Prevent a TCP session from being established
if the session establishment procedure does not use the well-known three-way
handshake. A four-way or five-way split handshake or a simultaneous
open session establishment procedure are examples of variations
that would not be allowed. The Palo Alto Networks next-generation
firewall correctly handles sessions and all Layer 7 processes for
split handshake and simultaneous open session establishment without
configuring Split Handshake . When this is configured
for a zone protection profile and the profile is applied to a zone,
TCP sessions for interfaces in that zone must be established using
the standard three-way handshake; the variations are not allowed. | |
TCP SYN with Data | Prevent a TCP session from being established
if the TCP SYN packet contains data during a three-way handshake. Enabled
by default. | |
TCP SYNACK with Data | Prevent a TCP session from being established
if the TCP SYN-ACK packet contains data during a three-way handshake.
Enabled by default. | |
Reject Non-SYN TCP | Determine whether to reject the packet if
the first packet for the TCP session setup is not a SYN packet:
Allowing
non-SYN TCP traffic may prevent file blocking policies from working
as expected in cases where the client and/or server connection is
not set after the block occurs. | |
Asymmetric Path | Determine whether to drop or bypass packets
that contain out-of-sync ACKs or out-of-window sequence numbers:
| |
Strip TCP Options | Determine whether to strip the TCP Timestamp
or TCP Fast Open option from TCP packets. | |
TCP Timestamp | Network Network Profiles Zone Protection Packet Based Attack Protection TCP Drop | Determine whether the packet has a TCP timestamp
in the header and, if it does, strip the timestamp from the header. |
TCP Fast Open | Strip the TCP Fast Open option (and data
payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way
handshake. When this is cleared (disabled), the TCP Fast Open
option is allowed, which preserves the speed of a connection setup
by including data delivery. This functions independently of the TCP
SYN with Data and TCP SYN-ACK with Data. Disabled by default. | |
Multipath TCP (MPTCP) Options | MPTCP is an extension of TCP that allows
a client to maintain a connection by simultaneously using multiple paths
to connect to the destination host. By default, MPTCP support is
disabled, based on the global MPTCP setting. Review or adjust
the MPTCP settings for the security zones associated with this profile:
|
Recommended For You
Recommended Videos
Recommended videos not found.
