Configure Packet Based Attack Protection
To enhance security for a zone, Packet-Based Attack Protection allows
you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or
ICMPv6 packets that have certain characteristics or strips certain
options from the packets.
For example, you can drop TCP SYN
and SYN-ACK packets that contain data in the payload during a TCP
three-way handshake. A Zone Protection profile by default is set
to drop SYN and SYN-ACK packets with data (you must apply the profile
to the zone).
The TCP Fast Open option (RFC 7413) preserves the speed of a connection
setup by including data in the payload of SYN and SYN-ACK packets.
A Zone Protection profile treats handshakes that use the TCP Fast
Open option separately from other SYN and SYN-ACK packets; the profile
by default is set to allow the handshake packets if they contain
a valid Fast Open cookie.
If you have existing Zone
Protection profiles in place when you upgrade to PAN-OS 8.0, the
three default settings will apply to each profile and the firewall
will act accordingly.
Beginning with PAN-OS 8.1.2 and
later releases, you can use a CLI command (Step 4 in this task)
to enable the firewall to generate a Threat log when the firewall receives
and drops the following types of packets, so that you can more easily analyze
these occurrences and also fulfill audit and compliance requirements:
- Teardrop attack
- DoS attack using ping of death
Furthermore,
the same CLI command also enables the firewall to generate Threat logs
for the following types of packets if you enable the corresponding
Packet Based Attack Protection:
- Fragmented IP packets
- IP address spoofing
- ICMP packets larger than 1024 bytes
- Packets containing ICMP fragments
- ICMP packets embedded with an error message
- First packets for a TCP session that are not SYN packets
- Create a Zone Protection profile and configure
Packet-Based Attack Protection settings.
- Select NetworkNetwork ProfilesZone Protection and Add a new profile.
- Enter a Name for the profile and an optional Description.
- Select Packet Based Attack Protection.
- On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the Packet-Based Attack Protection settings you want to enforce to protect a zone.
- Click OK.
- Apply the Zone Protection profile to a security zone
that is assigned to interfaces you want to protect.
- Select NetworkZones and select the zone where you want to assign the Zone Protection profile.
- Add the Interfaces belonging to the zone.
- For Zone Protection Profile, select the profile you just created.
- Click OK.
- Commit your changes.
- (PAN-OS 8.1.2 and later releases) Enable the
firewall to generate Threat logs for a teardrop attack and a DoS
attack using ping of death, and also generate Threat logs for the
types of packets listed above if you enable the corresponding packet-based
attack protection (in Step 1). For example, if you enable packet-based
attack protection for Spoofed IP address,
using the following CLI causes the firewall to generate a Threat
log when the firewall receives and drops a packet with a spoofed
IP address.
- Access the CLI.
- Use the operational CLI command set systemsetting additional-threat-log on.
Default is off.To display the Threat name in the Threat log, you must use content update version 8027 or later; otherwise, the Threat ID number displays in the log.
Related Documentation
Packet-Based Attack Protection
Protect your network against bad IP, TCP, ICMP, IPv6, and ICMPv6 packets. ...
Flood Protection
Flood Protection Network > Network Profiles > Zone Protection > Flood Protection Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, SCTP INIT, ...
Zone Protection for a Virtual Wire Interface
You can provide virtual wire interfaces with zone protection; a few packet-based attack protections that are based on IP addresses don’t apply to virtual wire ...
Deploy DoS and Zone Protection Using Best Practices
DoS and Zone Protection deployment best practices help to ensure a smooth rollout that protects your network and your most critical servers. ...
ICMP
ICMP Internet Control Message Protocol (ICMP) ( RFC 792 ) is another one of the main protocols of the Internet Protocol suite; it operates at ...
Flood Protection
Flood Protection Network > Network Profiles > Zone Protection > Flood Protection Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, SCTP INIT, ...
Networking Features
PAN-OS® 8.1 includes Tunnel Content Inspection Logging, Dynamic IP Address Support for Destination NAT, FQDN Support for IKE Gateway Peer IP Address, Configuration Capacity Improvements, ...
TCP Drop
TCP Drop To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings. Zone Protection Profile ...