Packet-Based Attack Protection
Protect your network against bad IP, TCP, ICMP, IPv6, and ICMPv6 packets.
Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
- Dropping packets with undesirable characteristics.
- Stripping undesirable options from packets before admitting them to the zone.
Select the drop characteristics for each packet type when you Configure Packet Based Attack Protection. The best practices for each IP protocol are:
- IP Drop—Drop Unknown and Malformed packets. Also drop Strict Source Routing and Loose Source Routing because these options let adversaries bypass Security policy rules that use the Destination IP address as the matching criteria. For internal zones only, check Spoofed IP Address so only traffic with a source address that matches the firewall routing table can access the zone.
- TCP Drop—Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP Timestamp from packets.
  Enabling Rematch Sessions (Device > Setup > Session > Session Settings) is a best practice that applies newly configured or edited Security policy rules to existing sessions once they are committed. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change the selection from Global to No); otherwise, when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile to disable Reject Non-SYN TCP only on zones that have Tunnel Content Inspection policies and only when you enable Rematch Sessions.
- ICMP Drop—There are no standard best practice settings because dropping ICMP packets depends on how you use ICMP (or if you use ICMP). For example, if you want to block ping activity, you can block ICMP Ping ID 0.
- IPv6 Drop—If compliance matters, ensure that the firewall drops packets with non-compliant routing headers, extensions, etc.
- ICMPv6 Drop—If compliance matters, ensure that the firewall drops certain packets if the packets don’t match a Security policy rule.
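The following Python sketch is an added example, not Palo Alto Networks code and not a description of how the firewall is implemented. It classifies a raw IPv4 packet against some of the drop categories named above to show what each one keys on in the headers. The option numbers 131 and 137 come from RFC 791; the function names, sample addresses and the simplified Malformed check are assumptions, and all packets are constructed.

```python
import struct

LSRR, SSRR = 131, 137   # IPv4 option types for loose/strict source routing (RFC 791)

def build_ipv4(options=b"", payload=b"", proto=6):
    """Build a constructed IPv4 packet (checksum left at zero) for testing."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

def build_tcp(flags, data=b""):
    """Build a constructed 20-byte TCP header followed by optional data."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 8192, 0, 0) + data

def drop_reasons(pkt):
    """Return the drop categories (named as on this page) that the packet hits."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["Malformed"]
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt) or total < ihl or total > len(pkt):
        return ["Malformed"]
    reasons, i = [], 20
    while i < ihl:                                # walk the IPv4 options area
        opt = pkt[i]
        if opt == 0:                              # End of Option List
            break
        if opt == 1:                              # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            return ["Malformed"]                  # option length overruns the header
        if opt == SSRR:
            reasons.append("Strict Source Routing")
        elif opt == LSRR:
            reasons.append("Loose Source Routing")
        i += pkt[i + 1]
    first_frag = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF == 0
    if pkt[9] == 6 and first_frag and total - ihl >= 20:
        tcp = pkt[ihl:total]
        flags, doff = tcp[13], (tcp[12] >> 4) * 4
        if doff >= 20 and flags & 0x02 and len(tcp) > doff:   # SYN carrying payload
            reasons.append("TCP SYNACK with Data" if flags & 0x10 else "TCP SYN with Data")
    return reasons
```
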