To enhance security for a zone, Packet-Based Attack Protection allows
you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or
ICMPv6 packets that have certain characteristics or strips certain options
from the packets.
For example, you can drop TCP SYN and SYN-ACK
packets that contain data in the payload during a TCP three-way
handshake. A Zone Protection profile by default is set to drop SYN
and SYN-ACK packets with data (you must apply the profile to the zone).
The TCP Fast Open option (RFC 7413) preserves the
speed of a connection setup by including data in the payload of
SYN and SYN-ACK packets. A Zone Protection profile treats handshakes
that use the TCP Fast Open option separately from other SYN and
SYN-ACK packets; the profile by default is set to allow the handshake
packets if they contain a valid Fast Open cookie.
If you have existing Zone Protection profiles in place when you upgrade
to PAN-OS 8.0, these three default settings (drop SYN packets with data,
drop SYN-ACK packets with data, and allow Fast Open handshake packets with
a valid cookie) apply to each profile and the firewall acts accordingly.
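The SYN/SYN-ACK-with-data rule and the Fast Open exception described above come down to three checks on a handshake segment: is SYN set, is there payload, and does the segment carry a TCP Fast Open option (option kind 34, RFC 7413) with a cookie. The following Python script is an added illustration and not PAN-OS code: it parses a raw TCP segment, applies the profile defaults described above, and returns a verdict. It assumes that "valid Fast Open cookie" means at least the structural check RFC 7413 specifies (a cookie of 4 to 16 bytes); the firewall's actual validation logic is not stated on this page. The sample segments are constructed inside the script.

```python
"""Apply the default Zone Protection handshake checks to a raw TCP segment.

Added example, not PAN-OS code. Verdicts:
  "allow"      - SYN/SYN-ACK without data, or a non-handshake segment
  "drop"       - SYN/SYN-ACK with data and no structurally valid TFO cookie
  "allow-tfo"  - SYN/SYN-ACK with data and a TFO option carrying a 4..16 byte cookie
"""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TFO_OPTION_KIND = 34          # TCP Fast Open option kind (RFC 7413)
TFO_COOKIE_MIN, TFO_COOKIE_MAX = 4, 16   # cookie length bounds from RFC 7413


def parse_tcp_options(raw):
    """Return a list of (kind, value) tuples from the TCP options area."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment):
    """Extract flags, options and payload from a TCP segment (header + data)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    _src, _dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4    # header length in bytes
    flags = off_flags & 0x1FF              # 9 flag bits (NS..FIN)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "flags": flags,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def tfo_cookie(options):
    """Return the TFO cookie bytes (b'' for a cookie request), or None if absent."""
    for kind, value in options:
        if kind == TFO_OPTION_KIND:
            return value
    return None


def handshake_verdict(segment):
    """Decide drop/allow for a segment under the profile defaults described above."""
    seg = parse_tcp(segment)
    if not seg["flags"] & TCP_SYN:
        return "allow"        # not a SYN/SYN-ACK; other profile checks are out of scope here
    if not seg["payload"]:
        return "allow"        # handshake packet without data
    cookie = tfo_cookie(seg["options"])
    if cookie is None:
        return "drop"         # data in SYN/SYN-ACK without Fast Open: dropped by default
    # Assumption: "valid" is taken as the RFC 7413 structural bound. A zero-length
    # option (cookie request) therefore does not excuse data in the SYN.
    if TFO_COOKIE_MIN <= len(cookie) <= TFO_COOKIE_MAX:
        return "allow-tfo"
    return "drop"


def tfo_option(cookie):
    """Encode a TFO option: kind 34, length = 2 + cookie length, cookie bytes."""
    return bytes([TFO_OPTION_KIND, 2 + len(cookie)]) + cookie


def build_segment(flags, options=b"", payload=b""):
    """Construct a sample TCP segment (ports and sequence numbers are made up)."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # pad to 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + opts + payload


if __name__ == "__main__":
    samples = {
        "SYN, no data": build_segment(TCP_SYN),
        "SYN with data, no TFO": build_segment(TCP_SYN, payload=b"GET / "),
        "SYN with data + 8-byte TFO cookie": build_segment(TCP_SYN, tfo_option(b"\x11" * 8), b"GET / "),
        "SYN-ACK with data + TFO cookie": build_segment(TCP_SYN | TCP_ACK, tfo_option(b"\x22" * 8), b"hi"),
        "SYN with data + 2-byte cookie": build_segment(TCP_SYN, tfo_option(b"\x33\x44"), b"x"),
    }
    for name, seg in samples.items():
        print(f"{name:40s} -> {handshake_verdict(seg)}")
```

Running the script prints one verdict per constructed sample; the same functions can be pointed at segments captured from a real trace to check which handshakes the default profile would have dropped.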
In PAN-OS 8.1.2 and later releases, you can use a CLI command (Step
4 in this task) to enable the firewall to generate a Threat log
when the firewall receives and drops the following types of packets,
so that you can more easily analyze these occurrences and also fulfill
audit and compliance requirements:
Teardrop attack
DoS attack using ping of death
The same CLI command also enables the firewall to generate Threat
logs for the following types of packets if you enable the corresponding
Packet-Based Attack Protection:
Fragmented IP packets
IP address spoofing
ICMP packets larger than 1024 bytes
Packets containing ICMP fragments
ICMP packets embedded with an error message
First packets for a TCP session that are not SYN packets
Create a Zone Protection profile and configure Packet-Based
Attack Protection settings.
Apply the Zone Protection profile to a security zone
that is assigned to interfaces you want to protect.
Select the zone where you want to assign the Zone Protection profile,
and apply the profile to the zone: for Zone Protection Profile,
select the profile you just created.
(PAN-OS 8.1.2 and later releases) Enable the
firewall to generate Threat logs for a teardrop attack and a DoS
attack using ping of death, and also generate Threat logs for the
types of packets listed above if you enable the corresponding packet-based
attack protection (in Step 1). For example, if you enable packet-based
attack protection for Spoofed IP address, entering the following CLI
command causes the firewall to generate a Threat
log when the firewall receives and drops a packet with a spoofed