To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings.
Zone Protection Profile Settings—Packet Based Attack Protection
Mismatched overlapping TCP segment
Packet Based Attack Protection
Attackers can construct connections with overlapping but different data in them to cause misinterpretation of the connection. Attackers can use IP spoofing and sequence number prediction to intercept a user’s connection and inject their own data. Use this setting to report an overlap mismatch and drop the packet when segment data does not match in these scenarios:
This protection mechanism uses sequence numbers to determine where packets reside within the TCP data stream.
Drop packets with mismatched overlapping TCP segments.
Prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake. A four-way or five-way split handshake or a simultaneous open session establishment procedure are examples of variations that would not be allowed.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without configuring
Split Handshake. When this is configured for a zone protection profile and the profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; the variations are not allowed.
Drop packets with split handshakes.
TCP SYN with Data
Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake. Enabled by default.
TCP SYNACK with Data
Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake. Enabled by default.
Reject Non-SYN TCP
Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
Allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs.
If you configure Tunnel Content Inspection on a zone and enable
Rematch Sessions, then for that zone only, disable
Reject Non-SYN TCPso that enabling or editing a Tunnel Content Inspection policy doesn’t cause the firewall to drop existing tunnel sessions.
Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
Strip TCP Options
Determine whether to strip the TCP Timestamp or TCP Fast Open option from TCP packets.
Packet Based Attack Protection
Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
Strip the TCP timestamp from packets that have it to prevent a timestamp DoS attack.
TCP Fast Open
Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
When this is cleared (disabled), the TCP Fast Open option is allowed, which preserves the speed of a connection setup by including data delivery. This functions independently of the TCP SYN with Data and TCP SYN-ACK with Data. Disabled by default.
Multipath TCP (MPTCP) Options
MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting.
Review or adjust the MPTCP settings for the security zones associated with this profile:
Recommended For You
Recommended videos not found.