SCTP Introduction

Palo Alto Networks® firewalls allow you to inspect SCTP traffic, validate messages, filter SCTP payload protocol IDs, Diameter applications, and SS7 chunks, and protect against SCTP INIT packet flooding.
Stream Control Transmission Protocol (SCTP—protocol number 132) is an IP transport-layer protocol alongside TCP and UDP. In the four-layer IP stack, the SCTP transport service sits between the IP layer and the SCTP user application above it. An SCTP packet consists of a common SCTP header followed by a variable number of chunks, each of which is either a control chunk or a data chunk carrying encapsulated user data.
Your firewall secures SCTP traffic in layers. It validates SCTP packets to ensure they comply with RFC 4960, filters SCTP traffic by payload protocol ID (PPID), applies granular filtering to Diameter traffic over SCTP and SS7 traffic over SCTP, and protects against flooding of SCTP initiation (INIT) packets. In mobile networks, these measures prevent attackers from causing the network congestion and outages that disrupt data and voice services for mobile subscribers and IoT devices connected to those networks. You can also view SCTP logs, ACC information, and reports to verify configurations and gain visibility into SCTP events and the traffic between two endpoints.
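To make the packet layout and the checks above concrete, here is an added example (not Palo Alto Networks code) that parses the common header and chunk list, rejects two RFC 4960 violations (a DATA chunk with no user data, an INIT bundled with other chunks or carrying a non-zero verification tag), and reports any DATA-chunk PPIDs that are not on an allow list. The PPID values for M3UA and Diameter are assumed from the IANA registry, the CRC32c checksum is left unverified, and the sample packets are constructed.

```python
import struct

SCTP_DATA, SCTP_INIT = 0, 1
PPID_M3UA, PPID_DIAMETER = 3, 46  # IANA SCTP PPIDs (assumed): M3UA carries SS7, 46 is Diameter
MIN_LEN = {SCTP_DATA: 17, SCTP_INIT: 20}  # RFC 4960 minimum lengths; DATA needs >= 1 data byte

def build_chunk(ctype, flags, value):
    """Encode one chunk: 4-byte header, value, then padding to a 4-byte boundary."""
    return struct.pack("!BBH", ctype, flags, 4 + len(value)) + value + b"\0" * (-len(value) % 4)

def build_packet(src, dst, vtag, *chunks):
    """Common header (checksum left 0; CRC32c omitted for brevity) followed by chunks."""
    return struct.pack("!HHII", src, dst, vtag, 0) + b"".join(chunks)

def parse_sctp(packet):
    """Parse a packet into (header, chunks); raise ValueError on RFC 4960 violations."""
    if len(packet) < 12:
        raise ValueError("truncated common header")
    header = dict(zip(("src_port", "dst_port", "vtag", "checksum"), struct.unpack("!HHII", packet[:12])))
    chunks, off = [], 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, clen = struct.unpack("!BBH", packet[off:off + 4])
        if clen < MIN_LEN.get(ctype, 4) or off + clen > len(packet):
            raise ValueError("bad length %d for chunk type %d at offset %d" % (clen, ctype, off))
        value, padded = packet[off + 4:off + clen], (clen + 3) & ~3  # chunks are 4-byte aligned
        chunk = {"type": ctype, "flags": flags, "length": clen}
        if ctype == SCTP_DATA:
            tsn, sid, ssn, ppid = struct.unpack("!IHHI", value[:12])
            chunk.update(tsn=tsn, stream_id=sid, stream_seq=ssn, ppid=ppid, data=value[12:])
        elif ctype == SCTP_INIT:  # an INIT must stand alone and carry verification tag 0
            if header["vtag"] != 0 or chunks or off + padded < len(packet):
                raise ValueError("INIT bundled with other chunks or sent with non-zero vtag")
            itag, a_rwnd, out_s, in_s, itsn = struct.unpack("!IIHHI", value[:16])
            chunk.update(init_tag=itag, a_rwnd=a_rwnd, out_streams=out_s, in_streams=in_s, init_tsn=itsn)
        chunks.append(chunk)
        off += padded
    return header, chunks

def disallowed_ppids(packet, allowed):
    """PPIDs of DATA chunks not on the allow list; an empty set means the packet passes."""
    return {c["ppid"] for c in parse_sctp(packet)[1] if c["type"] == SCTP_DATA and c["ppid"] not in allowed}

# Constructed samples: one DATA chunk carrying a Diameter payload on stream 0, and a lone INIT.
SAMPLE_DATA = build_packet(3868, 3868, 0x11223344, build_chunk(
    SCTP_DATA, 0x03, struct.pack("!IHHI", 1000, 0, 0, PPID_DIAMETER) + b"\x01\x00\x00\x14"))
SAMPLE_INIT = build_packet(3868, 3868, 0, build_chunk(
    SCTP_INIT, 0, struct.pack("!IIHHI", 0xDEADBEEF, 65535, 2, 2, 1000)))
```

A firewall applies the same kind of per-chunk validation and PPID allow list before the payload ever reaches the Diameter or SS7 application layer.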
PA-5200 Series and VM-Series firewalls support SCTP security. SCTP requires content release version 785 or later. You configure the firewall with an SCTP Protection profile attached to a Security policy rule for a zone; the SCTP Protection profile enforces the SCTP security feature capabilities. Firewalls in an active/passive HA configuration support SCTP; firewalls in an active/active HA configuration do not. You must enable SCTP on both the active and the passive firewall or disable it on both—you cannot enable SCTP on one HA firewall and disable it on the other. SCTP firewall sessions and SCTP associations are synchronized across peers in an active/passive HA configuration.
On all firewall models you can Create a Security policy rule to control whether to allow SCTP messages to or from a zone.