Configure Packet Based Attack Protection

Defend your zones against packet based attacks.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
A Zone Protection profile configured for packet-based attacks checks IPv4, TCP, ICMP, and ICMPv6 packet headers and enables you to specify whether to drop packets that have undesirable characteristics or to strip those characteristics from packets before admitting them to the zone.
For example, you can drop TCP SYN and SYN-ACK packets that carry data in the payload during the TCP three-way handshake. By default, a Zone Protection profile is set to drop SYN and SYN-ACK packets with data.
  1. Log in to cloud management.
  2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to the Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Packet Based Attack.
  7. Configure the packet-based attack protection that you want to enforce.
    • IP Drop—Specify when the firewall should drop IP-based traffic entering the zone.
      (Best Practices) Drop Unknown and Malformed. Also, drop Strict Source Routing and Loose Source Routing because allowing these options allows adversaries to bypass Security policy rules that use the Destination IP address as the matching criteria. For internal zones only, check Spoofed IP Address so only traffic with a source address that matches the firewall routing table can access the zone.
    • TCP Drop—Specify when the firewall should drop TCP-based traffic entering the zone.
      (Best Practices) Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP Timestamp from packets.
      The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the Zone Protection profile by default is set to allow the handshake packets if they contain a valid Fast Open Cookie.
    • ICMP Drop—Specify when the firewall should drop ICMP-based traffic entering the zone.
      There are no standard best practices for configuring ICMP packet-based protection because whether to drop ICMP packets depends on how you use ICMP.
    • IPv6 Drop—Specify when the firewall should drop IPv6-based traffic entering the zone.
      If compliance matters, ensure that the firewall drops packets with noncompliant headers and extensions.
    • ICMPv6 Drop—Specify when the firewall should drop ICMPv6-based traffic entering the zone.
      If compliance matters, ensure the firewall drops packets that don’t match the policy rule the Zone Protection profile is associated with.
  8. Save.
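To make the TCP Drop checks in step 7 concrete, the following Python is an added illustration (not Palo Alto Networks code, and not how the firewall implements the profile) of the decisions described above: drop a SYN or SYN-ACK that carries payload unless it is a TCP Fast Open exchange with an accepted cookie, and strip the TCP Timestamp option from packets that are allowed in. The packets, the cookie allow-set and the `make_packet`/`inspect_tcp` helpers are all constructed for the example; real cookie validation and checksum recomputation are out of scope.

```python
import struct

SYN, ACK = 0x02, 0x10
OPT_END, OPT_NOP, OPT_TIMESTAMP, OPT_TFO = 0, 1, 8, 34  # option kinds (RFC 793, 7323, 7413)


def walk_options(raw):
    """Yield (offset, kind, length) for every option in a TCP options block."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            return
        length = 1 if kind == OPT_NOP else raw[i + 1]
        yield i, kind, length
        i += length


def inspect_tcp(packet, valid_cookies=frozenset()):
    """Apply the profile's TCP checks to one IPv4/TCP packet.

    Returns (action, packet): 'drop' returns the packet untouched; 'allow' returns it
    with any TCP Timestamp option overwritten by NOPs (checksum fix-up omitted).
    """
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    flags, opt_raw, payload = tcp[13], tcp[20:doff], tcp[doff:]
    opts = {k: opt_raw[o + 2:o + n] for o, k, n in walk_options(opt_raw) if k > OPT_NOP}
    # TCP SYN with Data / TCP SYNACK with Data: a handshake packet carrying payload is
    # dropped unless it is a Fast Open exchange whose cookie is in the (constructed) allow-set.
    if flags & SYN and payload and opts.get(OPT_TFO) not in valid_cookies:
        return "drop", packet
    # Strip TCP Timestamp: blank the option with NOPs so the header length is preserved.
    stripped = bytearray(opt_raw)
    for off, kind, n in walk_options(opt_raw):
        if kind == OPT_TIMESTAMP:
            stripped[off:off + n] = bytes([OPT_NOP]) * n
    return "allow", packet[:ihl + 20] + bytes(stripped) + payload


def make_packet(flags, options=b"", payload=b""):
    """Build a constructed IPv4/TCP packet for the demo (checksums left zero)."""
    options += bytes(-len(options) % 4)  # pad options to a 32-bit boundary with End-of-Options
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (5 + len(options) // 4) << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options) + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp + options + payload


COOKIES = frozenset({bytes.fromhex("0011223344556677")})  # constructed TFO cookie allow-set
TS_OPT = bytes([OPT_TIMESTAMP, 10]) + struct.pack("!II", 1000, 0)
TFO_OPT = bytes([OPT_TFO, 10]) + bytes.fromhex("0011223344556677")
```

Running `inspect_tcp(make_packet(SYN, payload=b"GET /"), COOKIES)` yields `drop`, while the same SYN carrying `TFO_OPT` is allowed, and a SYN carrying `TS_OPT` comes back with the timestamp bytes replaced by NOPs.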