Objects > Security Profiles > SCTP Protection
End-of-Life (EoL)
Create a Stream Control Transmission Protocol (SCTP) Protection profile to specify how the firewall validates and filters SCTP chunks. You must first enable SCTP Security (Device > Setup > Management > General Settings) for this profile type to appear under Security Profiles. The profile also lets you limit the number of IP addresses per SCTP endpoint in a multihomed environment and choose which SCTP events the firewall logs. After you create an SCTP Protection profile, apply it to a Security policy rule for the zones whose SCTP traffic you want inspected; a profile that no rule references is never enforced.
Firewall models that support SCTP security ship with a predefined SCTP Protection profile (default-ss7) that you can use as is or clone as the foundation for a new SCTP Protection profile. Select Objects > Security Profiles > SCTP Protection and open default-ss7 to see the Operation Codes that cause an alert in this predefined profile.
| SCTP Protection Profile Settings | Description |
|---|---|
| Name | Enter a name for the SCTP Protection profile. |
| Description | Enter a description for the SCTP Protection profile. |
| SCTP Inspection | |
| Unknown Chunk | Select the firewall action when it receives an SCTP packet with an unknown chunk (a chunk type not defined in RFC 3758, RFC 4820, RFC 4895, RFC 4960, RFC 5061, or RFC 6525). |
| Chunk Flags | Select the firewall action when it receives an SCTP packet with a chunk flag inconsistent with RFC 4960. |
| Invalid Length | Select the firewall action when it receives an SCTP chunk with an invalid length. |
| IP address limit for multihoming | Enter the maximum number of IP addresses an SCTP endpoint can have before the firewall generates an alert (range is 1 to 8; default is 4). SCTP multihoming is the ability of an endpoint to support more than one IP address for an association with a peer; if one path to an endpoint fails, SCTP selects one of the other destination IP addresses provided for that association. |
| Log Settings | Select any combination of settings to generate SCTP logs for allowed chunks, association start and end, and state failure events. For the firewall to store SCTP logs, you must allocate SCTP log storage (Log Storage tab under Logging and Reporting Settings: Device > Setup > Management). |
| Filtering Options | |
| SCTP Filtering | |
| Name | Enter a name for the SCTP filter. |
| PPID | Specify a PPID (payload protocol identifier) for the SCTP filter. Each SCTP filter can specify only one PPID, but you can add multiple SCTP filters to an SCTP Protection profile. |
| Action | Specify the action the firewall takes on data chunks containing the specified PPID. |
| | SCTP packets are matched to filters in the list from top to bottom, so if you create more than one SCTP filter for a profile, the order of SCTP filters matters. Select a filter and Move Up or Move Down to change its relative priority in the SCTP Filtering list. |
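The following is an added example, not PAN-OS code or a description of the firewall's implementation. It walks SCTP chunks the way the SCTP Inspection checks above are described (unknown chunk type, reserved chunk flags, invalid length, number of addresses advertised for multihoming) and then applies an ordered PPID filter list in which the first match wins, which is what the Move Up / Move Down ordering implies. The exact rules the firewall applies are not stated on this page; the rules below (which flag bits count as reserved, minimum chunk lengths, counting only the IPv4/IPv6 Address parameters in INIT and INIT ACK) are this example's own reading of RFC 4960, and the sample packets are constructed, not captured.

```python
"""Added example (not PAN-OS code): a minimal SCTP chunk validator and ordered
PPID filter.  Which violations it reports is an assumption based on RFC 4960."""
import struct
from dataclasses import dataclass

# Chunk types defined by the RFCs the profile lists (IANA SCTP chunk registry).
KNOWN_CHUNKS = {
    0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
    5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
    9: "ERROR", 10: "COOKIE ECHO", 11: "COOKIE ACK", 12: "ECNE", 13: "CWR",
    14: "SHUTDOWN COMPLETE",           # RFC 4960
    15: "AUTH",                        # RFC 4895
    128: "ASCONF ACK", 193: "ASCONF",  # RFC 5061
    130: "RE-CONFIG",                  # RFC 6525
    132: "PAD",                        # RFC 4820
    192: "FORWARD TSN",                # RFC 3758
}
# Flag bits RFC 4960 defines: DATA uses U/B/E (0x07), ABORT and SHUTDOWN COMPLETE
# use T (0x01); every other flag bit of an RFC 4960 chunk is reserved (assumed: must be 0).
ALLOWED_FLAGS = {0: 0x07, 6: 0x01, 14: 0x01}
MIN_CHUNK_LEN = {0: 17, 1: 20, 2: 20, 3: 16}  # header + fixed fields; DATA needs >= 1 payload byte
ADDR_PARAMS = {5: 8, 6: 20}  # INIT parameter types: IPv4 Address (len 8) / IPv6 Address (len 20)

@dataclass
class Finding:
    check: str   # unknown-chunk | chunk-flags | invalid-length | multihoming
    detail: str

def count_address_params(params: bytes) -> int:
    """Count IPv4/IPv6 Address parameters (TLVs) carried in an INIT or INIT ACK chunk."""
    n = off = 0
    while off + 4 <= len(params):
        ptype, plen = struct.unpack_from("!HH", params, off)
        if plen < 4:
            break
        if ADDR_PARAMS.get(ptype) == plen:
            n += 1
        off += (plen + 3) & ~3
    return n

def inspect_sctp(pkt: bytes, ip_limit: int = 4) -> list[Finding]:
    """Walk the chunks after the 12-byte common header and report every violation."""
    findings = []
    off = 12  # src port, dst port, verification tag, checksum (checksum not verified here)
    while off < len(pkt):
        if len(pkt) - off < 4:
            findings.append(Finding("invalid-length", f"truncated chunk header at offset {off}"))
            break
        ctype, flags, clen = struct.unpack_from("!BBH", pkt, off)
        name = KNOWN_CHUNKS.get(ctype)
        if name is None:
            findings.append(Finding("unknown-chunk", f"type {ctype}"))
        if clen < MIN_CHUNK_LEN.get(ctype, 4) or off + clen > len(pkt):
            findings.append(Finding("invalid-length", f"{name or ctype} length {clen}"))
            break  # the walk cannot be trusted past a bad length
        if ctype <= 14 and flags & ~ALLOWED_FLAGS.get(ctype, 0):
            findings.append(Finding("chunk-flags", f"{name} flags 0x{flags:02x}"))
        if ctype in (1, 2):  # INIT / INIT ACK advertise the endpoint's addresses
            n = count_address_params(pkt[off + 20:off + clen])
            if n > ip_limit:
                findings.append(Finding("multihoming", f"{n} addresses exceed limit {ip_limit}"))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return findings

def apply_ppid_filters(pkt: bytes, filters: list[tuple[int, str]], default: str = "allow") -> list[tuple[int, str]]:
    """Ordered (ppid, action) filters: the first filter matching a DATA chunk's PPID wins."""
    verdicts = []
    off = 12
    while off + 4 <= len(pkt):
        ctype, _, clen = struct.unpack_from("!BBH", pkt, off)
        if clen < 4 or off + clen > len(pkt):
            break
        if ctype == 0 and clen >= 16:  # PPID sits 12 bytes into a DATA chunk (TSN, SID, SSN first)
            (ppid,) = struct.unpack_from("!I", pkt, off + 12)
            verdicts.append((ppid, next((a for p, a in filters if p == ppid), default)))
        off += (clen + 3) & ~3
    return verdicts

# --- constructed sample packets (not captured traffic) ---
def chunk(ctype: int, flags: int, body: bytes) -> bytes:
    return struct.pack("!BBH", ctype, flags, 4 + len(body)) + body

def sctp_packet(*chunks: bytes) -> bytes:
    header = struct.pack("!HHII", 3868, 3868, 0x11223344, 0)  # ports, vtag, checksum (left 0)
    return header + b"".join(c + b"\0" * (-len(c) % 4) for c in chunks)

def init_chunk(addrs: list[bytes]) -> bytes:
    fixed = struct.pack("!IIHHI", 0xDEADBEEF, 65536, 10, 65535, 1)  # init tag, a_rwnd, OS, MIS, TSN
    return chunk(1, 0, fixed + b"".join(struct.pack("!HH", 5, 8) + a for a in addrs))

def data_chunk(ppid: int, payload: bytes, flags: int = 0x03) -> bytes:
    return chunk(0, flags, struct.pack("!IHHI", 1, 0, 0, ppid) + payload)  # TSN, SID, SSN, PPID

SAMPLE_MULTIHOME = sctp_packet(init_chunk([bytes([10, 0, 0, i]) for i in range(1, 6)]))  # 5 addresses
SAMPLE_BAD = sctp_packet(chunk(4, 0x80, bytes(8)),   # HEARTBEAT with a reserved flag bit set
                         chunk(200, 0, bytes(4)),    # unregistered chunk type
                         data_chunk(46, b"x"))       # well-formed DATA chunk, PPID 46
SAMPLE_TRUNCATED = sctp_packet(struct.pack("!BBH", 0, 3, 100) + bytes(12))  # claims 100 bytes, has 16
SAMPLE_DATA = sctp_packet(data_chunk(46, b"diameter"), data_chunk(3, b"m3ua"))
FILTERS = [(46, "alert"), (46, "block"), (3, "block")]  # PPID 46 = Diameter, 3 = M3UA

if __name__ == "__main__":
    for label, pkt in [("multihome", SAMPLE_MULTIHOME), ("bad", SAMPLE_BAD), ("truncated", SAMPLE_TRUNCATED)]:
        print(label, [(f.check, f.detail) for f in inspect_sctp(pkt)])
    print("ppid verdicts", apply_ppid_filters(SAMPLE_DATA, FILTERS))
```

Running it reports a reserved-flag HEARTBEAT and an unknown chunk for `SAMPLE_BAD`, a multihoming alert for the five-address INIT (which disappears with `ip_limit=8`), and a single invalid-length finding for the truncated packet. With `FILTERS` as listed, the Diameter DATA chunk is alerted rather than blocked because the alert filter sits above the block filter for the same PPID; swapping their order changes the verdict, which is the point of the Move Up / Move Down controls.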
| Diameter Filtering | Description |
|---|---|
| Name | Enter a name for the Diameter filter. |
| Action | Specify the action the firewall takes on Diameter chunks that carry the specified Diameter Application ID, Command Codes, and AVPs. The filter matches when the inspected chunk includes the specified Diameter Application ID and any of the specified Diameter Command Codes and any of the specified Diameter AVPs. |
| Diameter Application ID | Specify the Diameter Application ID for a chunk on which the firewall takes the specified action: select it from the drop-down or enter its numerical value (range is 0 to 4,294,967,295). A Diameter filter can have only one Application ID. |
| Diameter Command Code | Specify the Diameter Command Codes for a chunk on which the firewall takes the specified action. Select any, select one of the Diameter Command Codes from the drop-down, or enter a specific value (range is 0 to 16,777,215). The drop-down includes only the command codes that apply to the selected Diameter Application ID. You can add multiple Diameter Command Codes to a Diameter filter. |
| Diameter AVP | Specify the Diameter Attribute-Value Pair (AVP) codes for a chunk on which the firewall takes the specified action. Enter one or more AVP codes or values (range is 1 to 16,777,215). |
| | If you create more than one Diameter filter for a profile, the order of Diameter filters matters. Select a filter and Move Up or Move Down to adjust its relative priority in the Diameter Filtering list. |
| SS7 Filtering | Description |
|---|---|
| Name | Enter a name for the SS7 filter. |
| Action | Specify the action the firewall takes on SS7 chunks that carry the specified SS7 filter elements. The filter matches when the inspected chunk contains the SCCP Calling Party SSN and any of the specified SCCP Calling Party Global Title (GT) values and any of the specified Operation Codes. |
| SCCP Calling Party SSN | Specify the SCCP Calling Party SSN for a chunk on which the firewall takes the specified action. Select any-map or Add one of the SCCP Calling Party SSNs from the drop-down. An SS7 filter can have only one SCCP Calling Party SSN. |
| SCCP Calling Party GT | Specify the SCCP Calling Party GT value for a chunk on which the firewall takes the specified action. Select Any or Add a numerical value of up to 15 digits. You can also enter a group of SCCP Calling Party GT values using a prefix, for example 876534*. You can add multiple SCCP Calling Party GT values to an SS7 filter. For SCCP Calling Party SSN: INAP and SCCP Management, this option is disabled. |
| Operation Code | Specify the operation code for a chunk on which the firewall takes the specified action. Depending on the SCCP Calling Party SSN, select any, select an operation code from the drop-down, or enter a specific value (range is 1 to 255). For SCCP Calling Party SSN: CAP, enter a value (range is 1 to 255). For SCCP Calling Party SSN: INAP and SCCP Management, this option is disabled. You can add multiple operation codes to an SS7 filter. |
| | If you create more than one SS7 filter for a profile, the order of SS7 filters matters. Select a filter and Move Up or Move Down to adjust its relative priority in the SS7 Filtering list. |