IP Drop
To instruct the firewall what to do with certain IP
packets it receives in the zone, specify the following settings.
Zone Protection Profile Settings—Packet Based Attack Protection | Configured In | Description |
---|---|---|
Spoofed IP address | Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop | Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet. The firewall does not consider Policy Based Forwarding (PBF) rules during this check; it considers only routes listed in the routing table (RIB), that is, routes listed under the CLI output for show routing route. On internal zones only, drop spoofed IP address packets to ensure that on ingress, the source address matches the firewall routing table. |
Strict IP Address Check | | Check that both conditions are true: If either condition is not true, discard the packet. The firewall does not consider Policy Based Forwarding (PBF) rules during this check; it considers only routes listed in the routing table (RIB), that is, routes listed under the CLI output for show routing route. For a firewall in Common Criteria (CC) mode, you can enable logging for discarded packets. On the firewall web interface, select Device > Log Settings. In the Manage Logs section, select Selective Audit and enable Packet Drop Logging. |
Fragmented traffic | | Discard fragmented IP packets. |
IP Option Drop | | Select the settings in this group to enable the firewall to drop packets containing these IP Options. |
Strict Source Routing | | Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram. Drop packets with strict source routing because source routing allows adversaries to bypass Security policy rules that use the destination IP address as the matching criteria. |
Loose Source Routing | | Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route. Drop packets with loose source routing because source routing allows adversaries to bypass Security policy rules that use the destination IP address as the matching criteria. |
Timestamp | | Discard packets with the Timestamp IP option set. |
Record Route | | Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient. |
Security | | Discard packets if the security option is defined. |
Stream ID | | Discard packets if the Stream ID option is defined. |
Unknown | | Discard packets if the class and number are unknown. Discard unknown packets. |
Malformed | | Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113. Discard malformed packets. |
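
The Spoofed IP address check described in the table can be modelled as a longest-prefix lookup of the packet's source address followed by a zone comparison. The following is an added example, not Palo Alto Networks code; the routes, interface names and zone names are constructed sample data, and `spoofed_ip_verdict` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data (not from the page): RIB entries as (prefix, egress
# interface) and the zone each interface belongs to.
RIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "ethernet1/2"),
    (ipaddress.ip_network("10.1.50.0/24"), "ethernet1/3"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
]
ZONE_OF = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}

def spoofed_ip_verdict(src: str, ingress_if: str, rib=RIB, zone_of=ZONE_OF) -> str:
    """Apply the two conditions from the Spoofed IP address row to one packet."""
    addr = ipaddress.ip_address(src)
    # Only RIB routes are consulted; PBF rules play no part in the check.
    candidates = [(net, ifc) for net, ifc in rib if addr in net]
    if not candidates:
        return "discard: source not routable"
    # Longest-prefix match selects the route that would be used to reach src.
    _, route_if = max(candidates, key=lambda c: c[0].prefixlen)
    if zone_of[route_if] != zone_of[ingress_if]:
        return f"discard: route to source is in zone {zone_of[route_if]}"
    return "accept"
```

In this model, a default route in the untrust zone lets any source without a more specific route pass on untrust interfaces, so the check is selective only on zones reached through specific routes.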
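
To check captured traffic against the IP Option Drop settings before enabling them, the options area of each IPv4 header can be walked and mapped to the setting names in the table. This is an added example, not Palo Alto Networks code: the `KNOWN` table covers only the options named by the settings and the cited RFCs, the Unknown and Malformed rules are an assumed reading of the descriptions above, and `build_header` produces constructed sample input.

```python
import struct

# Option type -> (setting name from the table, fixed length or None if variable).
# A name of None marks an option from the cited RFCs that has no setting of its own.
KNOWN = {
    0x89: ("Strict Source Routing", None),
    0x83: ("Loose Source Routing", None),
    0x44: ("Timestamp", None),
    0x07: ("Record Route", None),
    0x82: ("Security", None),   # RFC 791 / RFC 1108 basic security
    0x88: ("Stream ID", 4),     # RFC 791
    0x52: (None, 12),           # Traceroute, RFC 1393
    0x94: (None, 4),            # Router Alert, RFC 2113
}

def classify_ip_options(packet: bytes) -> set:
    """Return the IP Option Drop settings this IPv4 header would match."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return {"Malformed"}
    opts, hits, i = packet[20:ihl], set(), 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                      # End of Option List
            break
        if otype == 1:                      # No Operation (single byte)
            i += 1
            continue
        olen = opts[i + 1] if i + 1 < len(opts) else 0
        if olen < 2 or i + olen > len(opts):
            hits.add("Malformed")           # length byte missing, too small, or overruns
            break
        name, fixed = KNOWN.get(otype, ("Unknown", None))
        if fixed is not None and olen != fixed:
            hits.add("Malformed")
        elif name:
            hits.add(name)
        i += olen
    return hits

def build_header(options: bytes) -> bytes:
    """Constructed sample input: a bare IPv4 header carrying `options`."""
    options += b"\x00" * (-len(options) % 4)    # pad to a 32-bit boundary
    first = (4 << 4) | (5 + len(options) // 4)  # version 4, IHL in words
    return struct.pack("!BBHHHBBH4s4s", first, 0, 20 + len(options), 0, 0, 64,
                       17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
```

An empty result means none of the modelled settings would match the header; a packet carrying several options returns every setting it matches.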