PAN-OS Web Interface Help
    : Objects > Security Profiles > SCTP Protection
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Help
    4. Objects
    5. Objects > Security Profiles > SCTP Protection
    Download PDF

    PAN-OS Web Interface Help

    Objects > Security Profiles > SCTP Protection

    Table of Contents

    Objects > Security Profiles > SCTP Protection

    Create a Stream Control Transmission Protocol (SCTP) Protection profile to specify the ways in which you want the firewall to validate and filter SCTP chunks. You must first enable SCTP Security (DeviceSetupManagementGeneral Settings) in order to see this profile type under Security Profiles. You can also limit the number of IP addresses per SCTP endpoint in a multi-homed environment and you can specify when the firewall logs SCTP events. After you create an SCTP Protection profile, you then need to apply the profile to a Security policy rule for a zone.
    Firewall models that support SCTP security have a predefined SCTP Protection profile (default-ss7) available for you to use as is or you can clone the default-ss7 profile as the foundation for a new SCTP Protection profile. Select ObjectSecurity ProfilesSCTP Protection and select default-ss7 to see the Operation Codes that cause an alert for this predefined profile.
    SCTP Protection Profile Settings
    Name
    Enter a name for the SCTP Protection profile.
    Description
    Enter a description for the SCTP Protection profile.
    SCTP Inspection
    Unknown Chunk
    Select the firewall action when it receives an SCTP packet with an unknown chunk (the chunk is not defined in RFC3758, RFC4820, RFC4895, RFC4960, RFC5061, or RFC 6525):
    • allow (default)—Allow the packet to pass without modification.
    • alert—Allow the packet to pass without modification and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    • block—Nullify the chunk before passing the packet and generate an SCTP log.
    Chunk Flags
    Select the firewall action when it receives an SCTP packet with a chunk flag inconsistent with RFC4960:
    • allow (default)—Allow the packet to pass without modification.
    • alert—Allow the packet to pass without modification and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    • block—Drop the packet and generate an SCTP log.
    Invalid Length
    Select the firewall action when it receives an SCTP chunk with an invalid length:
    • allow (default)—Allow the packet or chunk to pass without modification.
    • block—Drop the packet and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab.
    IP address limit for multihoming
    Enter the maximum number of IP addresses you can configure for an SCTP endpoint before the firewall generates an alert message (range is 1 to 8; default is 4).
    SCTP multihoming is the ability of an endpoint to support more than one IP address for an association with a peer. If one path to an endpoint fails, SCTP selects one of the other destination IP addresses provided for that association.
    Log Settings
    Select any combination of settings to generate SCTP logs for allowed chunks, association start and end, and state failure events:
    • Log at Association Start
    • Log at Association End
    • Log Allowed Association Initialization Chunks
    • Log Allowed Heartbeat Chunks
    • Log Allowed Association Termination Chunks
    • Log All Control Chunks
    • Log State Failure Events
    For the firewall to store SCTP logs, you need to allocate SCTP log storage (see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    Filtering Options
    SCTP Filtering
    Name
    Enter a name for the SCTP filter.
    PPID
    Specify a PPID for the SCTP filter:
    • any—causes the firewall to take the Action you specify on all SCTP data chunks containing a PPID.
    • 3GPP PUA
    • 3GPP RNA
    • LCS-AP
    • M2PA
    • M2UA
    • M3UA
    • NBAP
    • RUA
    • S1AP
    • SBc-AP
    • SUA
    • X2AP
    • Enter a valid PPID value (one that isn’t present in the drop-down). For example, the PPID value for H.323 is 13.
    Each SCTP filter can specify only one PPID, but you can specify multiple SCTP filters for an SCTP Protection profile.
    Action
    Specify the action the firewall takes on data chunks containing the specified PPID:
    • allow (default)—Allow the chunk to pass without modification.
    • alert—Allow the chunk to pass without modification and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    • block—Nullify the chunk before passing the packet and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    SCTP packets are matched to filters in the list from top to bottom. If you create more than one SCTP filter for a profile, the order of SCTP filters makes a difference. Select a filter and Move Up or Move Down to change its relative priority in the SCTP Filtering list.
    Diameter Filtering
    Name
    Enter a name for the Diameter filter.
    Action
    Specify the action the firewall takes on Diameter chunks containing the specified Diameter Application IDs, Command Code, and AVPs. If the inspected chunk includes the specified Diameter Application ID and any of the specified Diameter Command Codes and any of the specified Diameter AVPs, then:
    • allow (default)—Allow the chunk to pass without modification.
    • alert—Allow the chunk to pass without modification and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    • block—Nullify the chunk before passing the packet and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    Diameter Application ID
    Specify the Diameter Application ID for a chunk on which the firewall takes the specified action.
    • any
    • 3GPP-Rx
    • 3GPP-S6a/S6d
    • 3GPP-S6c
    • 3GPP-S9
    • 3GPP-S13/S13
    • 3GPP-Sh
    • Diameter Base Accounting
    • Diameter Common Messages
    • Diameter Credit Control
    Alternatively, you can enter a numerical value of a Diameter Application ID (the range is from 0 to 4,294,967,295). A Diameter filter can have only one Application ID.
    Diameter Command Code
    Specify the Diameter Command Codes for a chunk on which the firewall takes the specified action. Select any, select one of the Diameter Command Codes from the drop-down, or enter a specific value (the range is from 0 to 16,777,215). The drop-down includes only those command codes that apply to the Diameter Application ID selected. You can add multiple Diameter Command Codes in a Diameter filter.
    Diameter AVP
    Specify the Diameter Attribute-Value Pair (AVP) codes for a chunk on which the firewall takes the specified action. Enter one or more AVP codes or values (the range is from 1 to 16,777,215).
    If you create more than one Diameter filter for a profile, the order of Diameter filters makes a difference. Select a filter and Move Up or Move Down to adjust its relative priority in the Diameter Filtering list.
    SS7 Filtering
    Name
    Enter a name for the SS7 filter.
    Action
    Specify the action the firewall takes on SS7 chunks containing the specified SS7 filter elements. If the chunk being inspected contains the SCCP Calling Party SSN and any of the specified SCCP Calling Party Global Title (GT) values and any of the specified Operation Codes, then:
    • allow (default)—Allow the chunk to pass without modification.
    • alert—Allow the chunk to pass without modification and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    • block—Nullify the chunk before passing the packet and generate an SCTP log (you need to allocate log storage for these logs—see Log Storage tab under Logging and Reporting Settings: Device > Setup > Management).
    SCCP Calling Party SSN
    Specify the SCCP Calling Party SSN for a chunk on which the firewall takes the specified action. Select any-map or Add one of the SCCP Calling Party SSNs from the drop-down:
    • HLR(MAP)
    • VLR(MAP)
    • MSC(MAP)
    • EIR(MAP)
    • GMLC(MAP)
    • gsmSCF(MAP)
    • SIWF(MAP)
    • SGSN(MAP)
    • GGSN(MAP)
    • CSS(MAP)
    • CAP
    • INAP
    • SCCP Management
    An SS7 filter can have only one SCCP Calling Party SSN.
    SCCP Calling Party GT
    Specify the SCCP Calling Party GT value for a chunk on which the firewall takes the specified action. Select Any or Add a numerical value up to 15 digits. You can also enter a group of SCCP Calling Party GT values using a prefix. For example: 876534*. You can add multiple SCCP Calling Party GT values in an SS7 filter.
    For SCCP Calling Party SSN: INAP and SCCP Management, this option is disabled.
    Operation Code
    Specify the operation code for a chunk on which the firewall takes the specified action:
    For the following SCCP Calling Party SSNs, select any, or an operation code from the drop-down, or enter a specific value (range is 1 to 255):
    • HLR(MAP)
    • VLR(MAP)
    • MSC(MAP)
    • EIR(MAP)
    • GMLC(MAP)
    • gsmSCF(MAP)
    • SIWF(MAP)
    • SGSN(MAP)
    • GGSN(MAP)
    • CSS(MAP)
    For SCCP Calling Party SSN: CAP, enter a value (range is 1 to 255).
    For SCCP Calling Party SSN: INAP and SCCP Management, this option is disabled.
    You can add multiple operation codes in an SS7 filter.
    If you create more than one SS7 filter for a profile, the order of SS7 filters makes a difference. Select a filter and Move Up or Move Down to adjust its relative priority in the SS7 Filtering list.

    © 2024 Palo Alto Networks, Inc. All rights reserved.