Packet-Based Attack Protection

End-of-Life (EoL)

Protect your network against bad IP, TCP, ICMP, IPv6, and ICMPv6 packets.
Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
  • Dropping packets with undesirable characteristics.
  • Stripping undesirable options from packets before admitting them to the zone.
Select the drop characteristics for each packet type when you Configure Packet Based Attack Protection. The best practices for each IP protocol are:
  • IP Drop—Drop Unknown and Malformed packets. Also drop Strict Source Routing and Loose Source Routing, because these options let an adversary dictate the path a packet takes and so bypass Security policy rules that use the Destination IP address as the matching criterion. For internal zones only, check Spoofed IP Address so that only traffic whose source address matches the firewall routing table can enter the zone.
  • TCP Drop—Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP Timestamp from packets.
    Enabling Rematch Sessions (Device > Setup > Session > Session Settings) is a best practice: it applies newly committed or edited Security policy rules to existing sessions. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change the selection from Global to No); otherwise, when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile that disables Reject Non-SYN TCP only for zones that have Tunnel Content Inspection policies, and only when Rematch Sessions is enabled.
  • ICMP Drop—There are no standard best practice settings because dropping ICMP packets depends on how you use ICMP (or if you use ICMP). For example, if you want to block ping activity, you can block ICMP Ping ID 0.
  • IPv6 Drop—If compliance matters, ensure that the firewall drops packets with non-compliant routing headers, extensions, etc.
  • ICMPv6 Drop—If compliance matters, ensure that the firewall drops certain packets if the packets don’t match a Security policy rule.
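The IP Drop and TCP Drop checks described above, shown as an added Python illustration of what a packet-based check evaluates on each header (this is example code written for this page, not PAN-OS code; the packets, the SAMPLE_ROUTES routing table and the builder helpers are constructed for the demo). It parses an IPv4 header, flags malformed headers and Loose/Strict Source Routing options, applies the spoofed-source test against a routing table for an internal zone, detects TCP SYN and SYN-ACK segments that carry data, and strips the TCP Timestamp option without changing the header length:

```python
"""Added illustration (not PAN-OS code) of the IP and TCP checks a Zone
Protection profile makes. All packets below are constructed for the demo."""
import ipaddress
import struct

OPT_EOL, OPT_NOP = 0, 1                  # option terminators shared by IP and TCP
IP_OPT_LSRR, IP_OPT_SSRR = 131, 137      # Loose / Strict Source Routing (RFC 791)
TCP_OPT_TIMESTAMP = 8                    # TCP Timestamp option (RFC 7323)
TCP_SYN, TCP_ACK = 0x02, 0x10

# Constructed stand-in for the firewall routing table of an internal zone.
SAMPLE_ROUTES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def walk_options(opts):
    """Yield (kind, offset, length) per option; raise ValueError if malformed."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        yield kind, i, opts[i + 1]
        i += opts[i + 1]


def parse_ipv4(pkt):
    """Return (src, dst, options, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, _, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(pkt):
        raise ValueError("malformed header")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), pkt[20:ihl], pkt[ihl:total_len]


def ip_drop_verdict(pkt, routes, internal=False):
    """None if the packet is admitted, else the name of the IP Drop check that fired."""
    try:
        src, _dst, opts, _payload = parse_ipv4(pkt)
        kinds = [kind for kind, _, _ in walk_options(opts)]
    except ValueError:
        return "malformed"
    if IP_OPT_SSRR in kinds:
        return "strict-source-routing"
    if IP_OPT_LSRR in kinds:
        return "loose-source-routing"
    # Spoofed IP Address: an internal zone admits only sources the routing table knows.
    if internal and not any(src in net for net in routes):
        return "spoofed-ip"
    return None


def parse_tcp(seg):
    """Return (flags, options, payload); raise ValueError on a malformed header."""
    if len(seg) < 20:
        raise ValueError("truncated header")
    off_flags = struct.unpack("!H", seg[12:14])[0]
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("malformed header")
    return off_flags & 0x1FF, seg[20:doff], seg[doff:]


def tcp_drop_verdict(seg):
    """None if admitted, else which of the default TCP Drop checks fired."""
    try:
        flags, _opts, payload = parse_tcp(seg)
    except ValueError:
        return "malformed"
    if flags & TCP_SYN and payload:
        return "synack-with-data" if flags & TCP_ACK else "syn-with-data"
    return None


def tcp_option_kinds(seg):
    _flags, opts, _payload = parse_tcp(seg)
    return [kind for kind, _, _ in walk_options(opts)]


def strip_tcp_timestamp(seg):
    """Overwrite the Timestamp option with NOPs so the data offset is unchanged.
    The TCP checksum is not recomputed here (that needs the IP pseudo-header)."""
    _flags, opts, payload = parse_tcp(seg)
    out = bytearray(opts)
    for kind, off, length in walk_options(opts):
        if kind == TCP_OPT_TIMESTAMP:
            out[off:off + length] = bytes([OPT_NOP]) * length
    return seg[:20] + bytes(out) + payload


# Constructed packet builders, used only for the demo (zero checksums, fixed ports).
def build_ipv4(src, dst, proto=6, options=b"", payload=b""):
    opts = options + bytes(-len(options) % 4)          # pad options to 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (20 + len(opts)) // 4, 0,
                      20 + len(opts) + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opts + payload


def build_tcp(flags, options=b"", payload=b""):
    opts = options + bytes(-len(options) % 4)
    doff_flags = (((20 + len(opts)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, doff_flags, 65535, 0, 0) + opts + payload


def lsrr_option(hop):
    return bytes([IP_OPT_LSRR, 7, 4]) + ipaddress.IPv4Address(hop).packed


def timestamp_option(tsval, tsecr=0):
    return bytes([TCP_OPT_TIMESTAMP, 10]) + struct.pack("!II", tsval, tsecr)


if __name__ == "__main__":
    print(ip_drop_verdict(build_ipv4("10.1.2.3", "10.9.9.9", options=lsrr_option("10.9.9.9")), SAMPLE_ROUTES))
    print(ip_drop_verdict(build_ipv4("203.0.113.5", "10.9.9.9"), SAMPLE_ROUTES, internal=True))
    print(tcp_drop_verdict(build_tcp(TCP_SYN, payload=b"GET /")))
    print(tcp_option_kinds(strip_tcp_timestamp(build_tcp(TCP_SYN, options=timestamp_option(1)))))
```

Two design points mirror the best practices above: the spoofed-source test is applied only when `internal=True`, because on an external zone legitimate sources are not in the routing table, and the Timestamp option is replaced by NOPs rather than removed so the TCP data offset stays valid; a real device would also recompute the checksum, which is left out here.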