Zone protection profiles
Resolution
Zone protection profiles are a great way to help protect your network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks. Take a look at our Video Tutorial to learn more about zone protection profiles and how to configure them.
Zone protection can be set using a template configuration to apply similar settings to multiple zones. These settings apply to the ingress zone.
Zone Protection Profile is configured at Network > Network Profiles > Zone Protection.
As you can see, I don’t have one configured yet.
Let’s add one by clicking the Add button and give it a useful name like ZoneProtection.
I’ll go over all the options now.
Notice you have 3 tabs — Flood Protection / Reconnaissance Protection / Packet Based Attack Protection.
Under flood protection, you can configure your device for protection from SYN floods, UDP floods, ICMP floods and other IP floods. The value set in the alert, activate, and maximum fields is the number of packets per second from one or many hosts to one or many destinations in the zone. Packets entering the zone are sampled at one-second intervals to determine whether the rate matches the thresholds you configure.
For SYN flood protection, PAN-OS supports SYN cookie or Random Early Drop, as you can see in the dropdown.
With SYN cookie, the firewall acts as a man-in-the-middle for the TCP handshake in order to validate the connection.
With Random Early Drop, the drop probability is 0 while the packet rate is below the Activate threshold, and it increases as the rate rises from the Activate threshold toward the Maximum threshold. If the rate goes above the Maximum value, all packets are dropped.
Alert: the number of SYN packets received by the zone (in a second) that triggers an attack alarm. Alarms can be viewed on the Dashboard and in the threat log.
Activate: The number of SYN packets per second to the zone at which RED or SYN cookies are triggered.
Maximum: Enter the maximum number of SYN packets able to be received per second. Any number of packets exceeding the maximum will be dropped.
ICMP flood protection applies, as the name indicates, to ICMP packets (the same applies to ICMPv6).
Alert: Enter the number of ICMP echo requests (pings) received per second that triggers an attack alarm.
Activate: Enter the number of ICMP packets received by the zone that causes subsequent ICMP packets to be dropped.
Maximum: Enter the maximum number of ICMP packets able to be received per second. Any number of packets exceeding the maximum will be dropped.
UDP flood protection applies, as the name indicates, to UDP packets.
Alert: Enter the number of UDP packets received by the zone that triggers an attack alarm.
Activate: Enter the number of UDP packets received by the zone that triggers random dropping of UDP packets.
Maximum: Enter the maximum number of UDP packets able to be received per second. Any number of packets exceeding the maximum will be dropped.
Finally, here we have other IP flood protection:
Alert: Enter the number of IP packets received by the zone that triggers an attack alarm.
Activate: Enter the number of IP packets received by the zone that triggers random dropping of IP packets. The response is disabled when the number of IP packets drops below the threshold.
Maximum: Enter the maximum number of IP packets able to be received per second. Any number of packets exceeding the maximum will be dropped.
Note: PAN-OS does not log the source and destination IP address in the threat logs generated during a flood attack. Flood attacks typically come from spoofed IP addresses, or the flood could even be a DDoS attack, so there could be hundreds or thousands of source addresses to log.
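To make the Alert / Activate / Maximum semantics concrete, here is an added model (not PAN-OS code) of one one-second sample being checked against the four flood counters described above. The protocol-to-counter mapping, the linear shape of the RED ramp between Activate and Maximum, and the sample traffic are assumptions made for this illustration.

```python
from dataclasses import dataclass

TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58   # IP protocol numbers

@dataclass(frozen=True)
class FloodThresholds:
    alert: int     # packets/second that raises an alarm in the threat log
    activate: int  # packets/second at which RED or SYN cookies kick in
    maximum: int   # packets/second above which every packet is dropped

def drop_probability(t: FloodThresholds, pps: int) -> float:
    """Random Early Drop: 0 below Activate, 1 at or above Maximum, a ramp in
    between. The ramp is assumed linear; the page only says it increases."""
    if pps < t.activate:
        return 0.0
    if pps >= t.maximum:
        return 1.0
    return (pps - t.activate) / (t.maximum - t.activate)

def bucket(proto: int, syn: bool) -> str:
    """Map one packet to the flood counter it is sampled against (assumed)."""
    if proto == TCP:
        return "tcp-syn" if syn else "tcp-other"  # only SYNs feed the SYN counter
    if proto == UDP:
        return "udp"
    if proto in (ICMP, ICMPV6):
        return "icmp"
    return "other-ip"

def evaluate_sample(profile: dict, packets: list) -> dict:
    """One one-second sample. `packets` is a list of (proto, syn_flag) tuples
    seen entering the zone; returns per counter the rate, whether the Alert
    and Activate thresholds were reached, and the RED drop probability."""
    rates = {}
    for proto, syn in packets:
        b = bucket(proto, syn)
        rates[b] = rates.get(b, 0) + 1
    result = {}
    for name, t in profile.items():
        pps = rates.get(name, 0)
        result[name] = {"pps": pps, "alert": pps >= t.alert,
                        "active": pps >= t.activate,
                        "drop_probability": drop_probability(t, pps)}
    return result

# Constructed profile: the same thresholds on all four counters.
PROFILE = {n: FloodThresholds(alert=10000, activate=10000, maximum=40000)
           for n in ("tcp-syn", "udp", "icmp", "other-ip")}
# Constructed sample: 25,000 SYNs, 300 UDP packets and 50 pings in one second.
SAMPLE = [(TCP, True)] * 25000 + [(UDP, False)] * 300 + [(ICMP, False)] * 50
```

With these numbers the SYN counter sits halfway between Activate and Maximum, so RED drops about half of the SYNs while the UDP and ICMP counters stay untouched.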
Moving forward, Reconnaissance protection is used to prevent, or alert administrators on, reconnaissance attempts like TCP and UDP port scans and host sweeps. Unlike the flood settings, the thresholds you configure here apply to hosts in the zone where reconnaissance protection is configured.
You can enable each protection separately, as you can see.
The actions are:
Allow: Permits the port scan attempts
Alert: Generates an alert for each scan that matches the threshold within the specified time interval
Block: Drops all traffic from the source to the destination
Block IP: Drops all further packets for a specified period of time. Choose whether to block source, destination, or source-and-destination traffic and enter a duration (seconds).
Interval: Time between successive probes for open ports. For host sweep, it is the time interval between successive probes (ICMP/TCP/UDP) to the network.
Threshold: The number of scanned ports on a destination host within the specified time interval that will trigger reconnaissance protection action.
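As an added illustration of the Interval and Threshold semantics above (not PAN-OS code), the following applies port-scan and host-sweep thresholds to constructed flow records: a port scan is counted per source and destination host, a host sweep per source across hosts. The `Flow` and `ReconEvent` structures and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float    # seconds
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp

class ReconEvent(NamedTuple):
    kind: str    # "tcp-port-scan", "udp-port-scan" or "host-sweep"
    src: str
    target: str  # scanned host, or "*" for a sweep across hosts
    count: int   # distinct ports or hosts seen inside the interval

def _distinct_in_window(events, interval, threshold):
    """events: (ts, key) pairs. Count of distinct keys in the first
    `interval`-second window that reaches `threshold`, else None."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        keys = {k for t, k in events[i:] if t - t0 <= interval}
        if len(keys) >= threshold:
            return len(keys)
    return None

def detect_recon(flows, interval=2.0, threshold=100):
    """Port scan: `threshold` distinct ports on one host from one source
    within `interval` seconds. Host sweep: `threshold` distinct hosts
    probed by one source within `interval` seconds."""
    ports = defaultdict(list)   # (src, dst, proto) -> [(ts, dport)]
    hosts = defaultdict(list)   # src -> [(ts, dst)]
    for f in flows:
        if f.proto in ("tcp", "udp"):
            ports[(f.src, f.dst, f.proto)].append((f.ts, f.dport))
        hosts[f.src].append((f.ts, f.dst))
    found = []
    for (src, dst, proto), ev in ports.items():
        n = _distinct_in_window(ev, interval, threshold)
        if n:
            found.append(ReconEvent(f"{proto}-port-scan", src, dst, n))
    for src, ev in hosts.items():
        n = _distinct_in_window(ev, interval, threshold)
        if n:
            found.append(ReconEvent("host-sweep", src, "*", n))
    return found

# Constructed flows: one source probing 8 ports on a host, one pinging 8
# hosts, and one legitimate client opening two connections.
SAMPLE = [Flow(1.0 + 0.1 * p, "198.51.100.7", "10.0.0.5", "tcp", 20 + p) for p in range(8)]
SAMPLE += [Flow(5.0 + 0.2 * h, "203.0.113.9", f"10.0.0.{h}", "icmp", 0) for h in range(1, 9)]
SAMPLE += [Flow(9.0, "192.0.2.4", "10.0.0.5", "tcp", 443), Flow(9.5, "192.0.2.4", "10.0.0.5", "tcp", 80)]
```

Lowering the threshold or widening the interval makes the detector more sensitive, which is the same trade-off you make when tuning the profile's Interval and Threshold fields.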
Moving forward, we go to Packet Based Attack Protection. Several tabs here offer many additional protections.
To configure IP Drop, you can specify the following settings:
Spoofed IP address: Select the checkbox to enable protection against IP address spoofing. PAN-OS uses the routing table on the device to verify that the source IP of the traffic is arriving on the appropriate interface. If this is not the case, the packet is discarded.
Strict IP Address Check: Select the checkbox to discard packets with malformed source or destination IP addresses. For example, discard packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use.
Fragmented traffic: Discard fragmented IP packets.
Strict Source Routing: Discard packets with the Strict Source Routing IP option set.
Loose Source Routing: Discard packets with the Loose Source Routing IP option set.
Timestamp: Discard packets with the Timestamp IP option set.
Record Route: Discard packets with the Record Route IP option set.
Security: Discard packets if the Security option is defined.
Stream ID: Discard packets if the Stream ID option is defined.
Unknown: Discard packets if the option class and number are unknown.
Malformed: Discard packets if they have incorrect combinations of class, number, and length based on RFC 791, 1108, 1393, and 2113.
To configure TCP Drop, you can specify the following settings:
Mismatched overlapping TCP segment: Causes the firewall to report an overlap mismatch and drop the packet when segment data does not match in these scenarios:
- The segment is within another segment.
- The segment overlaps with part of another segment.
- The segment covers another segment.
This protection mechanism uses sequence numbers to determine where packets reside within the TCP data stream.
Split Handshake: Prevents a TCP session from being established if the session establishment procedure does not use the well-known 3-way handshake. A 4-way or 5-way split handshake or a simultaneous open session establishment procedure are examples of variations that would not be allowed.
Reject Non-SYN TCP: Determines whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
- global—Use system-wide setting that is assigned through the CLI.
- yes—Reject non-SYN TCP traffic.
- no—Accept non-SYN TCP traffic.
Asymmetric Path: Determines whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
- global—Use system-wide setting that is assigned through the CLI.
- drop—Drop packets that contain an asymmetric path.
- bypass—Bypass scanning on packets that contain an asymmetric path.
Remove TCP Timestamp: Determines whether the packet has a TCP timestamp in the header and, if it does, strips the timestamp from the header.
To configure ICMP Drop, you can specify the following settings:
ICMP Ping ID 0: Discard packets if the ICMP ping packet has an identifier value of 0.
ICMP Fragment: Discard packets that consist of ICMP fragments.
ICMP Large Packet (>1024): Discard ICMP packets that are larger than 1024 bytes.
Discard ICMP embedded with error message: Discard ICMP packets that are embedded with an error message.
Suppress ICMP TTL Expired Error: Stop sending ICMP TTL expired messages.
Suppress ICMP Frag Needed: Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set.
To configure IPv6 Drop, you can specify the following settings:
Type 0 Routing Header: Discard IPv6 packets containing a Type 0 routing header. See RFC 5095 for Type 0 routing header information.
IPv4 compatible address: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
Anycast source address: Discard IPv6 packets that contain an anycast source address.
Needless fragment header: Discard IPv6 packets with the last fragment flag (M=0) and an offset of zero.
MTU in ICMP ‘Packet Too Big’ less than 1280 bytes: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1280 bytes.
Hop-by-Hop extension: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
Routing extension: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on the way to their destination.
Destination extension: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
Invalid IPv6 options in extension header: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
Non-zero reserved field: Discard IPv6 packets that have a header with a reserved field not set to zero.
To configure ICMPv6 Drop, you can specify the following settings:
ICMPv6 destination unreachable - require explicit security rule match: Require an explicit security policy match for destination unreachable ICMPv6 errors even when associated with an existing session.
ICMPv6 packet too big - require explicit security rule match: Require an explicit security policy match for packet too big ICMPv6 errors even when associated with an existing session.
ICMPv6 time exceeded - require explicit security rule match: Require an explicit security policy match for time exceeded ICMPv6 errors even when associated with an existing session.
ICMPv6 parameter problem - require explicit security rule match: Require an explicit security policy match for parameter problem ICMPv6 errors even when associated with an existing session.
ICMPv6 redirect - require explicit security rule match: Require an explicit security policy match for redirect ICMPv6 messages even when associated with an existing session.
In order to apply a zone protection profile to a zone, we can go to our Zones page and edit the zone where we want to apply our profile. Simply use the dropdown next to Zone Protection Profile, select the profile you created earlier, and commit the change.
You can verify the zone protection profile in the CLI using the following command.
show zone-protection zone <zone_name>
As you can see in the example, my untrust zone now has the profile ZoneProtection assigned to it.
This concludes my video on Zone Protection Profiles.
As always, feel free to leave comments in the comment section below.
Cheers!
See also
Below are some links to the RFCs mentioned in the video tutorial: