Firewall is dropping fragmented packets when zone protection is enabled

50419
Created On 11/20/19 04:15 AM - Last Modified 10/31/20 13:35 PM


Symptom


  • Firewall drops the packets and global counter “flow_dos_pf_ipfrag” increments.
   > show counter global filter packet-filter yes delta yes

   Global counters:
   Elapsed time since last sampling: 3.917 seconds

   name                    value   rate  severity  category  aspect  description
   --------------------------------------------------------------------------------
   flow_dos_pf_ipfrag          2      0  drop      flow      dos     Packets dropped: Zone protection option 'discard-ip-frag'

  • Refer to the document below, which explains how to check the global counters for a specific traffic flow:
       How to check global counters for a specific source and destination IP address

 



Environment


  • Zone protection configured with “discard-ip-frag” enabled



Cause


  • The firewall drops all received fragmented packets if the ingress zone has a zone protection profile with the “Fragmented traffic” option (discard-ip-frag) enabled.
  • Run the following command in the CLI to check whether the setting is configured:

       > show zone-protection zone <ingress zone name>

       ------------------------------------------------------------------------------------------
       Number of zones with protection profile: 1
       ------------------------------------------------------------------------------------------
       Zone L3-Trust, vsys vsys1, profile Sample
       ------------------------------------------------------------------------------------------
       IPv(4/6) Filter:
       discard-ip-frag: enabled: yes, packet dropped: 10            ---> The option is enabled here
       tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
       discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
       discard-tcp-synack-with-data: enabled: yes, packet dropped: 0
       IPv4 packet filter:
       IPv6 packet filter:
       ------------------------------------------------------------------------------------------
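As an added example (not from the article or from Palo Alto Networks), the Python below parses the two CLI outputs shown in this article, using constructed samples modelled on them, and confirms both conditions the article describes: the flow_dos_pf_ipfrag counter incrementing in the sampled delta, and discard-ip-frag enabled in the ingress zone's protection profile. The column layout and the regular expressions are assumptions based on the output as printed above.

```python
import re
from typing import Dict, Tuple

# Constructed sample output, modelled on the "show counter global ... delta yes" output above.
COUNTER_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 3.917 seconds

name                    value   rate  severity  category  aspect  description
--------------------------------------------------------------------------------
flow_dos_pf_ipfrag          2      0  drop      flow      dos     Packets dropped: Zone protection option 'discard-ip-frag'
"""

# Constructed sample output, modelled on the "show zone-protection zone" output above.
ZONE_PROTECTION_OUTPUT = """\
Zone L3-Trust, vsys vsys1, profile Sample
IPv(4/6) Filter:
discard-ip-frag: enabled: yes, packet dropped: 10
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
"""

# Assumed column layout: name value rate severity category aspect description.
COUNTER_RE = re.compile(r"^\s*([\w-]+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")
# Assumed option line layout; "(global)" appears only for globally applied options.
OPTION_RE = re.compile(r"^\s*([\w-]+): enabled: (yes|no)(?:, \(global\))?, packet dropped: (\d+)")


def parse_global_counters(text: str) -> Dict[str, dict]:
    """Map counter name -> fields for each data row; header and ruler lines do not match."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name, value, rate, severity, category, aspect, desc = m.groups()
            counters[name] = {"value": int(value), "rate": int(rate), "severity": severity,
                              "category": category, "aspect": aspect, "description": desc}
    return counters


def parse_zone_protection(text: str) -> Dict[str, Tuple[bool, int]]:
    """Map packet-based attack protection option -> (enabled, packets dropped)."""
    options = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = (m.group(2) == "yes", int(m.group(3)))
    return options


def fragments_dropped_by_zone_protection(counter_text: str, zp_text: str) -> bool:
    """True when flow_dos_pf_ipfrag moved in this sample AND discard-ip-frag is enabled."""
    delta = parse_global_counters(counter_text).get("flow_dos_pf_ipfrag", {}).get("value", 0)
    enabled, _ = parse_zone_protection(zp_text).get("discard-ip-frag", (False, 0))
    return delta > 0 and enabled
```

With the sampled output it returns True; if the profile shows discard-ip-frag disabled, the fragment drops have another cause and the counter description should be checked instead.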
 



Resolution


  • If this is legitimate traffic that you wish to allow, you can disable the option to allow the fragmented traffic.

       Note: Disabling the “Fragmented traffic” drop may carry a security risk. If you do not wish to change this option, check the upstream device to see why the firewall is receiving fragmented packets.

      From the GUI:
  • Select Network --> Network Profiles --> Zone Protection
  • Click the name of the zone protection profile
  • Select the “Packet Based Attack Protection” tab and the IP Drop subtab
  • Uncheck the “Fragmented traffic” option and click OK


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNZMCA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail