New informational-severity Threat log messages ID:8723 and 8724 appeared after upgrading PAN-OS to 8.0 or later
Created On 01/27/20 07:56 AM - Last Modified 02/15/23 02:17 AM
Question
After upgrading PAN-OS from 7.1 or an earlier version to 8.0 or a later release, the count of Threat logs with "informational" severity increased.
Why are these Threat logs generated?
The detected Threat names and IDs are:
- TCP SYN with data (8723)
- TCP SYN-ACK with data (8724)
Environment
Firewalls and Panorama with PAN-OS 8.0 or later releases
Answer
This is expected behavior of the Zone Protection feature.
Since PAN-OS 8.0, the Packet Based Attack Protection settings of a Zone Protection profile can drop TCP SYN and SYN-ACK packets that carry data in the payload during the three-way handshake.
By default, a Zone Protection profile drops SYN and SYN-ACK packets with data, and the corresponding settings are enabled in every Zone Protection profile configured on the firewall.
When the software is upgraded to PAN-OS 8.0 or later from 7.1 or an earlier release, these settings are enabled automatically, which is why the informational Threat logs with IDs 8723 and 8724 start to appear.
You can find the settings in the [Zone Protection Profile > Packet Based Attack Protection > TCP Drop] tab of the [Network > Zone Protection] Web UI screen.
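As an added illustration (not code from this article or from Palo Alto Networks), the Python below mimics the check behind these two log IDs: it parses a raw TCP segment and reports 8723 for a SYN carrying payload and 8724 for a SYN-ACK carrying payload, while options-only SYNs and data on ordinary ACKs pass. The segment builder and the sample segments are constructed for the demo.

```python
import struct

# Threat IDs named in the article for the Zone Protection "TCP Drop" checks
SYN_WITH_DATA = 8723       # "TCP SYN with data"
SYN_ACK_WITH_DATA = 8724   # "TCP SYN-ACK with data"

FLAG_SYN = 0x02
FLAG_ACK = 0x10


def classify_tcp_segment(segment: bytes):
    """Return the matching threat ID for a raw TCP segment (header + payload),
    or None if the segment would not trigger either check.

    Mirrors the handshake rule described above: a SYN or SYN-ACK that carries
    payload bytes is flagged; TCP options are header, not payload, so a SYN
    with only MSS/SACK/etc. options is not flagged.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Bytes 12-13: data offset (high 4 bits, in 32-bit words) + 9 flag bits
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x01FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    payload_len = len(segment) - data_offset
    if not flags & FLAG_SYN or payload_len == 0:
        return None
    return SYN_ACK_WITH_DATA if flags & FLAG_ACK else SYN_WITH_DATA


def build_segment(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed helper: minimal TCP header (checksum left zero) + options + payload."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (data_offset_words << 12) | flags, 65535, 0, 0)
    return header + options + payload


def summarize(segments):
    """Count hits per threat ID, the way the Threat log tallies grow after upgrade."""
    counts = {}
    for seg in segments:
        tid = classify_tcp_segment(seg)
        if tid is not None:
            counts[tid] = counts.get(tid, 0) + 1
    return counts
```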
Additional Information
The "Zone Protection for SYN Data Payloads" section of the PAN-OS® 8.0 New Features Guide (Networking Features) provides detailed information about this feature.
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/8-0/pan-os-new-features/pan-os-new-features.pdf
PAN-OS 8.0 SYN DATA PAYLOAD PROTECTION
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT5CAK