How to Block IP in IP application CVE-2020-11896 and CVE-2020-11898

Created On 07/08/20 19:04 PM - Last Modified 07/08/20 19:05 PM


Objective


How to block IP in IP traffic to mitigate CVE-2020-11896 and CVE-2020-11898.

Environment


All Palo Alto firewalls running PAN-OS 8.1 and up

Procedure


To block IP in IP traffic, create a deny rule toward the top of the rule stack.

Name the rule, then set Source, User, and Destination to the endpoints or network area you wish this rule to cover. 


In my example, I want to cover the entire network, so I set them to ANY.
Now add the IP in IP application in the Application tab.
And set the action to Deny.
Your finished rule will look like this. Remember to commit the changes. 
If at any time you wish to add more applications to this block list, go to the Application tab and add them.
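
IP in IP encapsulation is carried as IPv4 protocol number 4 (RFC 2003), so a packet capture taken on either side of the firewall shows whether such traffic is present before the rule and absent after the commit. The Python below is an added example, not part of the original article or of any Palo Alto tooling: it classifies raw IPv4 packets and reports the inner endpoints of encapsulated ones. The function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation (RFC 2003)


def parse_ipv4_header(data):
    """Return (protocol, src, dst, header_len), or None if data is not a usable IPv4 header."""
    if len(data) < 20:
        return None
    version, header_len = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or header_len < 20 or len(data) < header_len:
        return None
    src = str(ipaddress.IPv4Address(data[12:16]))
    dst = str(ipaddress.IPv4Address(data[16:20]))
    return data[9], src, dst, header_len


def classify(packet):
    """Report whether a raw IPv4 packet is IP in IP and, if so, the inner endpoints."""
    outer = parse_ipv4_header(packet)
    if outer is None:
        return {"ipip": False, "outer": None, "inner": None}
    proto, src, dst, header_len = outer
    result = {"ipip": proto == IPPROTO_IPIP, "outer": (src, dst), "inner": None}
    if result["ipip"]:
        inner = parse_ipv4_header(packet[header_len:])
        # A missing or truncated inner header is still IP in IP traffic.
        if inner is not None:
            result["inner"] = (inner[1], inner[2])
    return result


def build_header(proto, src, dst, payload=b""):
    """Constructed test input: a 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


# Constructed sample packets (documentation and private addresses, not from the article).
INNER_UDP = build_header(17, "10.0.0.1", "10.0.0.2", b"\x00" * 8)
SAMPLES = {
    "plain_tcp": build_header(6, "198.51.100.10", "203.0.113.5", b"\x00" * 20),
    "ipip": build_header(IPPROTO_IPIP, "198.51.100.10", "203.0.113.5", INNER_UDP),
    "ipip_truncated": build_header(IPPROTO_IPIP, "198.51.100.10", "203.0.113.5", INNER_UDP[:8]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```
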

Thank you for using Palo Alto Networks and thank you for taking the time to read this set of instructions.