How to block IKE Version 1 traffic with application signature

How to block IKE Version 1 traffic with application signature

159
Created On 06/20/22 13:05 PM - Last Modified 02/04/26 23:21 PM


Objective


This article instructs how to block IKE version 1 traffic to avoid ambiguities and vulnerabilities inherent in IKEv1.

Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Custom Application.

Procedure


​​​​​Step1: Create a custom application


On the Web UI:

  1. Navigate to Objects > Applications
  2. Click Add to bring up the Application dialog
  3. Under Configuration, we will configure the following fields:
  • General
    • Name: IKEv1
    • Description: Internet key exchange (IKE) is the protocol used to set up a Security Association in the IPsec protocol suite.
  • Properties
    • Category: networking
    • SubCategory: encrypted-tunnel
    • Technology: client-server
    • Parent App: ike
    • Risk: 2
  • Characteristics
    • Evasive: no
    • Excessive Bandwidth Use: no
    • Used by Malware: no
    • Capable of File Transfer: no
    • Has Known Vulnerabilities: yes
    • Tunnels Other Applications: yes
    • Prone to Misuse: no
    • Widely Used: yes

Application - Configuration

  1. Under Advanced, we will configure the following fields:
  • Defaults
    • We will check Port
    • Under PORT we will Click add and write: tcp/500 
    •  Click add and write: UDP/500
  • Timeouts - We will leave as default
  • Scanning
    • We will check File Types, Viruses, Data Patterns

Application - Advanced

  1. Under Signatures, we will configure the following
  • Click Add to bring up the Signature dialog
    • In the Signature Name Field write the Signature name
    • In the Scope Field choose Transaction
    • Check the Ordered Condition Match option

 Application - Signature

  • Click Add and Condition to bring up the Condition dialog
    • On Operator choose Equal To
    • On Context choose ike-version
    • On Value write 16

Application - Signature - Condition

Explanation on the "value field" - Ike version field contains 8 bits, first 4 bits for the numbers after the decimal point and the second 4 bits for the before the decimal point
For example: IKE version 1 is presented as 1.0, in binary it will present as 0001000 which equal to 16.
IKE version 2 is presented as 2.0, in binary it will present as 0010000 which equal to 32.

Step2: After creating the custom application Add this application to security rule with drop action:

IKEv1 Policy Drop

Step3: Verify the IKEv1 negotiation is dropped in the security policy as shown in the following log:
image.png

And on the firewalls Tunnels panel:
image.png
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cq6fCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail