Unable to locate Unique Threat ID 8708 to create a threat exception.

7480

Created On 06/29/23 07:48 AM - Last Modified 06/29/23 07:53 AM

Objects

Vulnerability Protection

Zone Protection

Threat Prevention

Zone and DoS Protection

8.1

9.1

10.0

10.2

10.1

11.0

PAN-OS

Symptom

The Threat Vault (https://threatvault.paloaltonetworks.com/) classifies the signature as "Vulnerability Protection Signatures".
Unable to locate the Unique threat ID 8708 to create an exception in the vulnerability protection profile.

Palo Alto Networks Firewalls configured with Zone Protection Profile and Packet Based Attack Protection.
PAN-OS 8.1.0 and later versions.
PAN-OS 9.1.0 and later versions.
PAN-OS 10.0.0 and later versions.
PAN-OS 10.1.0 and later versions.
PAN-OS 10.2.0 and later versions.
PAN-OS 11.0.0 and later versions.

Although the Unique threat ID 8708 is identified as a "Vulnerability Protection Signature," all signatures IDs between 8700-8799 are associated with Packet Based Attacks Protections available in the "Zone Protection" profiles.
Unique threat ID 8708 (Invalid IP fragment length), when triggered, will discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

This is the expected behavior. Exceptions for this signature cannot be found under the "Vulnerability Protection Profile."
There are no threat exceptions for signatures related to Packet Based Protections.
If disabling the alerts for this signature is required, uncheck the option for "Malformed" packets in the Packet Based Attack Protection configuration.

Network -->Zone Protection --> Zone Protection Profile -->Packet Based Attack Protection-->IP Drop---->IP Option Drop---->Malformed

What are the Threat IDs for Packet Based Attacks associated with Zone Protection?