How to Troubleshoot Potential Issues with the Packet-Based Attack Protection mechanisms recommended to Mitigate the CVE-2022-0028 Threat
Objective
Provide guidance on how to search for indicators related to the TCP SYN with Data and TCP Fast Open options in the PAN-OS web GUI and CLI.
Environment
- Any PAN-OS
- Threat Logs
- CVE-2022-0028
Procedure
In the security advisory addressing CVE-2022-0028, the “Recommended” workaround suggests enabling the “TCP SYN with Data” and the strip “TCP Fast Open” options in the Packet-based Attack Protection section of the Zone Protection profile. Refer to the Palo Alto Networks Security Advisory for CVE-2022-0028.
1. Use the operational CLI command to enable logging for the Packet-based Attack Protection mechanisms.
Refer to Configure Packet Based Attack Protection for the CLI command that enables logging for the Packet-based Attack Protection methods in the Zone Protection profile.
CLI Command:
> set system setting additional-threat-log on
2. Check the Threat Logs for the "packet" subtype.
Once logging is enabled and the two options are checked, you can observe or query the threat logs for the subtype “packet” using the log “Type” column:
( subtype eq packet )
The corresponding “Threat ID/Name” column will show either “TCP SYN with data” or “TCP Fast Open” for the selected options (GUI: Monitor > Logs > Threat).
3. Check the Zone Protection profile to see the enabled Packet-based Attack Protection mechanisms.
In the CLI, the following command displays the enabled settings of the Zone Protection profile applied to the given zone.
> show zone-protection zone <zone name>
NOTE: By default, four IPv6 options are enabled in a Zone Protection profile. If you do not want them enabled, uncheck them in the “IPv6 Drop” section under “Packet-based Attack Protection” in your Zone Protection profile.
After entering the "show zone-protection zone ..." command above, you should see output like the following if only the two recommended TCP Drop options are selected:
------------------------------------------------------------------------------------------
Number of zones with protection profile: 1
------------------------------------------------------------------------------------------
Zone <zone name>, vsys vsys1, profile <profile name>
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
strip-tcp-fast-open-and-data: enabled: yes, packet stripped: 0
IPv4 packet filter:
IPv6 packet filter:
------------------------------------------------------------------------------------------
This output shows the number of packets dropped and/or stripped by the two enabled settings; a non-zero count means the firewall has already acted on matching packets in that zone.
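As an added example (not part of this article and not a Palo Alto Networks tool), the following Python script parses the "show zone-protection zone" output shown above and reports, per zone, which of the two recommended options is not enabled and which has a non-zero drop/strip counter. The zone, vsys and profile names in the sample output are constructed; the line layout follows the output above.

```python
import re

# Constructed sample modelled on "show zone-protection zone <zone name>" output above.
SAMPLE_OUTPUT = """\
Number of zones with protection profile: 1
------------------------------------------------------------------------------------------
Zone untrust, vsys vsys1, profile ZPP-CVE-2022-0028
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
discard-tcp-syn-with-data: enabled: yes, packet dropped: 12
strip-tcp-fast-open-and-data: enabled: no, packet stripped: 0
IPv4 packet filter:
IPv6 packet filter:
"""

# The two Packet-based Attack Protection settings the advisory workaround relies on.
RECOMMENDED = ("discard-tcp-syn-with-data", "strip-tcp-fast-open-and-data")

ZONE_RE = re.compile(r"^Zone (?P<zone>[^,]+), vsys (?P<vsys>\S+), profile (?P<profile>.+)$")
SETTING_RE = re.compile(
    r"^(?P<name>[a-z0-9-]+): enabled: (?P<enabled>yes|no)(?:, \(global\))?, "
    r"packet (?:dropped|stripped): (?P<count>\d+)$"
)

def parse_zone_protection(text):
    # Returns {zone: {"profile": name, "settings": {setting: (enabled, counter)}}}.
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:  # a new zone/profile header starts a new settings section
            current = zones.setdefault(m["zone"], {"profile": m["profile"], "settings": {}})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:  # separator and "filter:" lines are ignored
            current["settings"][m["name"]] = (m["enabled"] == "yes", int(m["count"]))
    return zones

def check_mitigation(zones):
    # Per zone: recommended settings not enabled, and non-zero counters (matching traffic seen).
    report = {}
    for zone, info in zones.items():
        settings = info["settings"]
        missing = [s for s in RECOMMENDED if not settings.get(s, (False, 0))[0]]
        hits = {s: settings[s][1] for s in RECOMMENDED if s in settings and settings[s][1] > 0}
        report[zone] = {"profile": info["profile"], "missing": missing, "hits": hits}
    return report
```

Run it against the saved output of the show command for each zone; an empty "missing" list confirms both workaround options are enabled, and "hits" tells you which zones have already dropped or stripped matching packets.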