Saucepan

User Tools

Site Tools

Trace: console user_id_terminal_services snmp technical_support_file basics panorama certificates globalprotect ipv6 lsvpn
paloaltonetworks:configuration:zone_protection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:zone_protection [2020/05/28 15:45] – [Best Practice] bstaffordpaloaltonetworks:configuration:zone_protection [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-======Zone Protection====== +====== Zone Protection ====== 
-=====Troubleshooting=====+Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time. 
 +===== Logging ===== 
 +To enable the additional logging, run this operational command: 
 + 
 +<code>set system setting additional-threat-log on</code> 
 +More data [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]]. 
 +===== Troubleshooting =====
 Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]]. Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]].
  
-=====Zone Protection Profile Logging=====+While not strictly Zone Protection, Device > Setup > Session > "Drop segments with null timestamp option" will break PS4 connection to Internet. 
 + 
 +===== Logging ===== 
 +Zone Protection Profile alerts appear in the Threat Prevention logs. 
 + 
 +===== Zone Protection Profile Logging =====
  
   * Flood Protection logs appear under the Threat Logs.   * Flood Protection logs appear under the Threat Logs.
Line 16: Line 27:
 Packet Based Attack Protection Packet Based Attack Protection
 <code>show counter global filter packet-filter yes delta yes | match Zone</code> <code>show counter global filter packet-filter yes delta yes | match Zone</code>
-=====Problems with Zone Protection=====+===== Problems with Zone Protection =====
  
-  * **Strict IP Address Check** caused problems when doing BGP and ECMP with four ISP links after a HA failover.+  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewall's were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
   * **Fragmented traffic** broke the PS3 connection to the Internet.   * **Fragmented traffic** broke the PS3 connection to the Internet.
   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.
   * **ICMP Drop > Discard ICMP embedded with error message** This will break all hops of a traceroute (except for the first) and mark each hop as "Request timed out".This is when traceroute is starting from inside the network and the zone protection profile is on the inside zone.   * **ICMP Drop > Discard ICMP embedded with error message** This will break all hops of a traceroute (except for the first) and mark each hop as "Request timed out".This is when traceroute is starting from inside the network and the zone protection profile is on the inside zone.
-=====Best Practice=====+  * **ICMP Drop > Suppress ICMP Frag Needed** This setting will interfere with the PMTUD process performed by hosts behind the firewall. 
 +===== Best Practice ===== 
 +(Remember, Spoofed IP address is based on routing tables. Strict IP Address Check is based on ingress interface - be wary with aggregate links) 
 Palo Alto Network's best practice (June 2019) is to block **Spoofed IP Address** (//internal zones only//) as well as **Unknown** and **Malformed** under IP Option Drop. Also, block **TCP with SYN data** and **TCP with SYNACK data** and strip **TCP Timestamp** option. IPv6 drop best practice is to to drop packets with routing header type 0, 1, 4 to 252 and 255. Palo Alto Network's best practice (June 2019) is to block **Spoofed IP Address** (//internal zones only//) as well as **Unknown** and **Malformed** under IP Option Drop. Also, block **TCP with SYN data** and **TCP with SYNACK data** and strip **TCP Timestamp** option. IPv6 drop best practice is to to drop packets with routing header type 0, 1, 4 to 252 and 255.
  
 +A packet is **malformed** if it has incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
 +
 +A packet is **unknown** if the class and number are unknown.
 +
 +**Spoofed IP Address** - On internal zones only, drop spoofed IP address packets to ensure that on ingress, the source address matches the firewall routing table. Obviously, this doesn't really work on the interface that the default route points to.
 +
 +**Reject Non-SYN TCP** - If you configure Tunnel Content Inspection on a zone and enable Rematch Sessions, then for that zone only, disable Reject Non-SYN TCP so that enabling or editing a Tunnel Content Inspection policy doesn’t cause the firewall to drop existing tunnel sessions.
  
paloaltonetworks/configuration/zone_protection.1590680741.txt.gz · Last modified: (external edit)