paloaltonetworks:configuration:zone_protection

Differences

paloaltonetworks:configuration:zone_protection [2020/05/28 15:51] – [Problems with Zone Protection] bstafford
paloaltonetworks:configuration:zone_protection [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-======Zone Protection====== +====== Zone Protection ====== 
-=====Troubleshooting=====+Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time. 
 +===== Logging ===== 
 +To enable the additional logging, run this operational command: 
 + 
 +<code>set system setting additional-threat-log on</code> 
 +More data [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]]. 
 +===== Troubleshooting =====
 Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]]. Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]].
  
-=====Zone Protection Profile Logging=====+While not strictly Zone Protection, Device > Setup > Session > "Drop segments with null timestamp option" will break PS4 connection to Internet. 
 + 
 +===== Logging ===== 
 +Zone Protection Profile alerts appear in the Threat Prevention logs. 
 + 
 +===== Zone Protection Profile Logging =====
  
   * Flood Protection logs appear under the Threat Logs.   * Flood Protection logs appear under the Threat Logs.
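Review bot: the new revision ends up with three logging headings in a row: a `===== Logging =====` directly under the page title (carrying the `set system setting additional-threat-log on` command and the Live Community link), a second `===== Logging =====` after the Troubleshooting section ("Zone Protection Profile alerts appear in the Threat Prevention logs"), and then the pre-existing `===== Zone Protection Profile Logging =====` section. Merge these into one Logging section so the command, the link and the log-location notes sit together, and settle on one name for the log ("Threat Prevention logs" in the new sentence versus "Threat Logs" in the Flood Protection bullet). Two placement points as well: the sentence "you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time" sits under the title with no heading and is a configuration caveat, so it fits the Best Practice section; and the Device > Setup > Session "Drop segments with null timestamp option" note, which the line itself says is not strictly Zone Protection, is a known-breakage item that reads better as a bullet under Problems with Zone Protection than under Troubleshooting, where the only other content is the pointer to the testing page.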
Line 16: Line 27:
 Packet Based Attack Protection Packet Based Attack Protection
 <code>show counter global filter packet-filter yes delta yes | match Zone</code> <code>show counter global filter packet-filter yes delta yes | match Zone</code>
-=====Problems with Zone Protection=====+===== Problems with Zone Protection =====
  
-  * **Strict IP Address Check** caused problems when doing BGP and ECMP with four ISP links after a HA failover.+  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewall's were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
   * **Fragmented traffic** broke the PS3 connection to the Internet.   * **Fragmented traffic** broke the PS3 connection to the Internet.
   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.
   * **ICMP Drop > Discard ICMP embedded with error message** This will break all hops of a traceroute (except for the first) and mark each hop as "Request timed out".This is when traceroute is starting from inside the network and the zone protection profile is on the inside zone.   * **ICMP Drop > Discard ICMP embedded with error message** This will break all hops of a traceroute (except for the first) and mark each hop as "Request timed out".This is when traceroute is starting from inside the network and the zone protection profile is on the inside zone.
   * **ICMP Drop > Suppress ICMP Frag Needed** This setting will interfere with the PMTUD process performed by hosts behind the firewall.   * **ICMP Drop > Suppress ICMP Frag Needed** This setting will interfere with the PMTUD process performed by hosts behind the firewall.
-=====Best Practice=====+===== Best Practice ===== 
 +(Remember, Spoofed IP address is based on routing tables. Strict IP Address Check is based on ingress interface - be wary with aggregate links) 
 Palo Alto Network's best practice (June 2019) is to block **Spoofed IP Address** (//internal zones only//) as well as **Unknown** and **Malformed** under IP Option Drop. Also, block **TCP with SYN data** and **TCP with SYNACK data** and strip **TCP Timestamp** option. IPv6 drop best practice is to to drop packets with routing header type 0, 1, 4 to 252 and 255. Palo Alto Network's best practice (June 2019) is to block **Spoofed IP Address** (//internal zones only//) as well as **Unknown** and **Malformed** under IP Option Drop. Also, block **TCP with SYN data** and **TCP with SYNACK data** and strip **TCP Timestamp** option. IPv6 drop best practice is to to drop packets with routing header type 0, 1, 4 to 252 and 255.
  
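Review bot: in the expanded Strict IP Address Check bullet, "both firewall's were Palo Alto Networks" should be the plural "firewalls", and the bullet mixes past tense ("caused", "couldn't ping") with present ("This also causes"); keep one tense, e.g. "It also broke BGP with ECMP across four ISP links after an HA failover, and stopped internal hosts pinging past the ISP router after a PBF failover from ISP1 to ISP2 with the check enabled on the External zone protection profile." The bracketed line added above the Best Practice paragraph, "(Remember, Spoofed IP address is based on routing tables. Strict IP Address Check is based on ingress interface - be wary with aggregate links)", is the only place the page distinguishes the two checks; it would serve readers better as a full sentence, either opening the Best Practice paragraph (which recommends Spoofed IP Address for internal zones) or attached to the Strict IP Address Check bullet it relates to, rather than as a bare parenthetical. While in this section, the Best Practice paragraph still carries the doubled "to to drop packets" and the ICMP Drop bullet the missing space in `"Request timed out".This` from the previous revision.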
paloaltonetworks/configuration/zone_protection.1590681089.txt.gz · Last modified: (external edit)