Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:zone_protection [2020/05/28 15:51] – bstafford
+++ paloaltonetworks:configuration:zone_protection [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== Zone Protection ======
+Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time.
+===== Logging =====
+To enable the additional logging, run this operational command:
+<code>set system setting additional-threat-log on</code>
+More data [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
 ===== Troubleshooting =====
 Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]].
+While not strictly Zone Protection, Device > Setup > Session > "Drop segments with null timestamp option" will break PS4 connection to Internet.
+===== Logging =====
+Zone Protection Profile alerts appear in the Threat Prevention logs.
 ===== Zone Protection Profile Logging =====
@@ Line 18: / Line 29: @@
 ===== Problems with Zone Protection =====
-  * **Strict IP Address Check** caused problems when doing BGP and ECMP with four ISP links after a HA failover.
+  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewall's were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
   * **Fragmented traffic** broke the PS3 connection to the Internet.
   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.
@@ Line 24: / Line 35: @@
   * **ICMP Drop > Suppress ICMP Frag Needed** This setting will interfere with the PMTUD process performed by hosts behind the firewall.
 ===== Best Practice =====
+(Remember, Spoofed IP address is based on routing tables. Strict IP Address Check is based on ingress interface - be wary with aggregate links)
 Palo Alto Network's best practice (June 2019) is to block **Spoofed IP Address** (//internal zones only//) as well as **Unknown** and **Malformed** under IP Option Drop. Also, block **TCP with SYN data** and **TCP with SYNACK data** and strip **TCP Timestamp** option. IPv6 drop best practice is to to drop packets with routing header type 0, 1, 4 to 252 and 255.