
Zone Protection

Remember: do not enable TCP SYN flood protection in both a Zone Protection profile and a DoS Protection policy at the same time.

Logging

By default, packet-based attack protection drops are only counted, not logged. To have them written to the Threat log, run this operational CLI command:

set system setting additional-threat-log on


Troubleshooting

Information on troubleshooting Zone Protection Profiles can be found here.

While not strictly Zone Protection, enabling Device > Setup > Session > "Drop segments with null timestamp option" breaks a PlayStation 4's connection to the Internet.

Logging

Zone Protection Profile alerts appear in the Threat log (Monitor > Logs > Threat). The flood protection filters below match them by subtype and threat name.

Zone Protection Profile Logging

Flood protection

( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( severity eq critical )

Packet Based Attack Protection

Packet-based attack protection drops are not logged unless additional-threat-log is enabled (see Logging above), so check the global counters instead. With packet-filter yes the counters are limited to traffic matching the current dataplane packet-diag filter, so set one first (debug dataplane packet-diag set filter ...) and then run:

show counter global filter packet-filter yes delta yes | match Zone

Problems with Zone Protection

Best Practice

(Remember: the Spoofed IP Address check is based on the routing table, while the Strict IP Address Check is based on the ingress interface; be wary of aggregate links with the latter.)

Palo Alto Networks' best practice (June 2019) is to block Spoofed IP Address (internal zones only) as well as Unknown and Malformed under IP Option Drop. Also block TCP SYN with Data and TCP SYN-ACK with Data, and strip the TCP Timestamp option. The IPv6 drop best practice is to drop packets with routing header type 0, 1, 4 to 252, and 255.

A packet's IP options are malformed if they contain an incorrect combination of class, number, and length according to RFCs 791, 1108, 1393, and 2113 (for example, a known option whose length byte is outside the range the RFC allows or runs past the end of the options field).

A packet's IP options are unknown if an option's class and number combination is not one of the defined options (this includes the reserved classes 1 and 3).
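As an added worked example (my own code, not Palo Alto Networks' implementation), the following Python classifies the options in an IPv4 header the way the two definitions above describe: unknown when the class/number pair is not a defined option, malformed when a known option's length byte is missing, outside the length its RFC allows, or overruns the options field. The table of known options and their length limits is my reading of RFCs 791, 1108, 1393 and 2113; the firewall's actual table is not documented on this page, and the sample headers are constructed for the demonstration.

```python
"""Classify the IPv4 options of a packet header as ok, unknown or malformed.

Added example, not Palo Alto Networks code: the table of known options below
is my own reading of RFC 791, 1108, 1393 and 2113; the firewall's actual table
and its exact length rules are not documented on this page.
"""

# (class, number) -> (name, min_len, max_len) for options that carry a length
# byte. EOOL (type 0) and NOP (type 1) are single bytes and handled inline.
KNOWN_OPTIONS = {
    (0, 2): ("Security", 3, 40),           # RFC 1108 Basic Security Option (type 130)
    (0, 3): ("LSRR", 3, 40),               # RFC 791 Loose Source Route (131)
    (0, 5): ("Extended Security", 3, 40),  # RFC 1108 (133)
    (0, 7): ("RR", 3, 40),                 # RFC 791 Record Route (7)
    (0, 8): ("Stream ID", 4, 4),           # RFC 791 (136)
    (0, 9): ("SSRR", 3, 40),               # RFC 791 Strict Source Route (137)
    (0, 20): ("Router Alert", 4, 4),       # RFC 2113 (148)
    (2, 4): ("Timestamp", 4, 40),          # RFC 791 Internet Timestamp (68)
    (2, 18): ("Traceroute", 12, 12),       # RFC 1393 (82)
}


def classify_options(opts):
    """Walk the options field and return (verdict, [option names seen]).

    verdict is 'ok', 'unknown' (class/number not defined) or 'malformed'
    (length byte missing, outside the RFC range, or overrunning the field).
    """
    names, i = [], 0
    while i < len(opts):
        t = opts[i]
        cls, num = (t >> 5) & 0x3, t & 0x1F   # bit 7 is the 'copied' flag
        if t == 0:                            # EOOL: remainder is padding
            names.append("EOOL")
            break
        if t == 1:                            # NOP: one byte, no length
            names.append("NOP")
            i += 1
            continue
        if (cls, num) not in KNOWN_OPTIONS:   # reserved class or undefined number
            return "unknown", names + ["type %d" % t]
        name, lo, hi = KNOWN_OPTIONS[(cls, num)]
        if i + 1 >= len(opts):                # length byte cut off
            return "malformed", names + [name]
        length = opts[i + 1]
        if length < lo or length > hi or i + length > len(opts):
            return "malformed", names + [name]
        names.append(name)
        i += length
    return "ok", names


def classify_ipv4_header(header):
    """Extract the options field from a raw IPv4 header and classify it."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return "malformed", []
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        return "malformed", []
    return classify_options(header[20:ihl])


def build_header(options):
    """Constructed test input: minimal IPv4 header with the given options,
    padded with EOOL bytes to a 4-byte boundary."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    total = 20 + len(opts)
    return bytes([0x40 | ihl, 0]) + total.to_bytes(2, "big") + b"\x00" * 16 + opts


if __name__ == "__main__":
    samples = {
        "router alert": build_header(b"\x94\x04\x00\x00"),
        "router alert, bad length": build_header(b"\x94\x05\x00\x00\x00"),
        "reserved class 1": build_header(b"\x3f\x04\x00\x00"),
        "LSRR overrunning header": build_header(b"\x83\x08\x04"),
    }
    for label, hdr in samples.items():
        print("%-26s %s" % (label, classify_ipv4_header(hdr)))
```

Run it directly to see the four constructed headers classified; feed classify_ipv4_header() the first IHL*4 bytes of a captured packet to check real traffic against the same rules.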

Spoofed IP Address - On internal zones only, drop spoofed IP address packets so that, on ingress, the route for the packet's source address points back out the interface it arrived on. This is largely ineffective on the interface the default route points to: any source address without a more specific route matches the default route there and is accepted, so only sources with a more specific route elsewhere (for example internal ranges) are dropped on that interface.
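The following Python is an added illustration of the routing-table-based check described above and of the default-route caveat; it is my own code, not PAN-OS logic, and the routing table, interface names and addresses are constructed for the example. It does not model the separate Strict IP Address Check.

```python
"""Routing-table-based Spoofed IP Address check, as the page describes it.

Added example, not PAN-OS code. The routing table, interface names and
addresses are constructed for the illustration.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),        # default route, Internet-facing
    ("10.0.0.0/8", "ethernet1/2"),       # corporate LAN
    ("192.168.50.0/24", "ethernet1/3"),  # DMZ
]


def lookup(table, addr):
    """Longest-prefix match: returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def is_spoofed(table, src, ingress):
    """A packet is spoofed if the route for its source address does not point
    back out the interface it arrived on (or there is no route at all)."""
    match = lookup(table, src)
    return match is None or match[1] != ingress


def default_route_interface(table):
    """Interface the default route points to; the check is weak there because
    every source without a more specific route is accepted on it."""
    for prefix, iface in table:
        if ipaddress.ip_network(prefix).prefixlen == 0:
            return iface
    return None


if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "ethernet1/2"),     # LAN host from the LAN: allowed
        ("10.1.2.3", "ethernet1/1"),     # internal address from the Internet: dropped
        ("203.0.113.7", "ethernet1/2"),  # LAN host forging an Internet address: dropped
        ("203.0.113.7", "ethernet1/1"),  # any Internet address on the default-route interface: allowed
    ]
    for src, iface in cases:
        verdict = "DROP" if is_spoofed(ROUTES, src, iface) else "allow"
        print("%-12s via %-12s -> %s" % (src, iface, verdict))
    print("check is largely vacuous on", default_route_interface(ROUTES))
```

The last case is the caveat from the text: on ethernet1/1 every public source passes, because the default route is the only route that matches it.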

Reject Non-SYN TCP - If you configure Tunnel Content Inspection on a zone and enable Rematch Sessions, disable Reject Non-SYN TCP for that zone only, so that creating or editing a Tunnel Content Inspection policy does not cause the firewall to drop existing tunnel sessions.