
Zone Protection

Troubleshooting

Information on troubleshooting Zone Protection Profiles can be found here.

Zone Protection Profile Logging

  • Flood Protection logs appear under the Threat Logs.
  • Reconnaissance Protection logs appear under Threat Logs.
  • Packet Based Attack Protection logs appear on global counters on the CLI.

Flood protection

( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( severity eq critical )
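The three filters above share one shape: parenthesised `field eq value` clauses joined by `and`. As an added example (not code from the original page or from Palo Alto Networks), the following Python evaluator parses that clause syntax and runs it over a handful of constructed threat-log records, so the filters can be checked offline before they are typed into the GUI or used in a log-export pipeline. The record field names (`subtype`, `name-of-threatid`, `severity`, `from`) are assumed to match the filter field names; the sample records are constructed, not real firewall output, and the parser deliberately supports only `eq`/`neq` clauses joined by `and`, which is all the filters on this page use.

```python
import re

# Constructed sample threat-log records (not real PAN-OS output). The keys mirror
# the field names used in the log filters on this page; the "from" zone is assumed.
SAMPLE_THREAT_LOGS = [
    {"subtype": "flood", "name-of-threatid": "UDP Flood", "severity": "critical", "from": "untrust"},
    {"subtype": "flood", "name-of-threatid": "TCP Flood", "severity": "critical", "from": "untrust"},
    {"subtype": "flood", "name-of-threatid": "ICMP Flood", "severity": "high", "from": "untrust"},
    {"subtype": "scan", "name-of-threatid": "TCP Port Scan", "severity": "medium", "from": "untrust"},
    {"subtype": "vulnerability", "name-of-threatid": "Example Signature", "severity": "critical", "from": "trust"},
]

# One clause: "( field eq value )" or "( field neq value )"; value may be single-quoted.
_CLAUSE_SHAPE = r"\(\s*[\w-]+\s+(?:eq|neq)\s+(?:'[^']*'|[^\s()']+)\s*\)"
# Whole filter: one or more clauses joined by "and" (no "or", no nesting in this toy parser).
_FILTER_RE = re.compile(rf"^\s*{_CLAUSE_SHAPE}(?:\s+and\s+{_CLAUSE_SHAPE})*\s*$")
# Capturing form used to pull field, operator and value out of each clause.
_CLAUSE_RE = re.compile(r"\(\s*([\w-]+)\s+(eq|neq)\s+(?:'([^']*)'|([^\s()']+))\s*\)")


def parse_filter(expr):
    """Parse a filter string into a list of (field, op, value) triples.

    Raises ValueError for anything outside the supported "( f eq v ) and ( ... )" shape,
    which is the behaviour you want in a pipeline: a typo in a filter should fail loudly
    rather than silently match nothing.
    """
    if not _FILTER_RE.match(expr):
        raise ValueError(f"unsupported or malformed filter: {expr!r}")
    clauses = []
    for field, op, quoted, bare in _CLAUSE_RE.findall(expr):
        clauses.append((field, op, quoted if quoted else bare))
    return clauses


def matches(record, clauses):
    """True if every clause holds for the record (exact, case-sensitive comparison assumed)."""
    for field, op, value in clauses:
        actual = record.get(field)
        hit = actual is not None and actual == value
        if (op == "eq") != hit:
            return False
    return True


def apply_filter(records, expr):
    """Return the records selected by the filter expression."""
    clauses = parse_filter(expr)
    return [r for r in records if matches(r, clauses)]


def flood_summary(records):
    """Count critical flood events per threat name: the view to pivot on when tuning
    Flood Protection thresholds for a zone."""
    counts = {}
    for r in apply_filter(records, "( subtype eq flood ) and ( severity eq critical )"):
        counts[r["name-of-threatid"]] = counts.get(r["name-of-threatid"], 0) + 1
    return counts


if __name__ == "__main__":
    for name in ("UDP Flood", "TCP Flood", "ICMP Flood"):
        expr = f"( subtype eq flood ) and ( name-of-threatid eq '{name}' ) and ( severity eq critical )"
        print(f"{expr}\n  -> {len(apply_filter(SAMPLE_THREAT_LOGS, expr))} record(s)")
    print("critical floods by name:", flood_summary(SAMPLE_THREAT_LOGS))
```

Note that the ICMP Flood filter selects nothing from the sample set because that record is logged at `high`, not `critical`: when a filter copied from this page returns no rows, check the severity clause before assuming the zone protection profile is not firing.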

Packet Based Attack Protection

show counter global filter packet-filter yes delta yes | match Zone

Problems with Zone Protection

  • Strict IP Address Check caused problems when doing BGP and ECMP with four ISP links after a HA failover.
  • Fragmented traffic broke the PS3 connection to the Internet.
  • ICMP Drop > Suppress ICMP TTL Expired Error: this breaks the first hop of a traceroute and marks that hop as “Request timed out”. This applies when the traceroute starts from inside the network and the zone protection profile is applied to the outside zone.
  • ICMP Drop > Discard ICMP embedded with error message: this breaks every hop of a traceroute except the first and marks each of those hops as “Request timed out”. This applies when the traceroute starts from inside the network and the zone protection profile is applied to the inside zone.

Best Practice

Palo Alto Networks' best practice (June 2019) is to block Spoofed IP Address (internal zones only) as well as Unknown and Malformed under IP Option Drop. Also block TCP with SYN data and TCP with SYNACK data, and strip the TCP Timestamp option. The IPv6 drop best practice is to drop packets with routing header type 0, 1, 4 to 252, and 255.

A packet is malformed if it has incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.

A packet is unknown if the class and number are unknown.

Spoofed IP Address - On internal zones only, drop spoofed IP address packets to ensure that on ingress, the source address matches the firewall routing table. Obviously, this doesn't really work on the interface that the default route points to.

Reject Non-SYN TCP - If you configure Tunnel Content Inspection on a zone and enable Rematch Sessions, then for that zone only, disable Reject Non-SYN TCP so that enabling or editing a Tunnel Content Inspection policy doesn’t cause the firewall to drop existing tunnel sessions.
