https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/305583#M79415 <P>Interestingly, for me it is the PALO ALTO 5200 series Vers 8.1 that IS RESPONDING to timestamp requests from a desktop.<BR /><BR />Why? I don't know.&nbsp; Why offer discovery information that a hacker could use?&nbsp; We have PING enabled on the interface--but I don't see any way to stop it from answering these esoteric ICMP queries.<BR /><BR />It is also being asked for ADDRESS MASK (ICMP), but at least it doesn't respond to that.</P> Fri, 03 Jan 2020 18:05:45 GMT Royalfr 2020-01-03T18:05:45Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37517#M27508 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm wondering whether is there a way to set the PAN Firewall to detect and drop TCP 1323 Timestamp queries to servers?</P><P></P><P>According to some web vulnerabilities scanning reports, it is reccomended to disable the TCP Timestamp as it discloses server uptime information, allowing attackers to guess the OS patch status.</P><P>In the recent Windows server OS (2008 and R2), disabling the TCP1323opts in registry doesn't seem to disable to the Timestamp responses as nmap scan test will still be able to get the uptime information.</P><P></P><P>In some web scanner reports, there are reccomendations to set in cisco firewalls to disable tcp timestamp eg, (no ip tcp timestamp).</P><P></P><P>Appreciate the reponse,</P><P></P><P>Regards,</P><P>Hans</P></BODY></HTML> Fri, 26 Apr 2013 04:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37517#M27508 LCMember4126 2013-04-26T04:54:44Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37518#M27509 <HTML><HEAD></HEAD><BODY><P>Not that im aware of.</P><P></P><P>Disabling timestamps should be done at the endpoints if you want to block timestamp information.</P><P></P><P>Easy to do in a linuxbox:</P><P></P><P>echo "0" &gt; /proc/sys/net/ipv4/tcp_timestamps</P><P></P><P>Did you reboot your windowsbox before you did the new nmap test?</P><P></P><P>Also verify with pcap so the uptime which nmap picks up isnt from some application running on your server.</P><P></P><P>The "no ip tcp timestamp" is usually for traffic that the cisco device itself generates (such as stuff from its mgmt-interface etc) and not for traffic that passes through.</P><P></P><P>However note that timestamps are part of "high performance tcp" if I remember it correctly so disabling timestamps could in some situations be bad (<A href="http://www.ietf.org/rfc/rfc1323.txt" title="http://www.ietf.org/rfc/rfc1323.txt">http://www.ietf.org/rfc/rfc1323.txt</A>).</P></BODY></HTML> Fri, 26 Apr 2013 05:38:14 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37518#M27509 mikand 2013-04-26T05:38:14Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37519#M27510 <HTML><HEAD></HEAD><BODY><P>Also instead of altering the registry try to use this cmdline instead:</P><P></P><P><STRONG>netsh int tcp set global timestamps=disabled</STRONG></P><P><STRONG><BR /></STRONG></P><P><A href="http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6" title="http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6">http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6</A></P><P></P><P>You might need a reboot afterwards aswell...</P></BODY></HTML> Fri, 26 Apr 2013 05:47:28 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/37519#M27510 mikand 2013-04-26T05:47:28Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/305583#M79415 <P>Interestingly, for me it is the PALO ALTO 5200 series Vers 8.1 that IS RESPONDING to timestamp requests from a desktop.<BR /><BR />Why? I don't know.&nbsp; Why offer discovery information that a hacker could use?&nbsp; We have PING enabled on the interface--but I don't see any way to stop it from answering these esoteric ICMP queries.<BR /><BR />It is also being asked for ADDRESS MASK (ICMP), but at least it doesn't respond to that.</P> Fri, 03 Jan 2020 18:05:45 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/305583#M79415 Royalfr 2020-01-03T18:05:45Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/305766#M79472 <P>Hi All,</P><P>&nbsp;</P><P>It is possible to drop packets with the timestamp option set through a Zone Protection profile.</P><P>&nbsp;</P><P>Network -&gt; Zone Protection -&gt; Packet Based Attack Protection -&gt; IP Drop -&gt; Timestamp.</P><P>&nbsp;</P><P>The zone protection profile would then be applied to the ingress zone, untrust.</P><P>&nbsp;</P><P>Cheers,</P><P>Luke.</P> Mon, 06 Jan 2020 15:21:40 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/305766#M79472 LukeBullimore 2020-01-06T15:21:40Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/340535#M85462 <P><FONT face="arial,helvetica,sans-serif" size="3">In my case, the Rapid7 reported this vulnerability on PA5020 and PA5220:</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3"><STRONG>Vulnerability Title:</STRONG> TCP timestamp response</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="3"><STRONG>Description:</STRONG> The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="3">The scanning was ran to the MGMT interface, that's why the Zone Protection Profile won't work in this case.</FONT></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Jul 2020 16:02:04 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/340535#M85462 Alvaro_Arango 2020-07-24T16:02:04Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/384904#M90083 <P>Hello,</P><P>&nbsp;</P><P>Was there any solution for disabling tcp timestamp in mgmt interface.</P> Wed, 10 Feb 2021 00:40:47 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/384904#M90083 dinesh3888 2021-02-10T00:40:47Z https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/405562#M92024 <P><A href="https://live.paloaltonetworks.com/t5/threat-vulnerability-discussions/tcp-timestamp-response-on-mgmnt-ip/td-p/384943" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/threat-vulnerability-discussions/tcp-timestamp-response-on-mgmn...</A></P><P>User&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34186" target="_blank">@mivaldi</A>&nbsp; explains this topic and what can be done.</P><P>&nbsp;</P><P>Also found this option as well:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFZCA0" target="_blank" rel="nofollow noopener noreferrer">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFZCA0</A></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 07 May 2021 19:40:04 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-tcp-1323-timestamp-response-through-palo-alto-firewall/m-p/405562#M92024 DaBone 2021-05-07T19:40:04Z