For details on cookie usage on our site, read our Privacy Policy
Zone Protection Best Practice Query
- LIVEcommunity
- Discussions
- Best Practice Assessment Discussions
- Zone Protection Best Practice Query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Zone Protection Best Practice Query
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-31-2021 10:35 PM
Dear Team,
I have enabled Zone Protection Profile for untrusted Network as below
"1. Packet Based Attack Protection / Spoofed IP address disabled. Passed - Packet Based Attack Protection / Strict Source Routing enabled.
Loose Source Routing enabled.
Malformed enabled.
Mismatched Overlapping TCP Segment disabled.
Loose Source Routing Failed -
Mismatched Overlapping TCP Segment"
"2. Packet Based Attack Protection > TCP/IP Drop. Set Spoofed IP address to be checked. Set Mismatched overlapping TCP segment to be checked. Under IP Option Drop, set Strict Source Routing, Loose Source Routing, and Malformed to all be checked"
but facing connection drop while enabling this profile in Trusted Zone. In that case how can i enable Zone Protection profile in Trusted zone or Not needed.
In this case shall i enable only below options as per the below KB Article
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK
"Some Packet Based Attack Protection recommendations on the other hand apply somewhat equally to all organizations. For example, “unknown” and “malformed” IP options are generally unwanted and can be dropped. Selecting the options to drop “mismatched overlapping TCP segments” and “remove TCP timestamp” can prevent certain evasive techniques from being successful through the firewall, and are also generally recommended for all customers. In addition, you can prevent address spoofing in security zones by enabling protection against “Spoofed IP addresses”. This will ensure only traffic with source addresses that match the firewall routing table will be permitted on ingress."
Please suggest.
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-03-2022 12:44 PM
Hello,
I would enable a zone protection policy on the inside trust zones. I however have a separate zone protection policy that the external one. This way I can enable/disable features that are causing issues.
Hope this helps.
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
- Info about the vulnerabilities and the possible remediations for them. in Next-Generation Firewall Discussions
- Best Practices for Global Protect Machine and User Cert Authentication in GlobalProtect Discussions
- XSOAR Threat intel IOC Ingestion to Splunk in Cortex XSOAR Discussions
- Selecting Appropriate Security Profile in Next-Generation Firewall Discussions
- Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile in Next-Generation Firewall Discussions
