02-09-2021 10:38 PM
In my case, the team is performing a vulnerability assessment on PA820
Vulnerability Title: TCP timestamp response.
Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
The scanning was running to the MGMT IP,
How to disable the timestamp response.
04-09-2021 08:33 PM
A zone protection profile should help alleviate the problem. For the mgmt IP, a change in network may be needed where it is connected to a switch and then the traffic is routed through one of the data interfaces where the zone protection profile is enabled with relevant TCP options enabled.
Hope this helps
Yogesh
05-04-2021 03:28 AM - edited 05-05-2021 01:55 AM
@MyPrepaidCente wrote:In my case, the team is performing a vulnerability assessment on PA820
Vulnerability Title: TCP timestamp response.
Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.
The scanning was running to the MGMT IP,
How to disable the timestamp response.
According to RFC 1323 (TCP Extensions for High Performance) TCP Timestamp is used for two main mechanisms:
PAWS (Protect Against Wrapped Sequence)
RTT (Round Trip Time)
PAWS - defense mechanism for identification and rejection of packets that arrived in other wrapping sequence (data integrity).
Round Trip Time - time for packet to get to the destination and sent acknowledgment back to the device it originated.
05-04-2021 01:29 PM - edited 05-13-2021 09:56 AM
I verified that you can estimate the uptime of the firewall by running:
nmap -d -v -O <mgmt_ipaddress>
To mitigate this, move the management-interface to a data port, and tie a Zone Protection profile with the option
Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Timestamp (check)
A fix would be to add an option in PAN-OS to enable/disable TCP Timestamps in the management interface (toggle the value of net.ipv4.tcp_timestamps). Disabling the option can be achieved by editing the firewall's /etc/sysctl.conf file, and adding value ipv4.tcp_timestamps=0 ( I am with TAC and I verified this by going into root in the firewall in our lab and then running a new scan, which now shows clean). This will require a Feature Request, please involve your Palo Alto Networks SE to 'vote up' on FR ID: 10815.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
