TCP timestamp response on MGMNT IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

TCP timestamp response on MGMNT IP

L4 Transporter

In my case, the team is performing a vulnerability assessment on PA820

Vulnerability Title: TCP timestamp response.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

 

The scanning was running to the MGMT IP,

 

How to disable the timestamp response.

3 REPLIES 3

L2 Linker

Hi @Mohammed_Yasin 

 

A zone protection profile should help alleviate the problem. For the mgmt IP, a change in network may be needed where it is connected to a switch and then the traffic is routed through one of the data interfaces where the zone protection profile is enabled with relevant TCP options enabled.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/best-practices-for-secur...

 

Hope this helps

Yogesh

L0 Member

@MyPrepaidCente  wrote:

In my case, the team is performing a vulnerability assessment on PA820

Vulnerability Title: TCP timestamp response.

Description: The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

 

The scanning was running to the MGMT IP,

 

How to disable the timestamp response.


According to RFC 1323 (TCP Extensions for High Performance) TCP Timestamp is used for two main mechanisms:

PAWS (Protect Against Wrapped Sequence)
RTT (Round Trip Time)
PAWS - defense mechanism for identification and rejection of packets that arrived in other wrapping sequence (data integrity).

Round Trip Time - time for packet to get to the destination and sent acknowledgment back to the device it originated.

L7 Applicator

I verified that you can estimate the uptime of the firewall by running:

 

 

nmap -d -v -O <mgmt_ipaddress>

 

 

To mitigate this, move the management-interface to a data port, and tie a Zone Protection profile with the option 

Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Timestamp (check)

 

A fix would be to add an option in PAN-OS to enable/disable TCP Timestamps in the management interface (toggle the value of net.ipv4.tcp_timestamps). Disabling the option can be achieved by editing the firewall's /etc/sysctl.conf file, and adding value ipv4.tcp_timestamps=0 ( I am with TAC and I verified this by going into root in the firewall in our lab and then running a new scan, which now shows clean). This will require a Feature Request, please involve your Palo Alto Networks SE to 'vote up' on FR ID: 10815.

  • 7312 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!