Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
Upgrade to the most current PAN-OS software version and content release version so that you have the latest security updates. For evasion prevention, you need at least PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.
Set up the firewall to act as a DNS proxy and enable evasion signatures (see Enable DNS Proxy).
When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP-address mappings so that it can resolve future DNS queries quickly and efficiently.
Evasion signatures that detect crafted HTTP or TLS requests alert when a client connects to a domain other than the domain it specified in the original DNS request. Configure DNS proxy before you enable evasion signatures. Without DNS proxy, the firewall and the client resolve the domain independently, so a DNS server in a DNS load-balancing configuration can return different IP addresses (for servers hosting identical resources) to the firewall and to the client for the same DNS request, and the evasion signatures then trigger on a legitimate connection.
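The check the two paragraphs above describe, as an added example that is not PAN-OS code: a cache of DNS answers the firewall has seen, a comparison of a new connection's claimed hostname (Host header or TLS SNI) against the names that resolved to its destination IP, and the two situations the text contrasts. With the firewall acting as DNS proxy, the answer the client received is in the cache and a crafted request that names one domain but connects to another's IP is caught; without it, a load-balanced name that resolved to different addresses for the firewall and the client produces a false alert. Every hostname, IP address and DNS answer below is constructed.

```python
"""Added example (not PAN-OS code): correlating a connection's claimed hostname
with the DNS answers the firewall has seen. All names, IPs and answers are
constructed for illustration."""
from collections import defaultdict


class DnsAnswerCache:
    """Hostname -> set of IPs, populated from DNS answers the firewall observed."""

    def __init__(self):
        self.answers = defaultdict(set)

    def record(self, hostname, ips):
        self.answers[hostname.lower().rstrip(".")].update(ips)

    def hosts_for(self, ip):
        return {host for host, ips in self.answers.items() if ip in ips}


def check_connection(cache, dst_ip, claimed_host):
    """Return "ok" when the client resolved claimed_host to dst_ip, otherwise "alert".

    "alert" covers both the crafted case (dst_ip belongs to another name) and the
    case where the firewall never saw an answer mapping any name to dst_ip."""
    claimed = claimed_host.lower().rstrip(".")
    return "ok" if claimed in cache.hosts_for(dst_ip) else "alert"


def scenario_with_dns_proxy():
    """Firewall is the resolver, so every answer a client received is cached."""
    cache = DnsAnswerCache()
    # Client resolved evil.example and was told 203.0.113.10 (constructed answer).
    cache.record("evil.example", {"203.0.113.10"})
    # Load-balanced name: the proxy caches the address it actually handed out.
    cache.record("cdn.example", {"198.51.100.6"})
    return {
        # Crafted request: SNI / Host says bank.example, socket goes to evil's IP.
        "crafted": check_connection(cache, "203.0.113.10", "bank.example"),
        "legit": check_connection(cache, "198.51.100.6", "cdn.example"),
    }


def scenario_without_dns_proxy():
    """Firewall resolves names itself; the client may hold a different answer."""
    cache = DnsAnswerCache()
    # The firewall's own lookup of cdn.example returned 198.51.100.5 ...
    cache.record("cdn.example", {"198.51.100.5"})
    # ... but the load balancer gave the client 198.51.100.6 for the same name,
    # so the client's legitimate connection does not match what the firewall saw.
    return {"legit": check_connection(cache, "198.51.100.6", "cdn.example")}


if __name__ == "__main__":
    print(scenario_with_dns_proxy())      # {'crafted': 'alert', 'legit': 'ok'}
    print(scenario_without_dns_proxy())   # {'legit': 'alert'}
```

The second scenario is exactly the false positive the text warns about: nothing is wrong with the connection, the firewall simply never saw the answer the client acted on.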
For servers, create Security policy rules that allow only the application(s) you sanction on each server, and verify that the application's standard port matches the port the server listens on. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and the Service to application-default. If your server uses only a subset of the standard ports (for example, your SMTP server listens only on port 587, while the smtp application defines ports 25 and 587 as standard), create a custom service that includes only port 587 and use that service in the Security policy rule instead of application-default. Additionally, restrict each rule to specific source and destination zones and sets of IP addresses.
Attach the following Security profiles to your Security policy rules to provide signature-based protection:
Create a Vulnerability Protection profile that blocks all vulnerabilities with severity low and higher.
Create an Anti-Spyware profile that blocks all spyware with severity low and higher.
Create an Antivirus profile that blocks all content that matches an antivirus signature.
Block all unknown applications and traffic using Security policy. Typically, the only traffic classified as unknown is internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.
Create a File Blocking profile that blocks Portable Executable (PE) file types in Internet-bound SMB (Server Message Block) traffic (the ms-ds-smb applications) from traversing from the trust zone to the untrust zone.
Create a Zone Protection profile that protects against packet-based attacks (Network > Network Profiles > Zone Protection) and attach it to your zones. In the profile, select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
Select Remove TCP Timestamp (Packet Based Attack Protection > TCP Drop) to strip the TCP timestamp option from SYN packets before the firewall forwards them. Because the option is negotiated in the SYN, the TCP stacks on both ends of the connection then proceed without timestamp support. This prevents an attack that sends multiple packets for the same sequence number with different timestamps, which some TCP stacks use to decide which copy to discard, so that the firewall and the host could otherwise accept different copies.
Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping segments that carry different data, an attacker can cause the firewall and the destination host to interpret the connection differently, inducing false positives or false negatives. An attacker can also use IP spoofing and sequence number prediction to intercept a user's connection and inject their own data into it. With this option selected, PAN-OS discards segments whose data overlaps data it has already received but does not match it. The received segment is discarded in three cases: it is contained within a segment already received, it overlaps part of another segment, or it completely contains another segment.
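The overlap ambiguity described above, as an added example that is not PAN-OS code: a small reassembler that classifies each incoming segment against the segments already accepted (contained, contains, partial, the three cases the text lists) and shows that a "first copy wins" and a "last copy wins" receiver rebuild two different streams from the same packets, while dropping any segment whose overlapping bytes differ leaves a single unambiguous stream. Identical overlaps (ordinary retransmissions) are still accepted. The segments and payloads are constructed.

```python
"""Added example (not PAN-OS code): overlapping TCP segments with differing data
give different reassemblers different streams; dropping the mismatched overlap
removes the ambiguity. Segments and payloads are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int
    data: bytes

    @property
    def end(self):
        return self.seq + len(self.data)


def overlap_relation(new, old):
    """Classify how segment `new` lies relative to an already accepted `old`."""
    if new.end <= old.seq or old.end <= new.seq:
        return "none"
    if old.seq <= new.seq and new.end <= old.end:
        return "contained"      # new sits entirely inside old
    if new.seq <= old.seq and old.end <= new.end:
        return "contains"       # new completely covers old
    return "partial"            # new overlaps one edge of old


def overlap_matches(new, old):
    """True if the bytes the two segments share are identical (a plain retransmit)."""
    lo, hi = max(new.seq, old.seq), min(new.end, old.end)
    return new.data[lo - new.seq:hi - new.seq] == old.data[lo - old.seq:hi - old.seq]


class Reassembler:
    """policy: 'first-wins' / 'last-wins' keep conflicting data (host-style
    ambiguity); 'drop-mismatch' discards any segment whose overlap differs."""

    def __init__(self, policy):
        self.policy = policy
        self.accepted = []
        self.dropped = []     # (segment, relation) pairs

    def receive(self, seg):
        for old in self.accepted:
            rel = overlap_relation(seg, old)
            if rel != "none" and not overlap_matches(seg, old):
                if self.policy == "drop-mismatch":
                    self.dropped.append((seg, rel))
                    return False
        self.accepted.append(seg)
        return True

    def stream(self):
        """Rebuild the byte stream; for 'first-wins', earlier segments overwrite later ones."""
        order = reversed(self.accepted) if self.policy == "first-wins" else self.accepted
        buf = {}
        for seg in order:
            for i, b in enumerate(seg.data):
                buf[seg.seq + i] = b
        if sorted(buf) != list(range(len(buf))):
            raise ValueError("gap in stream")
        return bytes(buf[i] for i in range(len(buf)))


# Constructed session: a legitimate request, an injected overlap with different
# bytes (contained in the first segment), then a legitimate continuation whose
# overlap with the first segment is identical.
SEGMENTS = [
    Segment(0, b"GET /index.html"),
    Segment(5, b"evil.shtml"),
    Segment(12, b"tml HTTP/1.1\r\n"),
]


def reassemble(policy, segments=SEGMENTS):
    """Return (reassembled stream, relations of the segments that were dropped)."""
    r = Reassembler(policy)
    for seg in segments:
        r.receive(seg)
    return r.stream(), [rel for _, rel in r.dropped]


if __name__ == "__main__":
    for policy in ("first-wins", "last-wins", "drop-mismatch"):
        print(policy, reassemble(policy))
```

Run it and the two host-style policies yield "GET /index.html HTTP/1.1" and "GET /evil.shtml HTTP/1.1" from the same packets: a firewall that reassembles one way while the server reassembles the other inspects a request the server never sees. The drop policy discards the injected segment (classified as contained) and both sides are left with the first request.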
Verify that support for IPv6 is enabled if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6).
This allows the firewall to handle traffic to IPv6 hosts and to filter IPv6 packets that are encapsulated in IPv4 packets. Enabling IPv6 support prevents IPv6-over-IPv4 multicast addresses from being leveraged for network reconnaissance.
Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
Configure the firewall to Clear the Urgent Data Flag in the TCP header (Device > Setup > Session > TCP Settings).
Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and on the host, so that the firewall sees the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears the flag, the data that was marked urgent remains in the payload as ordinary data and is no longer processed urgently.
Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings).
Illegal TCP segments with no flags set can be used to evade content inspection. When you enable this option, the firewall drops packets that have no flags set in the TCP header.
Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings).
The TCP timestamp records when a segment was sent and lets the firewall verify that the timestamp is valid for that session, protecting against wrapped sequence numbers (the PAWS mechanism). The TCP timestamp is also used to calculate round-trip time. A TCP timestamp set to 0 (null) can confuse either end of the connection, resulting in an evasion. With this setting enabled, the firewall drops packets with null timestamps.
Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings).
By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. When you disable this option, the firewall instead drops segments that exceed the out-of-order queue limit.
Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings).
By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifies the application as unknown-tcp, and forwards the segments. When you disable this option, the firewall instead drops segments when the App-ID inspection queue is full.
Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings).
By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for the TCP segments or UDP datagrams that exceed the queue limit of 64. When you disable these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.
Disable the Allow HTTP Header Range option (Device > Setup > Content-ID > Content-ID Settings).
The HTTP Range header allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can open a new session to fetch only the remaining part of the file. Because the firewall has no context from the initial session, the remainder on its own does not trigger the same signature again, while the web browser reassembles the pieces and delivers the malicious content. Disabling this option prevents this evasion. Disabling it should not affect device performance; however, recovery of interrupted HTTP file transfers may be impaired, and it can also affect streaming media services, such as Netflix, Windows Server Update Services (WSUS), and Palo Alto Networks content updates, which rely on Range requests.
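The evasion described above, as an added example that is not PAN-OS or browser code: a constructed "file" carrying a marker that stands in for a threat signature, an origin server that honours Range requests, a streaming inspector that resets the session on the byte that completes a match, and a client that resumes from the bytes it already has. With Range allowed, the marker ends up split across two sessions, neither of which matches, and the client reassembles the complete file; with Range blocked, the client is stuck with the truncated first part. How the real firewall treats a Range request when the option is disabled is not described on this page, so the blocked case is modelled simply as the resume request not getting through.

```python
"""Added example (not PAN-OS or browser code): a resumed download via an HTTP
Range request defeats per-session signature matching. File, signature and
firewall behaviour are constructed models."""

SIGNATURE = b"CONSTRUCTED-MARKER"                    # stands in for a threat signature
PAYLOAD = b"A" * 100 + SIGNATURE + b"B" * 100        # the "malicious" file on the origin


def origin_response(range_start=None):
    """Origin server: honours `Range: bytes=<start>-` with 206, else sends all (200)."""
    if range_start is None:
        return 200, PAYLOAD
    return 206, PAYLOAD[range_start:]


def streaming_match_end(data, signature):
    """Index of the byte that completes the first signature match, or None.
    A streaming inspector has already forwarded every byte before that index."""
    i = data.find(signature)
    return None if i < 0 else i + len(signature) - 1


def download(allow_range, max_sessions=3):
    """Browser-style download through an inspecting firewall.

    Returns {"complete": bool,
             "file": bytes delivered to the client,
             "sessions": [bytes the firewall forwarded in each TCP session]}"""
    received = b""
    sessions = []
    for _ in range(max_sessions):
        offset = len(received)
        if offset and not allow_range:
            # Modelled (assumption): with the option disabled, the partial-content
            # request does not get through, so the client cannot resume.
            break
        _, body = origin_response(offset or None)
        cut = streaming_match_end(body, SIGNATURE)
        if cut is None:
            sessions.append(body)
            received += body
            return {"complete": True, "file": received, "sessions": sessions}
        # The match completes at `cut`: everything before it was already
        # forwarded, the matching byte is dropped and the session is reset.
        sessions.append(body[:cut])
        received += body[:cut]
    return {"complete": False, "file": received, "sessions": sessions}


if __name__ == "__main__":
    for allow in (True, False):
        r = download(allow)
        print("allow_range=%s complete=%s delivered=%d per-session match=%s"
              % (allow, r["complete"], len(r["file"]),
                 [SIGNATURE in s for s in r["sessions"]]))
```

The run with Range allowed shows the core of the problem: every session the firewall forwarded is individually clean, yet the reassembled file contains the marker. The same partial-content mechanism is what download resumption, streaming services and WSUS depend on, which is why the text notes those may be affected when the option is disabled.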
