Palo Alto Networks ALG STIG Version Comparison
Palo Alto Networks ALG Security Technical Implementation Guide
Comparison
There are 2 differences between versions v3 r2 (Oct. 24, 2024) (the "left" version) and v3 r4 (April 2, 2025) (the "right" version).
Check PANW-AG-000102 was changed between these two versions. Because the colour and underline formatting of the original comparison does not survive here, wording removed in v3 r4 is shown below as [-removed-] and wording added in v3 r4 as {+added+}; everything else is common to both versions.
Text Differences
Title
The Palo Alto Networks security platform must [-protect against-] {+block outbound traffic containing+} denial-of-service (DoS) attacks [-from external sources.-] {+to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.+}
Check Content
View the site's Security Protection Plan (SSP). Verify if Zone-based protection, DoS [-Protection,-] {+protection,+} or both are required by the SSP. There may be more than one configured [-inbound policy.-] {+policy that protects external networks and DMZ networks from DoS type attacks generated from the internal devices on the trusted networks.+}

If the SSP [-required-] {+requires+} one or more Zone [-Protection Policies:-] {+protection policies:+}
1. Navigate to Network >> Network Profiles >> Zone Protection.
2. Navigate to Network >> Zones and view the "Zone Protection Profile", which should not be blank.
3. If a Zone Protection Profile is not configured, has a blank "Zone Protection Profile" column, or is incorrectly identified, this is a finding.

If the SSP requires one or more DoS [-Protection Policies:-] {+protection policies:+}
1. Navigate to Objects >> Security Profiles >> DoS Protection.
2. Navigate to Policies >> DoS Protection.
[-3.-] If a DoS Protection Profile is not configured, has a blank zone, or is incorrectly identified, this is a finding.

If neither a Zone Protection Profile [-or-] {+nor+} a DoS Protection policy is [-not-] configured to protect [-each ingress interface,-] {+external networks and DMZ networks from DoS type attacks generated from the internal devices on the trusted networks,+} this is a finding.
Discussion
If the network does not provide safeguards against DoS attacks, network resources may be unavailable to users. Installation of content filtering gateways and application-layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks that are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.

PAN-OS can use either Zone-Based Protection or End Host Protection to mitigate DoS attacks. Zone-Based Protection protects against most common floods, reconnaissance attacks, and other packet-based attacks and is applied to any zone. End Host Protection is specific to defined end hosts. Zone Protections are always applied on the ingress interface, so to protect against floods or scans from the internet, apply the profile on the zone containing the untrusted internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to both internal and external interfaces to ensure that protective measures are being applied across the entire environment.

It is important to set the Flood Protection parameters that are suitable for the enclave or system. The [-Administrator-] {+administrator+} should perform a traffic baseline to tune these parameters. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK.
Fix
Configure either a Zone-Based [-Protection-] {+protection+} policy or a DoS [-Protection-] {+protection+} policy. Zone [-Protections-] {+protections+} are, at a minimum, applied on [-the-] {+each+} ingress interface.

To configure a Zone-Based [-Protection-] {+protection+} policy, perform the following:
1. Navigate to Network >> Network Profiles >> Zone Protection and select "Add".
2. In the "Zone Protection Profile" window, complete the required fields.
3. In the "General" tab, complete the "Name" and "Description" fields.
4. Configure Flood Protection:
a. In the "Flood Protection" tab, select the "Syn" check box, in the "Action" field, select either "Random Early Drop" (preferred in this case) or "SYN Cookie"; complete the "Alert", "Activate", and "Maximum" fields.
b. In the "Flood Protection" tab, select the "ICMP" check box; complete the "Alert", "Activate", and "Maximum" fields.
c. In the "Flood Protection" tab, select the "ICMPv6" check box; complete the "Alert", "Activate", and "Maximum" fields.
d. In the "Flood Protection" tab, select the "Other IP" check box; complete the "Alert", "Activate", and "Maximum" fields.
e. In the "Flood Protection" tab, select the "UDP" check box; complete the "Alert", "Activate", and "Maximum" fields.
f. For each of the "Alert", "Activate", and "Maximum" fields, the appropriate values depend on the expected traffic of the system.
5. Configure Reconnaissance Protection:
a. In the "Reconnaissance Protection" tab, select the "TCP Port Scan", "Host Sweep", and "UDP Port Scan" rows.
b. Select the action of Block IP.
c. The Interval and Threshold values can either remain as the default values or they can be changed based on the specific traffic conditions of the network.
6. Configure Packet Based Attack Protection settings:
a. Select the "Packet Based Attack Protection" tab and select the following at a minimum.
b. IP Drop tab: [-select-] {+Select+} the "Spoofed IP address", "Strict Source Routing", "Loose Source Routing", "Unknown", and "Malformed".
c. TCP Drop tab: [-select-] {+Select+} "Mismatched overlapping TCP segment" and "TCP Timestamp", and for the "Reject Non-SYN TCP" field, select "yes". For the "Asymmetric Path" field, select "bypass".
d. ICMP Drop tab: [-select-] {+Select+} the "ICMP Ping ID 0, ICMP Fragment", and "ICMP Large Packet(>1024)" check-boxes. The "Suppress ICMP TTL Expired Error" and "Suppress ICMP Frag Needed" check-boxes can remain unchecked unless this profile will be applied to an internal or DMZ.
e. IPv6 Drop tab: [-select-] {+Select+} the "Type 0 Routing Header", "IPv4 compatible address", "Anycast source address", "Needless fragment header", "MTU in ICMPv6 'Packet Too Big' less than 1280 bytes", "Hop-by-Hop extension", "Routing extension", "Destination extension", "Invalid IPv6 options in extension header", and "Non-zero reserved field" check-boxes.
f. In the "ICMPv6" tab, select the "ICMPv6 destination unreachable", "ICMPv6 packet too big", "ICMPv6 time exceeded", "ICMPv6 parameter problem", and "ICMPv6 redirect" check-boxes.
g. Click "OK".
7. Apply the Zone Protection Profile to [-any zone that includes ingress interfaces to external networks:-] {+the internal zone and the DMZ:+}
a. Select Network >> Zones and select the [-ingress-] {+internal+} zone.
b. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile.
c. Click "OK".
{+d. Select Network >> Zones and select the DMZ zone.
e. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile.
f. Click "OK".+}
8. Commit the changes.

To configure a DoS Protection policy:
1. Navigate to Objects >> Security Profiles >> DoS Protection.
2. Select "Add" to create a new profile.
3. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified".
4. Configure Flood Protection by enabling each type of flood protection and configuring the following at a minimum:
a. SYN Flood tab: [-select-] {+Select+} "SYN Cookie" as the action.
b. UDP Flood tab: [-select-] {+Select+} "UDP Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
c. ICMP Flood tab: [-select-] {+Select+} "ICMP Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
d. ICMPv6 Flood tab: [-select-] {+Select+} "ICMPv6 Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
e. Other IP Flood tab: [-select-] {+Select+} "Other IP Flood" check box and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
5. Configure Resources Protection in the Resources Protection tab with the following settings:
a. Select "Maximum Concurrent Sessions".
b. Complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied.
c. Click "OK", and then click "Commit".
6. Create a DoS protection [-policy that specifies the criteria for matching the incoming traffic.-] {+policy.+}
a. Navigate to Policies >> DoS Protection and select "Add" to create a new policy.
b. In the "DoS Rule" Window, complete the required fields.
c. In the "General" tab, complete the "Name" and "Description" fields.
d. In the "Source" tab, for "Zone", select the "External zone", and for "Source Address", select "Any".
e. In the "Destination" tab, "Zone", select "Internal zone", and for "Destination Address", select "Any".
f. In the "Option/Protection" tab, for "Service", select "Any", and for "Action", select "Protect".
g. Select the "Classified" check-box.
h. In the "Profile" field, select the configured DoS Protection profile [-containing inbound traffic.-] {+for the ingress interface.+}
i. In the "Address" field, select destination-ip-only.
j. Click "OK", and then click "Commit".
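The Check and Fix above are written as GUI click-throughs. For auditing more than a handful of firewalls it is easier to run the same check against a saved configuration export. The script below is an added example, not DISA or Palo Alto Networks code: it parses a PAN-OS-style XML configuration and reports, per zone, whether a Zone Protection Profile is assigned and defined, whether that profile meets the Fix's minimums (all five flood protections enabled, the three reconnaissance scans set to Block IP, spoofed-IP discard on), and whether a DoS Protection rule with action "protect" references a profile that actually exists. The element paths follow the layout of a PAN-OS configuration export, but the flood, scan and discard element names inside the profile are assumptions to confirm against your own export; the embedded configuration is constructed for the example and is not a real device's config.

```python
"""Audit a PAN-OS configuration export against PANW-AG-000102.

Added example (not DISA or Palo Alto Networks code). Element paths follow the
layout of a PAN-OS XML configuration export; the flood/scan/discard element
names inside the zone protection profile are assumptions to confirm against
your own export. SAMPLE_CONFIG is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one vsys, two zone protection profiles (one compliant,
# one weak), three zones and two DoS rules (one referencing a missing profile).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile>
 <entry name="STIG-ZPP">
  <flood><tcp-syn><enable>yes</enable><red><alert-rate>10000</alert-rate>
   <activate-rate>10000</activate-rate><maximal-rate>40000</maximal-rate></red></tcp-syn>
   <udp><enable>yes</enable></udp><icmp><enable>yes</enable></icmp>
   <icmpv6><enable>yes</enable></icmpv6><other-ip><enable>yes</enable></other-ip></flood>
  <scan><entry name="8001"><action><block-ip/></action></entry>
   <entry name="8002"><action><block-ip/></action></entry>
   <entry name="8003"><action><block-ip/></action></entry></scan>
  <discard-ip-spoof>yes</discard-ip-spoof>
 </entry>
 <entry name="Weak-ZPP">
  <flood><tcp-syn><enable>no</enable></tcp-syn></flood>
  <scan><entry name="8001"><action><alert/></action></entry></scan>
 </entry>
</zone-protection-profile></profiles></network>
<vsys><entry name="vsys1">
 <zone>
  <entry name="trust"><network><zone-protection-profile>STIG-ZPP</zone-protection-profile></network></entry>
  <entry name="dmz"><network><zone-protection-profile>Weak-ZPP</zone-protection-profile></network></entry>
  <entry name="untrust"><network/></entry>
 </zone>
 <profiles><dos-protection><entry name="STIG-DoS"><type>classified</type></entry></dos-protection></profiles>
 <rulebase><dos><rules>
  <entry name="protect-untrust"><from><member>trust</member></from><to><member>untrust</member></to>
   <action><protect/></action><protection><classified><profile>STIG-DoS</profile>
   <classification-criteria><address>destination-ip-only</address></classification-criteria>
   </classified></protection></entry>
  <entry name="dangling"><from><member>trust</member></from><to><member>dmz</member></to>
   <action><protect/></action><protection><aggregate><profile>Missing-DoS</profile></aggregate></protection></entry>
 </rules></dos></rulebase>
</entry></vsys>
</entry></devices></config>"""

# Reconnaissance threat IDs as they appear in a zone protection profile (assumed).
SCAN_IDS = {"8001": "TCP Port Scan", "8002": "Host Sweep", "8003": "UDP Port Scan"}
FLOODS = ("tcp-syn", "udp", "icmp", "icmpv6", "other-ip")


def audit_zone_profile(profile):
    """Findings for one zone-protection-profile <entry> against the Fix's minimums."""
    findings = []
    for flood in FLOODS:
        if profile.findtext(f"flood/{flood}/enable") != "yes":
            findings.append(f"flood protection '{flood}' not enabled")
    for scan_id, label in SCAN_IDS.items():
        # Use 'is None': an empty element such as <block-ip/> is falsy in ElementTree.
        if profile.find(f"scan/entry[@name='{scan_id}']/action/block-ip") is None:
            findings.append(f"reconnaissance '{label}' action is not Block IP")
    if profile.findtext("discard-ip-spoof") != "yes":
        findings.append("'Spoofed IP address' discard not set")
    return findings


def audit(config_xml, required_zones):
    """Run the PANW-AG-000102 check. Returns {item: [finding, ...]}; {} means no finding."""
    root = ET.fromstring(config_xml)
    zpps = {e.get("name"): e for e in root.iterfind(".//network/profiles/zone-protection-profile/entry")}
    dos_profiles = {e.get("name") for e in root.iterfind(".//profiles/dos-protection/entry")}
    zones = {e.get("name"): e for e in root.iterfind(".//vsys/entry/zone/entry")}
    findings = {}
    dos_from = set()  # zones whose traffic is matched by a valid 'protect' DoS rule
    for rule in root.iterfind(".//rulebase/dos/rules/entry"):
        if rule.find("action/protect") is None:
            continue  # allow/deny DoS rules apply no profile
        profile = rule.findtext("protection/classified/profile") or rule.findtext("protection/aggregate/profile")
        if profile not in dos_profiles:
            findings[f"dos-rule:{rule.get('name')}"] = [f"no valid DoS Protection profile (got {profile!r})"]
            continue
        dos_from.update(m.text for m in rule.iterfind("from/member"))
    for zone in required_zones:
        z = zones.get(zone)
        if z is None:
            findings[f"zone:{zone}"] = ["zone not defined in configuration"]
            continue
        zpp_name = z.findtext("network/zone-protection-profile")
        if zpp_name:
            zone_findings = (audit_zone_profile(zpps[zpp_name]) if zpp_name in zpps
                             else [f"Zone Protection Profile '{zpp_name}' is not defined"])
        elif zone in dos_from:
            zone_findings = []  # no profile on the zone, but a DoS rule protects its traffic
        else:
            zone_findings = ["no Zone Protection Profile and no DoS protection rule covers this zone"]
        if zone_findings:
            findings[f"zone:{zone}"] = zone_findings
    return findings


if __name__ == "__main__":
    for item, problems in audit(SAMPLE_CONFIG, ["trust", "dmz", "untrust"]).items():
        print(item, "-> FINDING:", "; ".join(problems))
```

The script treats the zones listed under a DoS rule's "from" as the attack-source side, which is the reading the v3 r4 title requires (internal systems launching DoS outward); note that steps 6.d and 6.e of the Fix above still describe an External-to-Internal rule, unchanged from the inbound-oriented v3 r2 text, so for the outbound case the internal zone belongs in the rule's Source tab. Against the constructed sample, "trust" passes, "dmz" is flagged for its weak profile, "untrust" has neither control, and the "dangling" rule points at a profile that does not exist.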