Information
For all zones, attach a Zone Protection Profile that is configured to drop packets with a spoofed IP address or a mismatched overlapping TCP segment, and packets with malformed, strict source routing, or loose source routing IP options set.
Rationale:
Using specially crafted packets, an attacker may attempt to evade or diminish the effectiveness of network security devices. Enabling the options in this recommendation lowers the risk of these attacks.
Solution
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Packet Based Attack Protection > TCP/IP Drop.
Set Spoofed IP address to be checked.
Set Mismatched overlapping TCP segment to be checked.
Under IP Option Drop, set Strict Source Routing, Loose Source Routing, and Malformed to all be checked. Additional options may also be set if desired.
Default Value:
Not Configured