Security Profile: Zone Protection
Zone Protection profiles applied to zones offer protection against most common floods, reconnaissance attacks, and other packet-based attacks.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
  Check for any license or role requirements for the products you're using.
Zone Protection profiles provide additional protection between specific network zones. A Zone Protection profile applied to a zone offers protection against most common floods, reconnaissance attacks, other packet-based attacks, the use of non-IP protocols, and 802.1Q frames whose Cisco MetaData header (EtherType 0x8909) carries specific Security Group Tags (SGTs). A Zone Protection profile provides broad-based protection at the ingress zone (the zone where traffic enters the firewall); it is not designed to protect a specific end host or traffic going to a particular destination zone. You can attach only one Zone Protection profile to a zone.
  • The profile must be applied to the entire zone, so it's important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones.
  • Zone protection flood thresholds are measured in new connections per second (cps), not packets per second (pps), so zone protection is enforced only for packets that have no session match. A packet that matches an existing session bypasses the zone protection settings, which means a flood carried inside established sessions is not counted against the flood thresholds.
  • To augment zone protection capabilities on your configuration, configure a DoS Protection policy to match on a specific zone, interface, IP address, or user.
Apply a Zone Protection profile to each zone to defend it based on the aggregate traffic entering the ingress zone.
  • Apply a Zone Protection profile to each zone to layer in extra protection against IP floods, reconnaissance, packet-based attacks, and non-IP protocol attacks. Zone protection on your configuration should be a second layer of protection after a dedicated DDoS device at the internet perimeter.
  • In addition to configuring zone protection and DoS protection, apply the best practice Vulnerability Protection profile to each Security rule to help defend against DoS attacks.

Create a Zone Protection Profile

Cloud Managed

Create a Zone Protection profile to apply to zones for protection against most common floods, reconnaissance attacks, and other packet-based attacks.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Device Settings > Zones.
  2. Select Add Zone, and then Create New Zone Protection profile.
  3. Give your profile a
    Name
    (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
  4. Give an optional
    Description
    for the Zone Protection profile for easy reference and reuse later.
  5. Configure any combination of these settings based on what types of protection your zone needs:
    A Zone Protection profile takes effect only after you attach it to a zone (one profile per zone) and push the configuration; unlike Security profiles, it is not referenced from a profile group or a Security policy rule.
    • Flood Protection
      A Zone Protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. The firewall measures the aggregate amount of each flood type entering the zone in new connections per second (CPS) and compares the totals to the thresholds you configure in the Zone Protection profile.
    • Reconnaissance Protection
      Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack.
      Enable Reconnaissance Protection on all zones to defend against port scans and host sweeps.
    • Packet-Based Attack Protection
      Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
      • Dropping packets with undesirable characteristics.
      • Stripping undesirable options from packets before admitting them to the zone.
    • Protocol Protection
      Protocol Protection defends against non-IP protocol-based attacks. Enable Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN.
    • Ethernet SGT Protection
      In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT) of 16 bits to a user’s or endpoint’s session. You can create a Zone Protection profile with Ethernet SGT protection when your configuration is part of a Cisco TrustSec network.

PAN-OS & Panorama

Create a Zone Protection profile to apply to zones for protection against most common floods, reconnaissance attacks, and other packet-based attacks.
  1. Go to Network > Network Profiles > Zone Protection.
  2. Add a Zone Protection profile.
  3. Give your profile a
    Name
    (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
  4. Give an optional
    Description
    for the Zone Protection profile for easy reference and reuse later.
  5. Configure any combination of these settings based on what types of protection your zone needs:
    • Flood Protection
      A Zone Protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. The firewall measures the aggregate amount of each flood type entering the zone in new connections-per-second (CPS) and compares the totals to the thresholds you configure in the Zone Protection profile.
    • Reconnaissance Protection
      Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack.
      Enable Reconnaissance Protection on all zones to defend against port scans and host sweeps.
    • Packet-Based Attack Protection
      Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
      • Dropping packets with undesirable characteristics.
      • Stripping undesirable options from packets before admitting them to the zone.
    • Protocol Protection
      Protocol Protection defends against non-IP protocol-based attacks. Enable Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN.
    • Ethernet SGT Protection
      In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT) of 16 bits to a user’s or endpoint’s session. You can create a Zone Protection profile with Ethernet SGT protection when your firewall is part of a Cisco TrustSec network.
    In a multi-virtual system environment in which you have enabled both of the following:
    • External zones, to allow inter-virtual-system communication
    • Shared gateways, to allow virtual systems to share a common interface and a single IP address for external communications
    the following zone and DoS protection mechanisms are disabled on the external zone:
    • SYN cookies
    • IP fragmentation
    • ICMPv6
    To enable IP fragmentation and ICMPv6 protection for the shared gateway, create a separate Zone Protection profile for the shared gateway.
    To protect against SYN floods on a shared gateway, apply SYN Flood protection with either Random Early Detection (RED) or SYN cookies; on an external zone, only RED is available for SYN Flood protection.
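The same profile built from the PAN-OS CLI, as an added example that is not part of this page and not a Palo Alto Networks sample: the profile name ZPP-internet, the zone name untrust and every threshold are assumed values for illustration, and the set-command paths are written from the PAN-OS configuration hierarchy as I know it, so confirm each with tab completion on your firewall before committing. It covers the five settings groups in step 5, the zone attachment the Cloud Managed procedure performs in its step 2, and the RED-versus-SYN-cookies choice from the note above.

```text
# Added worked example (not from the page). Run in configure mode on a
# PAN-OS firewall. ZPP-internet, untrust and all rates are assumptions;
# derive real thresholds from a baseline of new CPS measured on the zone.
configure

# Steps 2-4: create the profile and describe it
set network profiles zone-protection-profile ZPP-internet description "Ingress from Internet; second layer behind upstream DDoS scrubbing"

# Step 5, Flood Protection. Rates are new connections per second for the
# whole zone: alarm-rate logs, activate-rate starts dropping, maximal-rate
# drops everything above it. tcp-syn uses RED here; on a shared gateway you
# could use "flood tcp-syn syn-cookies ..." instead, but an external zone
# in a multi-vsys setup only supports RED.
set network profiles zone-protection-profile ZPP-internet flood tcp-syn enable yes
set network profiles zone-protection-profile ZPP-internet flood tcp-syn red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-internet flood udp enable yes
set network profiles zone-protection-profile ZPP-internet flood udp red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-internet flood icmp enable yes
set network profiles zone-protection-profile ZPP-internet flood icmp red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-internet flood icmpv6 enable yes
set network profiles zone-protection-profile ZPP-internet flood icmpv6 red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
set network profiles zone-protection-profile ZPP-internet flood other-ip enable yes
set network profiles zone-protection-profile ZPP-internet flood other-ip red alarm-rate 10000 activate-rate 10000 maximal-rate 40000

# Step 5, Reconnaissance Protection. Scan IDs: 8001 = TCP port scan,
# 8002 = host sweep, 8003 = UDP port scan. "threshold" events within
# "interval" seconds trigger the action; block-ip blocks the source for
# "duration" seconds.
set network profiles zone-protection-profile ZPP-internet scan 8001 action block-ip duration 3600 track-by source
set network profiles zone-protection-profile ZPP-internet scan 8001 interval 2
set network profiles zone-protection-profile ZPP-internet scan 8001 threshold 100
set network profiles zone-protection-profile ZPP-internet scan 8002 action block-ip duration 3600 track-by source
set network profiles zone-protection-profile ZPP-internet scan 8002 interval 10
set network profiles zone-protection-profile ZPP-internet scan 8002 threshold 100
set network profiles zone-protection-profile ZPP-internet scan 8003 action block-ip duration 3600 track-by source
set network profiles zone-protection-profile ZPP-internet scan 8003 interval 2
set network profiles zone-protection-profile ZPP-internet scan 8003 threshold 100

# Step 5, Packet-Based Attack Protection: drop packets with undesirable
# characteristics and strip undesirable options before admitting them.
set network profiles zone-protection-profile ZPP-internet discard-ip-spoof yes
set network profiles zone-protection-profile ZPP-internet strict-ip-check yes
set network profiles zone-protection-profile ZPP-internet discard-malformed-option yes
set network profiles zone-protection-profile ZPP-internet discard-unknown-option yes
set network profiles zone-protection-profile ZPP-internet discard-tcp-split-handshake yes
set network profiles zone-protection-profile ZPP-internet discard-tcp-syn-with-data yes
set network profiles zone-protection-profile ZPP-internet discard-tcp-synack-with-data yes
set network profiles zone-protection-profile ZPP-internet remove-tcp-timestamp yes

# Attach the profile to the ingress zone (one profile per zone) and commit.
set zone untrust network zone-protection-profile ZPP-internet
commit

# Verify which settings are active on the zone after the commit.
exit
show zone-protection zone untrust
```

Because the profile applies to every packet entering the zone, keep activate-rate well above the peak new-CPS you measured during a quiet observation period, and watch the Threat log for flood and scan events after the commit before lowering the numbers; a threshold set below legitimate peak traffic drops real connections for the whole zone, not just the attacker's.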
