Create a Zone Protection Profile (Strata Cloud Manager)

Create a Zone Protection profile to apply to zones for protection against most common floods, reconnaissance attacks, and other packet-based attacks.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Device Settings > Zones.
  2. Select Add Zone, and then Create New Zone Protection profile.
  3. Give your profile a Name (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
  4. Give an optional Description for the Zone Protection profile for easy reference and reuse later.
  5. Configure any combination of these settings based on what types of protection your zone needs:
    A Zone Protection profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a Zone Protection profile (and any Security profile).
    • Flood Protection
      A Zone Protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. Your configuration measures the aggregate amount of each flood type entering the zone in new connections-per-second (CPS) and compares the totals to the thresholds you configure in the Zone Protection profile.
    • Reconnaissance Protection
      Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack. Enable Reconnaissance Protection on all zones to defend against port scans and host sweeps.
    • Packet-Based Attack Protection
      Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
      • Dropping packets with undesirable characteristics.
      • Stripping undesirable options from packets before admitting them to the zone.
    • Protocol Protection
      Protocol Protection defends against non-IP protocol-based attacks. Enable Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN.
    • Ethernet SGT Protection
      In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT) of 16 bits to a user’s or endpoint’s session. You can create a Zone Protection profile with Ethernet SGT protection when your configuration is part of a Cisco TrustSec network.
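To make the flood and reconnaissance checks above concrete, here is an added Python example that is not Palo Alto Networks code and does not reproduce how Strata Cloud Manager or PAN-OS implements Zone Protection. It constructs a handful of connection-attempt events, aggregates them per ingress zone and flood type into new connections per second (CPS), and compares each total against a hypothetical per-type threshold; it then flags a port scan (one source probing many ports on one host) and a host sweep (one source probing many hosts) inside a short time window. The zone names, addresses, thresholds, window size and function names are all assumptions made for the demonstration.

```python
"""Illustrative per-zone threshold checks of the kind a Zone Protection
profile performs.  Added example, not Palo Alto Networks code: the event
format, zone names, thresholds and function names are constructed here."""
from collections import defaultdict

# Constructed connection attempts:
# (second, ingress_zone, flood_type, src_ip, dst_ip, dst_port)
EVENTS = [
    (0, "untrust", "syn", "203.0.113.5", "10.0.0.10", 443),
    (0, "untrust", "syn", "203.0.113.6", "10.0.0.10", 443),
    (0, "untrust", "syn", "203.0.113.7", "10.0.0.10", 443),
    (0, "untrust", "syn", "203.0.113.8", "10.0.0.10", 443),  # 4 SYN CPS in second 0
    (1, "untrust", "syn", "203.0.113.5", "10.0.0.10", 443),
    (1, "untrust", "udp", "203.0.113.9", "10.0.0.11", 53),
    (1, "trust", "syn", "10.0.1.20", "10.0.0.10", 22),
    # one source touching many ports on one host (port scan pattern)
    (2, "untrust", "syn", "198.51.100.4", "10.0.0.10", 21),
    (2, "untrust", "syn", "198.51.100.4", "10.0.0.10", 22),
    (2, "untrust", "syn", "198.51.100.4", "10.0.0.10", 23),
    (3, "untrust", "syn", "198.51.100.4", "10.0.0.10", 25),
    (3, "untrust", "syn", "198.51.100.4", "10.0.0.10", 80),
    # one source touching many hosts (host sweep pattern); port 0 = no port for ICMP
    (4, "untrust", "icmp", "198.51.100.9", "10.0.0.1", 0),
    (4, "untrust", "icmp", "198.51.100.9", "10.0.0.2", 0),
    (5, "untrust", "icmp", "198.51.100.9", "10.0.0.3", 0),
    (5, "untrust", "icmp", "198.51.100.9", "10.0.0.4", 0),
]

# Hypothetical thresholds in new connections per second, one per flood type.
FLOOD_THRESHOLDS_CPS = {"syn": 3, "udp": 3, "icmp": 3}


def flood_cps(events):
    """Aggregate new connections per second per (zone, flood_type, second).

    Counts are per ingress zone and summed over all sources, which is what
    makes a distributed flood from many low-rate sources visible."""
    counts = defaultdict(int)
    for second, zone, ftype, *_ in events:
        counts[(zone, ftype, second)] += 1
    return dict(counts)


def flood_violations(events, thresholds):
    """Return (zone, flood_type, second, cps) entries whose aggregate CPS
    exceeds the configured threshold for that flood type."""
    return sorted(
        (zone, ftype, sec, cps)
        for (zone, ftype, sec), cps in flood_cps(events).items()
        if ftype in thresholds and cps > thresholds[ftype]
    )


def recon_findings(events, window_seconds=5, port_threshold=4, host_threshold=3):
    """Flag port scans (one source, many distinct ports on one host) and host
    sweeps (one source, many distinct hosts) seen within a time window.

    Thresholds and window are hypothetical; real products expose their own."""
    findings = set()
    by_source = defaultdict(list)
    for second, zone, _ftype, src, dst, port in events:
        by_source[(zone, src)].append((second, dst, port))
    for (zone, src), hits in by_source.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start < window_seconds]
            ports_by_host = defaultdict(set)
            for _, dst, port in in_window:
                ports_by_host[dst].add(port)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    findings.add(("port-scan", zone, src, dst))
            if len(ports_by_host) >= host_threshold:
                findings.add(("host-sweep", zone, src))
    return sorted(findings)


if __name__ == "__main__":
    for v in flood_violations(EVENTS, FLOOD_THRESHOLDS_CPS):
        print("flood threshold exceeded:", v)
    for f in recon_findings(EVENTS):
        print("reconnaissance:", f)
```

Two points the code makes that the prose only states: the flood counter keys on the ingress zone rather than on individual sources, so four different addresses each sending one SYN in the same second still add up to one aggregate rate; and the reconnaissance check needs a time window, because a scan spread over several seconds never exceeds any per-second rate.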