Create a Zone Protection Profile (PAN-OS & Panorama)
Create a Zone Protection profile to apply to zones for protection against most common
floods, reconnaissance attacks, and other packet-based attacks.
- Go to Network > Network Profiles > Zone Protection.
- Add a Zone Protection profile.
- Give your profile a Name (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
- Give an optional Description for the Zone Protection profile for easy reference and reuse later.
- Configure any combination of these settings based on what types of protection your zone needs:
- Flood Protection: A Zone Protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. The firewall measures the aggregate amount of each flood type entering the zone in new connections-per-second (CPS) and compares the totals to the thresholds you configure in the Zone Protection profile.
- Reconnaissance Protection: Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack. Enable Reconnaissance Protection on all zones to defend against port scans and host sweeps.
- Packet-Based Attack Protection: Packet-based attacks take many forms. Zone Protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet headers and protect a zone by:
  - Dropping packets with undesirable characteristics.
  - Stripping undesirable options from packets before admitting them to the zone.
- Protocol Protection: Protocol Protection defends against non-IP protocol-based attacks. Enable Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN.
- Ethernet SGT Protection: In a Cisco TrustSec network, a Cisco Identity Services Engine (ISE) assigns a Layer 2 Security Group Tag (SGT) of 16 bits to a user’s or endpoint’s session. You can create a Zone Protection profile with Ethernet SGT protection when your firewall is part of a Cisco TrustSec network.
If you have a multi-virtual system environment and have enabled the following:
- External zones to enable inter-virtual system communication
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications
The following zone and DoS protection mechanisms will be disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection for the shared gateway, you must create a separate Zone Protection profile for the shared gateway. To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Detection or SYN cookies; on an external zone, only Random Early Detection is available for SYN Flood protection.
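As an added illustration (not from the PAN-OS documentation or product code), this Python model encodes the rules stated in the procedure and the multi-vsys note above: the profile-name constraints from the naming step, the flood-threshold comparison in new connections-per-second, and the SYN flood mitigation allowed on an external zone versus a shared gateway. The three threshold names follow the PAN-OS flood protection settings (alarm, activate, maximum rate); the class and function names are this example's own and are not the PAN-OS configuration schema.

```python
import re
from dataclasses import dataclass

# Naming rule from the procedure: 1-31 characters, only letters, digits, spaces, underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 _]{1,31}$")


def validate_profile_name(name: str, existing: set) -> bool:
    """True if the name satisfies the charset/length rule and is case-sensitively unique."""
    return bool(NAME_RE.match(name)) and name not in existing


@dataclass
class SynFloodProtection:
    """Illustrative model (assumed names) of a SYN flood section of a Zone Protection profile."""
    action: str        # mitigation once activated: "red" (Random Early Detection) or "syn-cookies"
    alarm_cps: int     # at or above this aggregate CPS the firewall logs an alert
    activate_cps: int  # at or above this CPS the chosen mitigation starts
    maximum_cps: int   # at or above this CPS new SYN-initiated connections are dropped

    def __post_init__(self) -> None:
        if self.action not in ("red", "syn-cookies"):
            raise ValueError("action must be 'red' or 'syn-cookies'")
        if not (0 <= self.alarm_cps <= self.activate_cps <= self.maximum_cps):
            raise ValueError("thresholds must satisfy alarm <= activate <= maximum")

    def decision(self, measured_cps: int) -> str:
        """Map the zone's measured new-connections-per-second to the firewall's response."""
        if measured_cps >= self.maximum_cps:
            return "drop"
        if measured_cps >= self.activate_cps:
            return self.action
        if measured_cps >= self.alarm_cps:
            return "alert"
        return "allow"


def syn_action_allowed(zone_kind: str, action: str) -> bool:
    """Multi-vsys caveat: external zones support only RED; shared gateways support RED or cookies."""
    if zone_kind == "external":
        return action == "red"
    if zone_kind == "shared-gateway":
        return action in ("red", "syn-cookies")
    raise ValueError("zone_kind must be 'external' or 'shared-gateway'")
```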