PAN-OS

1. Create a Zone Protection profile and configure Packet-Based Attack Protection settings.

   1. Select NetworkNetwork ProfilesZone Protection and Add a new profile.
   2. Enter a Name for the profile and an optional Description.
   3. Select Packet Based Attack Protection.
   4. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the Packet-Based Attack Protection settings you want to enforce to protect a zone.
   5. Click OK.
2. Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.

   1. Select NetworkZones and select the zone where you want to assign the Zone Protection profile.
   2. Add the Interfaces belonging to the zone.
   3. For Zone Protection Profile, select the profile you just created.
   4. Click OK.
3. Commit your changes.
4. (PAN-OS 8.1.2 and later releases) Enable the firewall to generate Threat logs for a teardrop attack and a DoS attack using ping of death, and also generate Threat logs for the types of packets listed above if you enable the corresponding packet-based attack protection (in Step 1). For example, if you enable packet-based attack protection for Spoofed IP address, using the following CLI causes the firewall to generate a Threat log when the firewall receives and drops a packet with a spoofed IP address.

   1. Access the CLI.
   2. Use the operational CLI command set system setting additional-threat-log on. Default is off.