Security Profile: Zone Protection

Zone Protection profiles applied to zones offer protection against most common floods, reconnaissance attacks, and other packet-based attacks.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Check for any license or role requirements for the products you're using.
Zone Protection profiles add a layer of protection at the boundary between network zones. A Zone Protection profile applied to a zone defends it against the most common floods (SYN, UDP, ICMP, ICMPv6 and other IP floods), reconnaissance such as port scans and host sweeps, packet-based attacks (malformed, spoofed or fragmented packets and suspicious IP options), the use of non-IP protocols, and 802.1Q-tagged frames that carry a Cisco MetaData header (EtherType 0x8909) with specific Security Group Tags (SGTs). A Zone Protection profile provides broad-based protection at the ingress zone (the zone where traffic enters the firewall); it is not designed to protect a specific end host or traffic bound for a particular destination zone. Each zone can have at most one Zone Protection profile attached.
  • The profile applies to the entire zone, so test each profile carefully (for example, starting with alarm-only thresholds and reviewing the Threat log) to avoid disrupting legitimate traffic traversing the zone.
  • Zone protection is enforced only for packets that do not match an existing session, because flood thresholds are measured in new connections per second (cps), not packets per second (pps). A packet that matches an existing session bypasses the Zone Protection profile entirely, so a high-volume but established flow does not trip the thresholds.
  • To augment zone protection, configure a DoS Protection policy to match on a specific zone, interface, IP address, or user; a DoS Protection profile can apply per-destination or per-source limits that a zone-wide profile cannot.
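The cps-versus-pps point above is easy to misread, so the following added example models it in code. This is not PAN-OS code and the thresholds (5/10/20 cps) are toy values chosen for the demonstration, not firewall defaults: a small session table plus a sliding-window counter of new-connection attempts, where packets that match a session bypass the check entirely and only new-session attempts are rated against the alarm, activate and maximal thresholds.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds (constructed sample data below)
    src: str
    dst: str
    dport: int


@dataclass
class ZoneFloodGuard:
    """Toy per-zone SYN flood guard: thresholds are in new connections per second."""
    alarm_rate: int = 5      # cps at which an alarm would be logged (toy value)
    activate_rate: int = 10  # cps at which mitigation (e.g. SYN cookies) would start
    maximal_rate: int = 20   # cps above which further new connections are dropped
    window: float = 1.0      # sliding window, in seconds, used to measure cps
    sessions: set = field(default_factory=set)
    _new_conn_times: deque = field(default_factory=deque)
    alarm_logged: bool = False

    def current_cps(self, now: float) -> int:
        # Expire attempts older than the window, then count what is left.
        while self._new_conn_times and now - self._new_conn_times[0] >= self.window:
            self._new_conn_times.popleft()
        return len(self._new_conn_times)

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.sessions:
            # Existing session: zone protection is never consulted, however many
            # packets per second this flow sends.
            return "session"
        # New-connection attempt: it counts toward the cps rate even if dropped.
        self._new_conn_times.append(pkt.ts)
        cps = self.current_cps(pkt.ts)
        if cps >= self.alarm_rate and not self.alarm_logged:
            self.alarm_logged = True          # one alarm per flood, not per packet
        if cps > self.maximal_rate:
            return "drop"                     # above maximal rate: new connection refused
        self.sessions.add(key)
        return "mitigate" if cps >= self.activate_rate else "new"


def run(guard: ZoneFloodGuard, packets) -> dict:
    counts = {"session": 0, "new": 0, "mitigate": 0, "drop": 0}
    for p in packets:
        counts[guard.process(p)] += 1
    return counts


def demo():
    guard = ZoneFloodGuard()
    # Scenario 1 (constructed): one client opens a session, then sends
    # 1000 packets within a second. High pps, but only one new connection.
    client = [Packet(0.0, "10.0.0.5", "203.0.113.10", 443)]
    client += [Packet(i / 1000, "10.0.0.5", "203.0.113.10", 443) for i in range(1, 1001)]
    legit = run(guard, client)
    # Scenario 2 (constructed): 30 spoofed sources each send one SYN within
    # the same window. Low pps, but 30 new connections: the thresholds trip.
    flood = [Packet(0.5 + i / 100, f"198.51.100.{i}", "203.0.113.10", 443) for i in range(30)]
    attack = run(guard, flood)
    return legit, attack


if __name__ == "__main__":
    legit, attack = demo()
    print("established flow:", legit)
    print("syn flood:       ", attack)
```

The established flow produces 1000 "session" verdicts and never touches the counter, while the 30-source flood is admitted normally up to the activate rate, mitigated up to the maximal rate, and dropped beyond it. When tuning a real profile, the same logic means thresholds should be derived from a baseline of new connections per second for the zone, not from interface throughput.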
Apply a Zone Protection profile to each zone to defend it based on the aggregate traffic entering that ingress zone.
  • Apply a Zone Protection profile to every zone to layer in protection against IP floods, reconnaissance, packet-based attacks, and non-IP protocol attacks. Treat zone protection as a second layer of defense behind a dedicated DDoS mitigation device at the internet perimeter, not as a replacement for one.
  • In addition to zone protection and DoS protection, apply the best-practice Vulnerability Protection profile to each Security policy rule to help defend against application-layer DoS attacks.

Create a Zone Protection Profile
