Zone Defense
Firewalls provide a layer of defense against application-based,
protocol-based, and volumetric flood attacks, as well as reconnaissance,
packet-based, and non-IP-protocol-based attacks.
Where Can I Use This? | What Do I Need?
NGFW (Managed by PAN-OS or Panorama) |
Zone Protection profiles defend zones against flood, reconnaissance, packet-based, and
non-IP-protocol-based attacks. DoS Protection profiles used in DoS Protection policy
rules defend specific, critical devices against targeted flood and resource-based
attacks. A DoS attack overloads the network or targeted critical systems with large
amounts of unwanted traffic in an attempt to disrupt network services.
Plan to defend your network against different types of DoS attacks:
Application-Based Attacks—Target weaknesses in a particular application
and try to exhaust its resources so legitimate users can’t use it.
An example of this is the Slowloris attack.
Protocol-Based Attacks—Also known as state-exhaustion attacks, these
attacks target protocol weaknesses. A common example is a SYN flood attack.
Volumetric Attacks—High-volume attacks that attempt to overwhelm the
available network resources, especially bandwidth, and bring down the
target to prevent legitimate users from accessing those resources.
An example of this is a UDP flood attack.
There are no default Zone Protection profiles, DoS Protection
profiles, or DoS Protection policy rules. Configure and apply zone
protection based on each zone’s traffic characteristics, and configure
DoS protection based on the individual critical systems you want
to protect in each zone.
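The following added example (not PAN-OS configuration or Palo Alto Networks code) shows how the three DoS categories above differ in what a defender measures, and why thresholds have to come from each zone's own baseline. The field names, the `margin` multiplier, the 0.5 ratios, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ZoneSample:
    """Counters for one measurement interval in a zone (hypothetical field names)."""
    seconds: int
    syn_packets: int            # TCP SYNs received
    handshakes_completed: int   # three-way handshakes that finished
    open_http_conns: int        # concurrent HTTP connections at interval end
    stalled_http_conns: int     # of those, request headers still unfinished
    udp_bits: int               # UDP bits received

@dataclass
class ZoneBaseline:
    """Normal levels measured for this zone; every threshold is relative to them."""
    syn_per_sec: float
    open_http_conns: int
    udp_bits_per_sec: float

def classify(s: ZoneSample, base: ZoneBaseline, margin: float = 3.0) -> list[str]:
    """Return the DoS categories whose pattern the sample matches.
    margin and the 0.5 ratios are assumed starting points, not vendor values."""
    found = []
    # Protocol-based: SYN rate far above baseline AND most handshakes never
    # complete. A legitimate surge also raises the SYN rate but completes them.
    completed = s.handshakes_completed / max(s.syn_packets, 1)
    if s.syn_packets / s.seconds > margin * base.syn_per_sec and completed < 0.5:
        found.append("protocol-based")
    # Application-based: connections pile up and are held with unfinished
    # requests, so bandwidth and SYN rate can stay close to normal.
    stalled = s.stalled_http_conns / max(s.open_http_conns, 1)
    if s.open_http_conns > margin * base.open_http_conns and stalled > 0.5:
        found.append("application-based")
    # Volumetric: raw UDP throughput far above what the zone normally carries.
    if s.udp_bits / s.seconds > margin * base.udp_bits_per_sec:
        found.append("volumetric")
    return found

# Constructed baseline and 10-second samples, not captured traffic.
BASE = ZoneBaseline(syn_per_sec=200, open_http_conns=500, udp_bits_per_sec=50_000_000)
SAMPLES = {
    "normal":      ZoneSample(10, 2_100, 2_050, 520, 10, 480_000_000),
    "flash crowd": ZoneSample(10, 9_000, 8_800, 1_400, 30, 500_000_000),
    "syn flood":   ZoneSample(10, 80_000, 1_900, 480, 12, 450_000_000),
    "slowloris":   ZoneSample(10, 2_600, 2_550, 4_000, 3_600, 470_000_000),
    "udp flood":   ZoneSample(10, 2_000, 1_950, 500, 9, 9_000_000_000),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12} -> {classify(sample, BASE) or 'no match'}")
```

The "flash crowd" sample exceeds the SYN-rate threshold but completes its handshakes, so it is not flagged. A rate threshold alone would misclassify it.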