A Zone Protection profile applied to a zone offers protection against most common floods, reconnaissance attacks, other packet-based attacks, the use of non-IP protocols, and headers with 802.1Q (Ethertype 0x8909) that have specific Security Group Tags (SGTs). A Zone Protection profile is designed to provide broad-based protection at the ingress zone (the zone where traffic enters the firewall) and is not designed to protect a specific end host or traffic going to a particular destination zone. You can attach one zone protection profile to a zone.

Apply a Zone Protection profile to each zone to layer in extra protection against IP floods, reconnaissance, packet-based attacks, and non-IP protocol attacks. Zone Protection on the firewall should be a second layer of protection after a dedicated DDoS device at the internet perimeter.

To augment zone protection capabilities on the firewall, configure a DoS Protection policy (Policies > DoS Protection) to match on a specific zone, interface, IP address, or user.

Zone protection is enforced only when there is no session match for the packet because zone protection is based on new connections per second (cps), not on packets per second (pps). If the packet matches an existing session, it will bypass the zone protection setting.
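The last point is easy to get wrong when sizing thresholds, so here is an added Python model (not Palo Alto Networks code) of the evaluation order it describes: packets that match an existing session bypass zone protection entirely, and the flood counter only ever sees new-connection attempts, so it measures cps rather than pps. The threshold value, the sample traffic and the handling of a non-SYN packet with no session are constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumed flood limit in new connections per second (illustrative only).
NEW_CONN_PER_SEC_LIMIT = 3


def process_packets(packets, limit=NEW_CONN_PER_SEC_LIMIT):
    """Model the ingress decision for a stream of packets.

    packets: iterable of (timestamp_sec, src_ip, dst_ip, dst_port, tcp_flag).
    Returns counts of allowed/dropped/bypassed packets and the per-second
    cps (what zone protection counts) and pps (what it does not count).
    """
    sessions = set()            # established sessions, keyed by 3-tuple
    cps = defaultdict(int)      # new-connection attempts per second
    pps = defaultdict(int)      # all packets per second, for contrast
    allowed = dropped = bypassed = 0
    for ts, src, dst, dport, flag in packets:
        pps[ts] += 1
        key = (src, dst, dport)
        if key in sessions:
            # Session match: zone protection is never consulted.
            bypassed += 1
            allowed += 1
            continue
        if flag != "SYN":
            # Assumption: a non-SYN packet with no session is rejected.
            dropped += 1
            continue
        # No session match: this is a new-connection attempt, so the
        # zone protection flood counter applies (cps, not pps).
        cps[ts] += 1
        if cps[ts] > limit:
            dropped += 1        # flood threshold exceeded this second
            continue
        sessions.add(key)       # session created; later packets bypass
        allowed += 1
    return {"allowed": allowed, "dropped": dropped, "bypassed": bypassed,
            "cps": dict(cps), "pps": dict(pps)}


# Constructed traffic: one session opened at t=0, 20 packets on that
# session at t=1, plus 5 fresh SYNs from different sources at t=1.
SAMPLE_TRAFFIC = (
    [(0, "10.0.0.1", "192.0.2.10", 443, "SYN")]
    + [(1, "10.0.0.1", "192.0.2.10", 443, "ACK")] * 20
    + [(1, f"10.0.0.{i}", "192.0.2.10", 443, "SYN") for i in range(2, 7)]
)

if __name__ == "__main__":
    print(process_packets(SAMPLE_TRAFFIC))
```

At t=1 the zone sees 25 pps but only 5 cps, and with a limit of 3 it is the 5 new SYNs, not the 20 established-session packets, that the flood counter sees.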