Zone Protection profile - Threshold Recommendation on FW

Incident Code
INC_NGFW_ZPP_CPS_EXCEEDED_THRESHOLD
Severity
Warning
Category
Device
Subcategory
System Resources
Description
A zone is missing a Zone Protection profile or the threshold values in a Zone Protection profile need adjustment.
Raise Condition
A ZPP incident is raised for a firewall zone and protocol when all of the following conditions are met:
* The zone and protocol are configured in the Zone Protection Profile.
* There is recent, non-zero traffic observed for the zone.
* There is sufficient historical data (minimum one month lookback) to compute recommended thresholds.
* The system computes recommended thresholds from historical daily maximum CPS values: Alarm Threshold = baseline value +10%, Activate Threshold = baseline value +20%, Maximum Threshold = Twice Activate Threshold. A minimum threshold floor of 1000 CPS is always enforced.
* The currently configured thresholds (Alarm, Activate, or Maximum) fall outside the acceptable range of the system-recommended values.
Clear Condition
A ZPP incident is cleared when any one of the following conditions occurs:
* The customer updates the Zone Protection Profile thresholds for the zone (either to the system-recommended values or to custom values, whether more aggressive or more conservative).
* The zone has no recent traffic or insufficient data, preventing reliable threshold evaluation.
* The incident automatically closes after 90 days if no customer action is taken.
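
The raise-condition checks and the threshold formula above can be reproduced offline to audit a profile against exported CPS history. The following is an added example, not the vendor's code. Assumptions: the baseline is the highest daily maximum, "one month" is 30 days, the "acceptable range" is ±10% of the recommended value, and the 1000 CPS floor is applied to Alarm and Activate before Maximum is doubled; the function names and sample values are constructed.

```python
# Added example: not Palo Alto Networks code. Names and sample data are constructed.
FLOOR_CPS = 1000        # from the page: minimum threshold floor
MIN_HISTORY_DAYS = 30   # assumption: "one month lookback" taken as 30 days
TOLERANCE = 0.10        # assumption: the page does not define "acceptable range"


def recommend(daily_max_cps):
    """Recommended thresholds from historical daily maximum CPS values."""
    baseline = max(daily_max_cps)  # assumption: baseline = highest daily maximum
    alarm = max(FLOOR_CPS, baseline * 110 // 100)     # baseline +10%
    activate = max(FLOOR_CPS, baseline * 120 // 100)  # baseline +20%
    # Assumption: floor applied before doubling, so Maximum is always 2x Activate.
    return {"alarm": alarm, "activate": activate, "maximum": 2 * activate}


def evaluate(configured, daily_max_cps, recent_cps):
    """Return (raise_incident, reason, recommended) for one zone and protocol.

    configured: dict with alarm/activate/maximum keys, or None when the
    protocol is not configured in the zone's Zone Protection Profile.
    """
    if configured is None:
        return False, "protocol not configured in profile", None
    if recent_cps <= 0:
        return False, "no recent traffic", None
    if len(daily_max_cps) < MIN_HISTORY_DAYS:
        return False, "insufficient history", None
    rec = recommend(daily_max_cps)
    # A threshold is flagged when it differs from the recommendation by more
    # than the tolerance, whether it is too loose or too tight.
    off = [k for k in rec if abs(configured[k] - rec[k]) > TOLERANCE * rec[k]]
    if off:
        return True, "outside range: " + ", ".join(off), rec
    return False, "within range", rec


if __name__ == "__main__":
    # Constructed sample: 30 daily maxima peaking at 5000 CPS.
    history = [3200 + 60 * d for d in range(30)]
    history[17] = 5000
    cfg = {"alarm": 10000, "activate": 10000, "maximum": 40000}  # constructed
    print(evaluate(cfg, history, recent_cps=2800))
```
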