Zone Protection and DoS Protection
Protect network zones and critical devices from flood
attacks, reconnaissance, packet-based attacks, and non-IP protocol-based
attacks.
Where Can I Use This? | What Do I Need? |
NGFW (Managed by PAN-OS or Panorama) | |
Segmenting the network into functional and organizational
zones reduces the network’s attack surface—the portion of the network
exposed to potential attackers. Zone protection defends network
zones against flood attacks, reconnaissance attempts, packet-based
attacks, and attacks that use non-IP protocols. Tailor a Zone Protection
profile to protect each zone (you can apply the same profile to
similar zones). Denial-of-service (DoS) protection defends specific
critical systems against flood attacks, especially devices that
users access from the internet, such as web servers and database servers,
and protects resources from session floods. Tailor DoS Protection
profiles and policy rules to protect each set of critical devices.
Visit the Best Practices documentation portal to get a checklist of
Zone Protection and DoS Protection best practices.
Check and monitor firewall dataplane CPU consumption to
ensure that each firewall is properly sized to support DoS and Zone
Protection along with any other features that consume CPU cycles,
such as decryption. If you use Panorama to manage your firewalls,
use Device Monitor ()
to check and monitor the CPU consumption of all managed firewalls at
one time.