How Do the Zone Defense Tools Work?

When a packet arrives at the firewall, the firewall attempts to match the packet to an existing session, based on the ingress zone, egress zone, source IP address, destination IP address, protocol, and application derived from the packet header. If the firewall finds a match, then the packet uses the security policy rules that already control the session.
If the packet does not match an existing session, the firewall uses zone protection profiles, DoS protection profiles and policy rules, and security policy rules to determine whether to establish a session or discard the packet, and the level of access the packet receives.
The first protection the firewall applies is the broad edge defense of the zone protection profile, if one exists for the zone. The firewall determines the zone from the interface on which the packet arrives (each interface is assigned to one zone only and all interfaces that carry traffic must belong to a zone). If the zone protection profile denies the packet, the packet is discarded and no DoS protection policy rule or security policy lookup occurs. The firewall applies zone protection profiles only to packets that do not match an existing session. After the firewall establishes a session, the firewall bypasses the zone protection profile lookup for succeeding packets in that session.
The second protection the firewall applies is a DoS protection policy rule lookup. Even if a zone protection profile allows a packet based on the total amount of traffic going to the zone, a DoS protection policy rule and protection profile may deny the packet if it is going to a particular destination or coming from a particular source that has exceeded the flood protection or resource protection settings in the rule’s DoS protection profile. If the packet matches a DoS protection policy rule, the firewall applies the rule to the packet. If the rule denies access, the firewall discards the packet and does not perform a security policy lookup. If the rule allows access, the firewall performs a security policy lookup. The DoS protection policy rule is enforced only on new sessions.
The third protection the firewall applies is a Security Policy lookup, which happens only if the zone protection profile and DoS protection policy rules allow the packet. If the firewall finds no security policy rule match for the packet, the firewall discards the packet. If the firewall finds a matching security policy rule, the firewall applies the rule to the packet. The firewall enforces the security policy rule on traffic in both directions (c2s and s2c) for the life of the session.
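To make the ordering concrete, the following Python model walks packets through the four lookups described above: session match, zone protection profile, DoS protection policy rule, then security policy. It is an added illustration, not Palo Alto Networks code and not PAN-OS behaviour: the per-zone cap on new-session attempts standing in for a zone protection profile, the per-source cap standing in for a DoS protection policy rule with its profile, the first-match rule tables, and every zone name and IP address are constructed assumptions. What it shows is the short-circuiting the page describes: a packet matched to an existing session never reaches the zone or DoS checks, a zone-level drop prevents any DoS or security policy lookup, and a DoS-level drop prevents the security policy lookup.

```python
"""Simplified model of the evaluation order: session lookup, zone protection
profile, DoS protection policy rule, security policy.  Illustrative only;
thresholds, matching fields and rule formats are assumptions, not PAN-OS."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress_zone: str
    egress_zone: str
    src: str
    dst: str
    proto: str
    app: str


def session_key(p):
    # The six fields the page names for matching a packet to an existing session.
    return (p.ingress_zone, p.egress_zone, p.src, p.dst, p.proto, p.app)


@dataclass
class Firewall:
    # Assumed zone protection profile: zone -> cap on new-session attempts (aggregate).
    zone_profiles: dict
    # Assumed DoS protection rules: (src or None, dst or None, per-source cap); first match wins.
    dos_rules: list
    # Assumed security policy: ordered (from_zone, to_zone, app, action); first match wins.
    security_rules: list
    sessions: set = field(default_factory=set)
    zone_new_counts: dict = field(default_factory=lambda: defaultdict(int))
    dos_src_counts: dict = field(default_factory=lambda: defaultdict(int))

    def process(self, p):
        """Return (action, stage) for one packet and update state."""
        key = session_key(p)
        # 1. Existing session: governed by the rule that already controls it;
        #    the zone protection and DoS lookups are bypassed entirely.
        if key in self.sessions:
            return ("allow", "session")
        # 2. Zone protection profile on the ingress zone, new sessions only.
        cap = self.zone_profiles.get(p.ingress_zone)
        if cap is not None:
            self.zone_new_counts[p.ingress_zone] += 1
            if self.zone_new_counts[p.ingress_zone] > cap:
                return ("drop", "zone-protection")   # no DoS or security lookup
        # 3. DoS protection policy rule: per-source threshold for a matching rule.
        for src, dst, per_src_cap in self.dos_rules:
            if (src is None or src == p.src) and (dst is None or dst == p.dst):
                self.dos_src_counts[p.src] += 1
                if self.dos_src_counts[p.src] > per_src_cap:
                    return ("drop", "dos-protection")   # no security lookup
                break
        # 4. Security policy lookup: first match; no match means discard.
        for from_z, to_z, app, action in self.security_rules:
            if (from_z in (p.ingress_zone, "any") and to_z in (p.egress_zone, "any")
                    and app in (p.app, "any")):
                if action == "allow":
                    self.sessions.add(key)   # later packets take the session path
                    return ("allow", "security-policy")
                return ("drop", "security-policy")
        return ("drop", "no-security-rule")


def demo():
    """Constructed traffic mix exercising every stage; returns the decisions in order."""
    fw = Firewall(
        zone_profiles={"untrust": 5},                  # assumed aggregate cap
        dos_rules=[(None, "10.0.0.10", 2)],            # assumed per-source cap to one host
        security_rules=[("untrust", "dmz", "web-browsing", "allow")],
    )
    web = Packet("untrust", "dmz", "198.51.100.7", "10.0.0.10", "tcp", "web-browsing")
    ssh = Packet("untrust", "dmz", "198.51.100.7", "10.0.0.10", "tcp", "ssh")
    web2 = Packet("untrust", "dmz", "203.0.113.9", "10.0.0.10", "tcp", "web-browsing")
    dns2 = Packet("untrust", "dmz", "203.0.113.9", "10.0.0.11", "udp", "dns")
    web3 = Packet("untrust", "dmz", "203.0.113.9", "10.0.0.12", "tcp", "web-browsing")
    return [
        fw.process(web),   # new session, allowed by security policy
        fw.process(web),   # same session: zone and DoS lookups bypassed
        fw.process(ssh),   # new, passes zone and DoS, no security rule -> drop
        fw.process(ssh),   # retry: source exceeds DoS cap -> drop before security lookup
        fw.process(web2),  # different source: under its own DoS count, allowed
        fw.process(dns2),  # DoS rule does not match dst; no security rule -> drop
        fw.process(web3),  # zone cap exceeded -> drop before DoS or security lookup
    ]


if __name__ == "__main__":
    for i, (action, stage) in enumerate(demo(), 1):
        print(f"packet {i}: {action} at {stage}")
```

The stage names in the output are the point of the model: each drop is attributed to the first lookup that rejected the packet, which mirrors how the page describes the lookups being skipped once an earlier one denies access.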