When a packet arrives at the firewall, the firewall
attempts to match the packet to an existing session, based on the
ingress zone, egress zone, source IP address, destination IP address,
protocol, and application derived from the packet header. If the
firewall finds a match, then the packet uses the security policy
rules that already control the session.

If the packet does not match an existing session, the firewall
uses zone protection profiles, DoS protection profiles and policy
rules, and security policy rules to determine whether to establish
a session or discard the packet, and the level of access the packet

The first protection the firewall applies is the broad edge defense
of the zone protection profile, if one exists for the zone. The
firewall determines the zone from the interface on which the packet
arrives (each interface is assigned to one zone only and all interfaces
that carry traffic must belong to a zone). If the zone protection profile
denies the packet, the packet is discarded and no DoS protection
policy rule or security policy lookup occurs. The firewall applies
zone protection profiles only to packets that do not match an existing
session. After the firewall establishes a session, the firewall
bypasses the zone protection profile lookup for succeeding packets
in that session.

The second protection the firewall applies is a DoS protection
policy rule lookup. Even if a zone protection profile allows a packet
based on the total amount of traffic going to the zone, a DoS protection
policy rule and protection profile may deny the packet if it is
going to a particular destination or coming from a particular source
that has exceeded the flood protection or resource protection settings
in the rule’s DoS protection profile. If the packet matches a DoS
protection policy rule, the firewall applies the rule to the packet.
If the rule denies access, the firewall discards the packet and
does not perform a security policy lookup. If the rule allows access,
the firewall performs a security policy lookup. The DoS protection
policy rule is enforced only on new sessions.

The third protection the firewall applies is a security policy lookup,
which happens only if the zone protection profile and DoS protection
policy rules allow the packet. If the firewall finds no security
policy rule match for the packet, the firewall discards the packet.
If the firewall finds a matching security policy rule, the firewall
applies the rule to the packet. The firewall enforces the security
policy rule on traffic in both directions (c2s and s2c) for the
life of the session.
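As an added example that is not part of this page or of any firewall vendor's code, the following Python model walks a constructed packet sequence through the four-stage order the text describes: existing-session match first, then the zone protection profile of the ingress zone, then the DoS protection policy rule, then the security policy lookup. The class names, the count-based caps that stand in for flood and resource protection, and the 203.0.113.x and 10.0.0.x addresses are assumptions made for the example; they do not reflect how any product implements these checks.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    ingress_zone: str
    egress_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    app: str

    def session_key(self):  # the six attributes the text names for session matching
        return (self.ingress_zone, self.egress_zone, self.src_ip, self.dst_ip, self.protocol, self.app)

    def reverse_key(self):  # same session, server-to-client direction
        return (self.egress_zone, self.ingress_zone, self.dst_ip, self.src_ip, self.protocol, self.app)

@dataclass
class ZoneProtectionProfile:
    # Constructed stand-in for flood protection: an aggregate cap on new-session
    # packets entering the zone, whatever their source or destination.
    max_new_sessions: int

@dataclass
class DosProtectionRule:
    # Matches new sessions to dst_ip / from src_ip; max_sessions stands in for the
    # flood or resource limit of the attached DoS protection profile (assumption).
    name: str
    max_sessions: int
    dst_ip: Optional[str] = None
    src_ip: Optional[str] = None

    def matches(self, p):
        return self.dst_ip in (None, p.dst_ip) and self.src_ip in (None, p.src_ip)

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"
    app: str = "any"

    def matches(self, p):
        return (self.from_zone, self.to_zone) == (p.ingress_zone, p.egress_zone) and self.app in ("any", p.app)

class Firewall:
    def __init__(self, zone_profiles, dos_rules, security_rules):
        self.zone_profiles = zone_profiles    # zone name -> ZoneProtectionProfile
        self.dos_rules = dos_rules            # ordered, first match wins
        self.security_rules = security_rules  # ordered, first match wins
        self.sessions = set()                 # keys of established sessions
        self.zone_new = defaultdict(int)      # new-session packets seen per zone
        self.dos_new = defaultdict(int)       # new-session packets seen per DoS rule

    def process(self, p):
        """Return (verdict, stage) for one packet, in the order the text gives."""
        # 1. Existing session, either direction: its rule applies, and the zone
        #    protection and DoS protection lookups are bypassed.
        if p.session_key() in self.sessions or p.reverse_key() in self.sessions:
            return ("allow", "existing-session")
        # 2. Zone protection profile of the ingress zone, if one exists.
        prof = self.zone_profiles.get(p.ingress_zone)
        if prof is not None:
            self.zone_new[p.ingress_zone] += 1
            if self.zone_new[p.ingress_zone] > prof.max_new_sessions:
                return ("drop", "zone-protection")  # no DoS or security lookup
        # 3. DoS protection policy rule with its per-destination/source limit.
        for rule in self.dos_rules:
            if rule.matches(p):
                self.dos_new[rule.name] += 1
                if self.dos_new[rule.name] > rule.max_sessions:
                    return ("drop", "dos-protection")  # no security lookup
                break
        # 4. Security policy: first match decides; no match discards the packet.
        for rule in self.security_rules:
            if rule.matches(p):
                if rule.action != "allow":
                    return ("drop", "security-policy:" + rule.name)
                self.sessions.add(p.session_key())  # enforced for c2s and s2c
                return ("allow", "security-policy:" + rule.name)
        return ("drop", "security-policy:no-match")

def run_demo():
    """Constructed traffic (TEST-NET-3 sources) that exercises every stage."""
    fw = Firewall(
        zone_profiles={"untrust": ZoneProtectionProfile(max_new_sessions=5)},
        dos_rules=[DosProtectionRule("protect-web", max_sessions=2, dst_ip="10.0.0.10")],
        security_rules=[SecurityRule("allow-web", "untrust", "dmz", "allow", app="web-browsing"),
                        SecurityRule("deny-ssh", "untrust", "dmz", "deny", app="ssh")])
    c2s = lambda src, dst, app: Packet("untrust", "dmz", src, dst, "tcp", app)
    first = c2s("203.0.113.5", "10.0.0.10", "web-browsing")
    reply = Packet("dmz", "untrust", "10.0.0.10", "203.0.113.5", "tcp", "web-browsing")
    traffic = [
        first,                                             # new session, allowed
        first,                                             # same session, c2s
        reply,                                             # same session, s2c
        c2s("203.0.113.6", "10.0.0.10", "web-browsing"),   # second session to the web host
        c2s("203.0.113.7", "10.0.0.10", "web-browsing"),   # exceeds the DoS rule limit
        c2s("203.0.113.8", "10.0.0.20", "ssh"),            # hits the explicit deny rule
        c2s("203.0.113.9", "10.0.0.20", "dns"),            # no security rule matches
        c2s("203.0.113.10", "10.0.0.20", "web-browsing"),  # zone cap now exceeded
        first,                                             # still allowed: session exists
    ]
    return [fw.process(p) for p in traffic]
```

Running `run_demo()` shows two points the text makes: a drop at an earlier stage suppresses every later lookup (the third packet to 10.0.0.10 never reaches the security policy), and packets of an established session are allowed at stage 1 even after the zone's cap has been exhausted, which is the zone protection bypass for succeeding packets of a session.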