Zone Defense Tools

Palo Alto Networks firewalls provide three complementary tools to protect the zones in your network:
  • Zone protection profiles defend the zone at the ingress zone edge against reconnaissance port scan and host sweep attacks, IP packet-based attacks, non-IP protocol attacks, and against flood attacks by limiting the number of connections-per-second of different packet types. The ingress zone is where traffic enters the firewall in the direction of flow from the client to the server (c2s), where the client is the originator of the flow and the server is the responder. The egress zone is where traffic enters the firewall in the direction of flow from the server to the client (s2c).
    Zone protection profiles provide broad defense of the entire zone based on the aggregate traffic entering the zone, protecting against flood attacks and undesirable packet types and options. Zone protection profiles don’t control traffic between zones; they control traffic only at the ingress zone. Zone protection profiles don’t take individual IP addresses into account because they apply to the aggregate traffic entering the zone (DoS protection policy rules defend individual IP addresses in a zone).
    Use zone protection profiles as a first pass to detect and remove non-compliant traffic. Zone protection profiles defend the network as the session is formed, before the firewall performs DoS protection policy and security policy rule lookups, and consume fewer CPU cycles than a DoS protection policy or security policy rule lookup. If a zone protection profile denies traffic, the firewall doesn’t spend CPU cycles on policy rule lookups.
  • DoS protection profiles and DoS protection policy rules defend against flood attacks and protect specific individual endpoints and resources. The difference between flood protection using a zone protection profile and using a DoS protection profile is that a zone protection profile defends an entire ingress zone based on the aggregate traffic flowing into the zone, while a DoS protection policy rule applies a DoS protection profile that can protect specific IP addresses and address groups, users, zones, and interfaces, so DoS protection is more granular and targeted than a zone protection profile.
    A DoS protection profile sets flood protection thresholds (connections-per-second limits), resource protection thresholds (session limits for specified endpoints and resources), and whether the profile applies to aggregate or classified traffic.
    A DoS protection policy rule specifies:
    • Source, destination, and services match criteria.
    • The action to take when traffic matches the rule.
    • Logging and scheduling options.
    • The aggregate or classified DoS protection profile the rule applies to matching traffic when protecting resources.
    Aggregate DoS protection profiles and policy rules apply to all of the traffic that matches the specified source, destination, and services. Classified DoS protection profiles and policy rules protect only the traffic that matches the source, destination, or source and destination pair IP addresses and the services specified in the DoS protection policy rule.
  • Security policy rules affect both the ingress (c2s) and egress (s2c) flows of a session. To establish a session, the incoming traffic must match an existing security policy rule (including the default rules). If there is no match, the firewall discards the packet.
    Security policy rules can protect zones by controlling traffic between zones (interzone) and within zones (intrazone) using criteria including zones, IP addresses, users, applications, services, and URL categories.
    The default security policy rules do not permit traffic to travel between zones, so you need to configure a security rule if you want to allow interzone traffic. All intrazone traffic is allowed by default. You can configure security policy rules to match and control intrazone, interzone, or universal (intrazone and interzone) traffic.
    Zone protection profiles, DoS protection profiles and policy rules, and security policy rules only affect dataplane traffic on the firewall. Traffic originating on the firewall management interface does not cross the dataplane, so the firewall does not match management traffic against these profiles or policy rules.
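The three tools above are evaluated in sequence for each new session: zone protection on the aggregate rate entering the ingress zone, then the DoS protection policy for matched endpoints, then security policy with its interzone-deny and intrazone-allow defaults. The following Python model, added here as an illustration and not Palo Alto Networks code, runs one second of constructed traffic through that sequence so the difference between an aggregate zone limit and a classified per-destination DoS limit becomes visible. It assumes a single hard connections-per-second limit per profile (real profiles carry alert, activate and maximum rates), and the zone names, addresses, thresholds and traffic sample are all constructed for the example.

```python
"""Simplified model of the zone-defense evaluation order: zone protection,
then DoS protection policy, then security policy. Added example, not
vendor code; single hard CPS thresholds are an assumption, and all zones,
addresses and traffic below are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Conn:
    """One new connection attempt in the c2s direction."""
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str  # e.g. "tcp/443"


@dataclass(frozen=True)
class ZoneProtection:
    """Aggregate CPS limit for all traffic entering one ingress zone."""
    zone: str
    max_cps: int


@dataclass(frozen=True)
class DosRule:
    """Classified DoS protection rule: per-destination-IP CPS limit."""
    dst_net: str
    services: frozenset
    max_cps_per_dst: int


@dataclass(frozen=True)
class SecurityRule:
    """Security policy rule matched on zone pair and service; first match wins."""
    src_zone: str
    dst_zone: str
    services: frozenset
    action: str  # "allow" or "deny"


class FirewallModel:
    """Evaluates connections in the documented order, one second at a time."""

    def __init__(self, zone_profiles, dos_rules, sec_rules):
        self.zone_profiles = {zp.zone: zp for zp in zone_profiles}
        self.dos_rules = list(dos_rules)
        self.sec_rules = list(sec_rules)
        self.zone_cps = Counter()  # connections per ingress zone this second
        self.dst_cps = Counter()   # connections per protected destination IP this second

    def new_second(self):
        """Reset the per-second counters."""
        self.zone_cps.clear()
        self.dst_cps.clear()

    def evaluate(self, c: Conn) -> str:
        # 1. Zone protection: aggregate rate at the ingress zone, no per-IP awareness.
        #    A drop here costs no DoS or security policy lookup.
        zp = self.zone_profiles.get(c.src_zone)
        if zp is not None:
            self.zone_cps[c.src_zone] += 1
            if self.zone_cps[c.src_zone] > zp.max_cps:
                return "drop:zone-protection"
        # 2. DoS protection policy: classified rule keyed on the destination IP.
        for r in self.dos_rules:
            if c.service in r.services and ip_address(c.dst) in ip_network(r.dst_net):
                self.dst_cps[c.dst] += 1
                if self.dst_cps[c.dst] > r.max_cps_per_dst:
                    return "drop:dos-protection"
                break
        # 3. Security policy: explicit rules first, then the default rules.
        for r in self.sec_rules:
            if (r.src_zone, r.dst_zone) == (c.src_zone, c.dst_zone) and c.service in r.services:
                return f"{r.action}:security-rule"
        if c.src_zone == c.dst_zone:
            return "allow:default-intrazone"
        return "deny:default-interzone"


def run_sample() -> dict:
    """Push one second of constructed traffic through the model; return outcome counts."""
    fw = FirewallModel(
        zone_profiles=[ZoneProtection("untrust", max_cps=50)],
        dos_rules=[DosRule("10.1.1.0/24", frozenset({"tcp/443"}), max_cps_per_dst=10)],
        sec_rules=[SecurityRule("untrust", "dmz", frozenset({"tcp/443"}), "allow")],
    )

    def burst(n, src_zone, dst_zone, src, dst, svc):
        return [Conn(src_zone, dst_zone, src, dst, svc) for _ in range(n)]

    second = (
        burst(30, "untrust", "dmz", "203.0.113.10", "10.1.1.5", "tcp/443")   # flood on one server
        + burst(5, "untrust", "dmz", "203.0.113.11", "10.1.1.6", "tcp/443")  # normal load
        + burst(3, "untrust", "dmz", "203.0.113.12", "10.1.1.5", "tcp/22")   # no security rule
        + burst(20, "untrust", "dmz", "203.0.113.13", "10.1.1.7", "tcp/443") # pushes zone past 50
        + burst(4, "dmz", "dmz", "10.1.1.5", "10.1.1.6", "tcp/8080")         # intrazone traffic
    )
    fw.new_second()
    return dict(Counter(fw.evaluate(c) for c in second))


if __name__ == "__main__":
    for outcome, n in sorted(run_sample().items()):
        print(f"{outcome:26s} {n}")
```

Reading the counts: the 30-connection flood on 10.1.1.5 stays under the zone's aggregate limit, so only the classified DoS rule stops it after 10 connections to that one server; the later burst to 10.1.1.7 pushes the ingress zone past 50 and the last 8 connections are dropped by zone protection before any policy lookup; the tcp/22 attempts clear both rate checks and are denied only by the default interzone rule, while the dmz-to-dmz connections are allowed by the default intrazone rule.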
