A Zone Protection profile applied to a zone offers protection
against most common floods, reconnaissance attacks, other packet-based
attacks, and the use of non-IP protocols. It is designed to provide
broad-based protection at the ingress zone (that is, the zone where
traffic enters the firewall) and is not designed to protect a specific
end host or traffic going to a particular destination zone. You
can attach one zone protection profile to a zone.
To augment zone protection capabilities on the firewall, configure
a DoS Protection policy (Policies > DoS Protection) to match on a
specific zone, interface, IP address, or user.
Zone protection is enforced only when there is no session
match for the packet because zone protection is based on new connections
per second (cps), not on packets per second (pps). If the packet
matches an existing session, it will bypass the zone protection