Building Blocks of Zone Protection Profiles
To create a Zone Protection profile, Add a profile and name it.
Zone Protection Profile Settings
Network > Network Profiles > Zone Protection
Name: Enter a profile name (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
Description: Enter an optional description for the Zone Protection profile.
Continue to create the Zone Protection profile by configuring any combination of settings based on what types of protection your zone needs:
If you have a multi virtual system environment and have enabled the following:
- External zones to enable inter virtual system communication
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications
the following Zone and DoS protection mechanisms will be disabled on the external zone:
- SYN cookies
- IP fragmentation
To enable IP fragmentation and ICMPv6 protection for the shared gateway, you must create a separate Zone Protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.