Zone Protection and DoS Protection

Protect network zones and critical devices from flood attacks, reconnaissance, packet-based attacks, and non-IP protocol-based attacks.
Segmenting the network into functional and organizational zones reduces the network’s attack surface—the portion of the network exposed to potential attackers. Zone protection defends network zones against flood attacks, reconnaissance attempts, packet-based attacks, and attacks that use non-IP protocols. Tailor a Zone Protection profile to protect each zone (you can apply the same profile to similar zones). Denial-of-service (DoS) protection defends specific critical systems against flood attacks, especially devices that user access from the internet such as web servers and database servers, and protects resources from session floods. Tailor DoS Protection profiles and policy rules to protect each set of critical devices. Visit the Best Practices documentation portal to get a checklist of Zone Protection and DoS Protection best practices.
Check and monitor firewall dataplane CPU consumption to ensure that each firewall is properly sized to support DoS and Zone Protection along with any other features that consume CPU cycles, such as decryption. If you use Panorama to manage your firewalls, use Device Monitor (PanoramaManaged DevicesHealth) to check and monitor the CPU consumption of all managed firewalls at one time.

Related Documentation