Zone Defense

Firewalls provide a layer of defense against application-based, protocol-based, and volumetric flood attacks, and reconnaissance, packet-based, and non-IP-protocol-based attacks.
Zone Protection profiles defend zones against flood, reconnaissance, packet-based, and non-IP-protocol-based attacks. DoS Protection profiles used in DoS Protection policy rules defend specific, critical devices against targeted flood and resource-based attacks. A DoS attack overloads the network or targeted critical systems with large amounts of unwanted traffic an attempt to disrupt network services.
Plan to defend your network against different types of DoS attacks:
  • Application-Based Attacks—Target weaknesses in a particular application and try to exhaust its resources so legitimate users can’t use it. An example of this is the Slowloris attack.
  • Protocol-Based Attacks—Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.
  • Volumetric Attacks—High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.
There are no default Zone Protection profiles or DoS Protection profiles and DoS Protection policy rules. Configure and apply zone protection based on each zone’s traffic characteristics and configure DoS protection based on the individual critical systems you want to protect in each zone.

Related Documentation