A Zone Protection profile applied to a zone offers protection
against most common floods, reconnaissance attacks, other packet-based
attacks, and the use of non-IP protocols. It is designed to provide
broad-based protection at the ingress zone (the zone where traffic
enters the firewall) and is not designed to protect a specific end host
or traffic going to a particular destination zone. You can attach
one Zone Protection profile to a zone.
Apply a Zone Protection profile to each
zone to layer in extra protection against IP floods, reconnaissance,
packet-based attacks, and non-IP protocol attacks. Zone Protection
on the firewall should be a second layer of protection after a dedicated
DDoS device at the internet perimeter.
To augment zone protection capabilities on the firewall, configure
a DoS Protection policy (Policies > DoS Protection) to match on a
specific zone, interface, IP address, or user.
Zone protection is enforced only when there is no session
match for the packet because zone protection is based on new connections
per second (cps), not on packets per second (pps). If the packet
matches an existing session, it will bypass the zone protection
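The evaluation order in the last paragraph (session lookup first, then a new-connection count only for packets with no session match) is easier to see as a small model. The Python below is an added example, not PAN-OS code or part of the vendor documentation: the threshold of 10 cps, the one-second sliding window, the 5-tuple session key and the traffic it replays are all constructed for illustration. It shows why a high packet rate on an established session never reaches the zone-protection counter, while a burst of new connection attempts does.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; 'syn' marks a new-connection attempt."""
    ts: float            # seconds since start of the capture
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False

    @property
    def key(self):
        # Assumption: sessions are identified by the 5-tuple.
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class ZoneProtectionModel:
    """Simplified model of the described evaluation order (assumption:
    this is an illustration, not the firewall's implementation).
    The threshold is in new connections per second, not packets per second."""
    activate_cps: int
    window: float = 1.0                      # sliding window in seconds
    sessions: set = field(default_factory=set)
    new_conn_times: deque = field(default_factory=deque)
    stats: dict = field(default_factory=lambda: defaultdict(int))

    def _prune(self, now: float) -> None:
        # Drop connection attempts that fell out of the one-second window.
        while self.new_conn_times and now - self.new_conn_times[0] >= self.window:
            self.new_conn_times.popleft()

    def process(self, pkt: Packet) -> str:
        # 1. Session lookup comes first: a packet that matches an existing
        #    session bypasses zone protection entirely, whatever the pps.
        if pkt.key in self.sessions:
            self.stats["session_match"] += 1
            return "session_match"
        # 2. No session match: this is a new connection attempt, so it is
        #    counted against the cps threshold.
        self._prune(pkt.ts)
        self.new_conn_times.append(pkt.ts)
        if len(self.new_conn_times) > self.activate_cps:
            self.stats["dropped"] += 1
            return "dropped"
        # 3. Under the threshold: allow it and install the session so that
        #    later packets of this flow skip zone protection.
        self.sessions.add(pkt.key)
        self.stats["new_session"] += 1
        return "new_session"


def run_demo(activate_cps: int = 10) -> dict:
    """Replay constructed traffic through the model and return the tallies."""
    pkts = []
    # One legitimate connection, followed by 50 data packets on that session
    # inside a single second (high pps, but zero new connections).
    pkts.append(Packet(0.0, "10.0.0.5", "10.0.0.9", 40000, 443, syn=True))
    for j in range(50):
        pkts.append(Packet(0.1 + j * 0.01, "10.0.0.5", "10.0.0.9", 40000, 443))
    # A burst of 20 connection attempts from one constructed source, each on
    # a fresh source port, all within the same one-second window.
    for i in range(20):
        pkts.append(Packet(0.5 + i * 0.01, "198.51.100.7", "10.0.0.9",
                           50000 + i, 443, syn=True))
    pkts.sort(key=lambda p: p.ts)

    model = ZoneProtectionModel(activate_cps=activate_cps)
    for p in pkts:
        model.process(p)
    return dict(model.stats)


if __name__ == "__main__":
    # Expected: 50 session_match, 10 new_session, 11 dropped.
    print(run_demo())
```

The 50 data packets are never counted because the session lookup short-circuits before the cps logic runs; the burst, by contrast, is counted attempt by attempt, and once the one-second window holds more than ten attempts the remainder are dropped. A DoS Protection policy scoped to the destination address would be the place to add host-specific limits, which the zone-level profile deliberately does not provide.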