Network > Network Profiles > Zone Protection
A zone protection profile offers protection against most common floods, reconnaissance attacks and other packet-based attacks. It is designed to provide broad-based protection at the ingress zone (i.e. the zone where traffic enters the firewall) and is not designed to protect a specific end host or traffic going to a particular destination zone.
To augment zone protection capabilities on the firewall, use the DoS protection rulebase to match on a specific zone, interface, IP address, or user.
Zone protection is enforced only when there is no session match for the packet. If the packet matches an existing session, it will bypass the zone protection setting.
To create a zone protection profile, click Add and specify the first two settings.
Zone Protection Profile Settings
Name: Enter a profile name (up to 31 characters). This name appears in the list of zone protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.
Description (Optional): Enter a description for the zone protection profile.
Continue to create a zone protection profile by configuring any combination of settings based on what types of protection your zone needs:
If you have an environment with multiple virtual systems and you enable both of the following:
- External zones, to enable inter-virtual system communication
- Shared gateways, to allow virtual systems to share a common interface and a single IP address for external communications
then the following zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway. To protect against SYN floods on a shared gateway, apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.
Configuring Flood Protection
Flood Protection Settings
Flood Protection Thresholds - SYN Flood
Action: Select the action to take in response to a SYN flood attack.
- Random Early Drop: causes SYN packets to be dropped to mitigate a flood attack. When the flow exceeds the Alert rate threshold, an alarm is generated. When the flow exceeds the Activate rate threshold, individual SYN packets are dropped randomly to restrict the flow. When the flow exceeds the Maximum rate threshold, all SYN packets are dropped.
- SYN Cookies: computes a sequence number for SYN-ACK packets that does not require pending connections to be stored in memory, so the firewall can validate the final ACK of the handshake without keeping half-open state for every SYN it answers. This is the preferred method.
Alert (packets/sec): Enter the number of SYN packets received by the zone (in a second) that triggers an attack alarm. You can view alarms on the Dashboard (refer to Dashboard) and in the threat log (refer to Monitor > Logs > Threat).
Activate (packets/sec): Enter the number of SYN packets received by the zone (in a second) that triggers the action specified.
Maximum (packets/sec): Enter the maximum number of SYN packets the zone will receive per second. Any packets exceeding the maximum in a second are dropped.
Flood Protection Thresholds - ICMP Flood
Alert (packets/sec): Enter the number of ICMP echo requests (pings) received by the zone (in a second) that triggers an attack alarm.
Activate (packets/sec): Enter the number of ICMP packets received by the zone (in a second) that causes subsequent ICMP packets to be dropped.
Maximum (packets/sec): Enter the maximum number of ICMP packets the zone will receive per second. Any packets exceeding the maximum in a second are dropped.
Flood Protection Thresholds - ICMPv6
Alert (packets/sec): Enter the number of ICMPv6 echo requests (pings) received by the zone (in a second) that triggers an attack alarm.
Activate (packets/sec): Enter the number of ICMPv6 packets received by the zone (in a second) that causes subsequent ICMPv6 packets to be dropped. Metering stops when the number of ICMPv6 packets drops below the threshold.
Maximum (packets/sec): Enter the maximum number of ICMPv6 packets the zone will receive per second. Any packets exceeding the maximum in a second are dropped.
Flood Protection Thresholds - UDP
Alert (packets/sec): Enter the number of UDP packets received by the zone (in a second) that triggers an attack alarm.
Activate (packets/sec): Enter the number of UDP packets received by the zone (in a second) that triggers random dropping of UDP packets. The response is disabled when the number of UDP packets drops below the threshold.
Maximum (packets/sec): Enter the maximum number of UDP packets the zone will receive per second. Any packets exceeding the maximum in a second are dropped.
Flood Protection Thresholds - Other IP
Alert (packets/sec): Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) received by the zone (in a second) that triggers an attack alarm.
Activate (packets/sec): Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) received by the zone (in a second) that triggers random dropping of other IP packets. The response is disabled when the number of other IP packets drops below the threshold.
Maximum (packets/sec): Enter the maximum number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) the zone will receive per second. Any packets exceeding the maximum in a second are dropped.
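The following is an added example, not code from this page or from Palo Alto Networks, that models the two SYN Flood actions described above: the three-threshold behaviour of Random Early Drop (Alert raises an alarm, Activate starts random drops, Maximum drops everything) and a stateless SYN cookie that encodes the handshake into the SYN-ACK sequence number so that no half-open connection has to be stored. The threshold values, the hard-coded demo secret, the cookie bit layout (modelled on the classic Linux scheme) and the linear drop ramp between Activate and Maximum are all assumptions of the example; the page does not specify the firewall's internal drop curve or cookie format.

```python
import hashlib
import hmac

# Constructed thresholds in packets/sec, mirroring the profile's Alert,
# Activate and Maximum fields. Illustrative values, not recommendations.
ALERT_PPS = 10_000
ACTIVATE_PPS = 50_000
MAXIMUM_PPS = 100_000

# Constructed demo key (assumption). A real device derives and rotates its
# own secret; never hard-code one in production code.
COOKIE_SECRET = b"demo-only-syn-cookie-secret"


def red_state(syn_pps, alert=ALERT_PPS, activate=ACTIVATE_PPS, maximum=MAXIMUM_PPS):
    """Model the three thresholds of the Random Early Drop action.

    Returns (state, drop_probability): below Alert nothing happens; from Alert
    an alarm is raised but no SYN is dropped; from Activate SYNs are dropped
    at random; at or above Maximum every SYN is dropped. The linear ramp
    between Activate and Maximum is this model's assumption.
    """
    if syn_pps >= maximum:
        return "maximum", 1.0
    if syn_pps >= activate:
        return "activate", (syn_pps - activate) / (maximum - activate)
    if syn_pps >= alert:
        return "alert", 0.0
    return "normal", 0.0


def _cookie_mac(src, dst, sport, dport, counter):
    """24-bit keyed tag over the 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, counter, mss_index):
    """Return the SYN-ACK sequence number for a SYN while storing no state.

    Layout (assumed): 5 bits of a slowly ticking counter, 3 bits of MSS table
    index, 24 bits of keyed MAC, all added to the client's ISN so the value
    still looks like an ordinary sequence number.
    """
    if not (0 <= counter < 32 and 0 <= mss_index < 8):
        raise ValueError("counter must fit in 5 bits and mss_index in 3 bits")
    cookie = (counter << 27) | (mss_index << 24) | _cookie_mac(src, dst, sport, dport, counter)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(src, dst, sport, dport, client_isn, ack, now_counter, max_age=1):
    """Validate the handshake's final ACK from the packet alone.

    client_isn is the ACK segment's own sequence number minus one. Returns the
    MSS index recovered from the cookie, or None if it is stale or forged.
    """
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    if (now_counter - counter) % 32 > max_age:          # too old: reject
        return None
    if (cookie & 0xFFFFFF) != _cookie_mac(src, dst, sport, dport, counter):
        return None                                      # wrong key, tuple or tampered
    return mss_index


if __name__ == "__main__":
    for pps in (5_000, 10_000, 75_000, 150_000):
        print(pps, "pps ->", red_state(pps))
    tup = ("203.0.113.5", "198.51.100.10", 40000, 443)   # constructed 4-tuple
    isn = make_syn_cookie(*tup, 12345, 7, 3)
    print("valid ACK  ->", check_syn_cookie(*tup, 12345, (isn + 1) & 0xFFFFFFFF, 7))
    print("forged ACK ->", check_syn_cookie(*tup, 12345, (isn + 2) & 0xFFFFFFFF, 7))
```

The point of the cookie half is the one the page makes: every SYN is answered, nothing is queued, and a spoofed source that never completes the handshake costs the device nothing but a hash. The cost is that options not encoded in the cookie (here only an MSS index) are lost, which is why SYN cookies are an attack-time mechanism rather than the everyday path.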
Configuring Reconnaissance Protection
The following table describes reconnaissance protection settings for zone protection.
Reconnaissance Protection Settings
TCP Port Scan: Select Enable to configure the profile to protect against TCP port scans.
UDP Port Scan: Select Enable to configure the profile to protect against UDP port scans.
Host Sweep: Select Enable to configure the profile to protect against host sweeps.
Action: Action that the system takes in response to the corresponding reconnaissance attempt:
- Allow: permits the port scan or host sweep reconnaissance.
- Alert: generates an alert for each port scan or host sweep that matches the threshold within the specified time interval (the default action).
- Block: drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
- Block IP: drops all subsequent packets for the specified Duration, in seconds (range is 1-3,600). Track By determines whether to block source or source-and-destination traffic: block attempts above the threshold number per interval that come from a single source (more stringent), or block attempts that share a source and destination pair (less stringent).
Interval (sec): Time interval (in seconds) for TCP or UDP port scan detection (range is 2-65,535; default is 2). Time interval (in seconds) for host sweep detection (range is 2-65,535; default is 10).
Threshold (events): Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).
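As an added example (not code from this page or from the firewall), the detector below runs the Interval, Threshold and Track By semantics from the table over a small set of constructed flow records: a host that probes a few ports on two servers, a host that sweeps a /24, and a normal client re-using one service. The record format, the lowered thresholds used in the demo, and the choice to count distinct destination/port pairs (for scans) or distinct destination hosts (for sweeps) are the example's own assumptions.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_sec, src_ip, dst_ip, dst_port).
# 203.0.113.7 probes two hosts on three ports each, 203.0.113.9 sweeps a /24,
# and 10.0.0.50 is an ordinary client repeatedly hitting one service.
FLOWS = [
    (0, "203.0.113.7", "10.0.0.1", 22), (0, "203.0.113.7", "10.0.0.1", 80),
    (1, "203.0.113.7", "10.0.0.1", 443), (1, "203.0.113.7", "10.0.0.2", 22),
    (1, "203.0.113.7", "10.0.0.2", 80), (2, "203.0.113.7", "10.0.0.2", 443),
    (0, "10.0.0.50", "10.0.0.1", 443), (1, "10.0.0.50", "10.0.0.1", 443),
    (2, "10.0.0.50", "10.0.0.1", 443), (3, "10.0.0.50", "10.0.0.1", 443),
] + [(t, "203.0.113.9", f"10.0.1.{t + 1}", 0) for t in range(8)]


def _scan_key(src, dst, track_by):
    """Track By: a per-source key trips sooner than a per-pair key."""
    if track_by == "source":
        return src
    if track_by == "source-and-destination":
        return (src, dst)
    raise ValueError(f"unknown Track By value: {track_by}")


def detect_port_scans(flows, interval=2, threshold=100, track_by="source"):
    """Return [(key, timestamp)] for each key whose distinct (dst, port)
    probes inside a sliding `interval`-second window reach `threshold`.
    The timestamp is that of the event which tripped the threshold."""
    window = defaultdict(list)          # key -> [(ts, (dst, port))]
    tripped = {}
    for ts, src, dst, port in sorted(flows):
        key = _scan_key(src, dst, track_by)
        recent = [(t, p) for t, p in window[key] if ts - t <= interval]
        recent.append((ts, (dst, port)))
        window[key] = recent
        if key not in tripped and len({p for _, p in recent}) >= threshold:
            tripped[key] = ts
    return sorted(tripped.items(), key=lambda kv: kv[1])


def detect_host_sweeps(flows, interval=10, threshold=100):
    """Same sliding window, counting distinct destination hosts per source."""
    window = defaultdict(list)          # src -> [(ts, dst)]
    tripped = {}
    for ts, src, dst, _port in sorted(flows):
        recent = [(t, d) for t, d in window[src] if ts - t <= interval]
        recent.append((ts, dst))
        window[src] = recent
        if src not in tripped and len({d for _, d in recent}) >= threshold:
            tripped[src] = ts
    return sorted(tripped.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    # Thresholds lowered from the page's default of 100 so the demo data trips them.
    print("scan, track by source:     ", detect_port_scans(FLOWS, 2, 5, "source"))
    print("scan, track by source+dest:", detect_port_scans(FLOWS, 2, 5, "source-and-destination"))
    print("host sweep:                ", detect_host_sweeps(FLOWS, 10, 5))
```

With the same data and threshold, tracking by source catches 203.0.113.7 after its fifth distinct probe even though it spread them over two targets, while tracking by source-and-destination pair never sees more than three events per pair and stays silent; that is the "more stringent" versus "less stringent" distinction in the Track By description.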
Configuring Packet Based Attack Protection
You can configure Packet Based Attack protection by dropping types of packets with various characteristics:
Configuring the IP Drop tab
To instruct the firewall what to do with certain IP packets it received in the zone, specify the following settings.
Packet Based Attack Protection Settings
IP Drop tab
Spoofed IP address: Discard packets with a spoofed IP address.
Strict IP Address Check: Discard packets with malformed source or destination IP addresses. For example, discard packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use. For a firewall in Common Criteria (CC) mode, you can enable logging for discarded packets: on the firewall web interface, select Device > Log Settings, and in the Manage Logs section select Selective Audit and enable Packet Drop Logging.
Fragmented traffic: Discard fragmented IP packets.
IP Option Drop
Strict Source Routing: Discard packets with the Strict Source Routing IP option set.
Loose Source Routing: Discard packets with the Loose Source Routing IP option set.
Timestamp: Discard packets with the Timestamp IP option set.
Record Route: Discard packets with the Record Route IP option set.
Security: Discard packets if the Security option is defined.
Stream ID: Discard packets if the Stream ID option is defined.
Unknown: Discard packets if the option class and number are unknown.
Malformed: Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
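The following added example (not code from this page or from the firewall) shows what the IP Drop and IP Option Drop checks actually look at: it walks the options area of an IPv4 header, decodes the class and number bits of each option type byte as RFC 791 defines them, tags the source-routing, timestamp, record-route, security and stream-ID options, and flags unknown types and length fields that do not fit the option or the options area. A second function applies the Strict IP Address Check conditions listed above using Python's ipaddress module. The tag names, the chosen minimum lengths (the RFC 791 minimums only, not the RFC 1108/1393/2113 refinements), and the sample option bytes are the example's own assumptions.

```python
import ipaddress

# RFC 791 option type byte: bit 7 = copied flag, bits 6-5 = class, bits 4-0 = number.
KNOWN_OPTIONS = {
    (0, 0): "end-of-options", (0, 1): "no-op", (0, 2): "security",
    (0, 3): "loose-source-routing", (0, 7): "record-route", (0, 8): "stream-id",
    (0, 9): "strict-source-routing", (2, 4): "timestamp",
}
# Minimum total option length (type + length + mandatory fields) per RFC 791.
MIN_LENGTH = {"security": 11, "loose-source-routing": 3, "record-route": 3,
              "stream-id": 4, "strict-source-routing": 3, "timestamp": 4}
ALL_OPTION_CHECKS = {"strict-source-routing", "loose-source-routing", "timestamp",
                     "record-route", "security", "stream-id", "unknown", "malformed"}


def classify_ipv4_options(opts):
    """Walk an IPv4 header's options area and return the tags the IP Option
    Drop checks would match: option names plus 'unknown' and 'malformed'."""
    tags, i = [], 0
    while i < len(opts):
        cls, num = (opts[i] >> 5) & 0x3, opts[i] & 0x1F
        name = KNOWN_OPTIONS.get((cls, num))
        if name is None:
            tags.append("unknown")          # class/number not defined
            break                           # cannot trust the length of an unknown option
        if name == "end-of-options":
            tags.append(name)
            break
        if name == "no-op":                 # single-byte option, no length field
            tags.append(name)
            i += 1
            continue
        if i + 1 >= len(opts):
            tags.append("malformed")        # type byte with no length byte
            break
        length = opts[i + 1]
        if length < MIN_LENGTH[name] or i + length > len(opts):
            tags.append("malformed")        # length inconsistent with option or area
            break
        tags.append(name)
        i += length
    return tags


def ip_option_verdict(opts, profile):
    """profile: set of enabled IP Option Drop checks. Returns ('drop', tag) or ('allow', None)."""
    for tag in classify_ipv4_options(opts):
        if tag in profile:
            return "drop", tag
    return "allow", None


def strict_ip_address_check(src, dst, interface_ip):
    """Reasons a packet fails Strict IP Address Check (empty list means it passes)."""
    reasons = []
    for role, addr in (("source", src), ("destination", dst)):
        ip = ipaddress.ip_address(addr)
        if addr == interface_ip:
            reasons.append(f"{role} equals the interface address")
        elif ip == ipaddress.ip_address("255.255.255.255"):
            reasons.append(f"{role} is the broadcast address")
        elif ip.is_loopback:
            reasons.append(f"{role} is a loopback address")
        elif ip.is_link_local:
            reasons.append(f"{role} is a link-local address")
        elif ip.is_unspecified:
            reasons.append(f"{role} is the unspecified address")
        elif ip.is_reserved:                # 240.0.0.0/4, reserved for future use
            reasons.append(f"{role} is reserved for future use")
    return reasons


if __name__ == "__main__":
    # Constructed option areas: LSRR via 10.0.0.1, a NOP + EOL pad, an undefined
    # option type, and an LSRR whose length overruns the options area.
    for opts in (bytes([0x83, 7, 4, 10, 0, 0, 1]), bytes([1, 0]),
                 bytes([0x1F]), bytes([0x83, 20, 4])):
        print(opts.hex(), "->", ip_option_verdict(opts, ALL_OPTION_CHECKS))
    print(strict_ip_address_check("127.0.0.1", "10.0.0.5", "10.0.0.1"))
```

Stopping the walk at the first unknown or malformed option is deliberate: once a length field cannot be trusted, every later offset is attacker-controlled, which is exactly why the Malformed check exists alongside the per-option ones.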
Configuring the TCP Drop tab
To instruct the firewall what to do with certain TCP packets it received in the zone, specify the following settings.
TCP Drop Settings
Mismatched overlapping TCP segment: Report an overlap mismatch and drop the packet when the data in overlapping segments does not match, in any of these cases: the segment lies entirely within another segment, the segment overlaps part of another segment, or the segment covers another segment. This protection uses sequence numbers to determine where packets reside within the TCP data stream. Overlapping segments with conflicting data are a classic way to show the firewall one byte stream and the end host another.
Split Handshake: Prevent a TCP session from being established if the session establishment procedure does not use the well-known 3-way handshake. A 4-way or 5-way split handshake and a simultaneous open are examples of variations that would not be allowed. The firewall correctly handles sessions and all Layer 7 processing for split handshake and simultaneous open session establishment without this option; when the option is enabled in a zone protection profile that is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard 3-way handshake, and the variations are not allowed.
Reject Non-SYN TCP: Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
- global: use the system-wide setting that is assigned through the CLI.
- yes: reject non-SYN TCP.
- no: accept non-SYN TCP.
Note that allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not reset after the block occurs.
Asymmetric Path: Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
- global: use the system-wide setting that is assigned through the CLI.
- drop: drop packets that contain an asymmetric path.
- bypass: bypass scanning on packets that contain an asymmetric path.
Remove TCP Timestamp: Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
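As an added example (not code from this page or from the firewall), the snippet below implements the overlap check behind the Mismatched overlapping TCP segment setting: for each arriving segment it finds every earlier segment it overlaps, classifies the overlap as within, covers or partial, and reports the overlap range when the bytes differ. A second function reassembles the same segments with first-copy-wins and last-copy-wins policies to show why the mismatch matters: the two policies yield different requests. The segment data and the two policies are the example's own constructions; the page does not state which copy an endpoint or the firewall keeps.

```python
def find_overlap_mismatches(segments):
    """segments: [(seq, payload)] in arrival order.

    Returns one (seq, kind, lo, hi) entry per earlier segment that the new
    segment overlaps with different bytes in [lo, hi). kind says how the new
    segment sits relative to the earlier one: 'within', 'covers' or 'partial'."""
    accepted, mismatches = [], []
    for seq, data in segments:
        end = seq + len(data)
        for pseq, pdata in accepted:
            pend = pseq + len(pdata)
            lo, hi = max(seq, pseq), min(end, pend)
            if lo >= hi:
                continue                                  # disjoint ranges
            if seq >= pseq and end <= pend:
                kind = "within"
            elif seq <= pseq and end >= pend:
                kind = "covers"
            else:
                kind = "partial"
            if data[lo - seq:hi - seq] != pdata[lo - pseq:hi - pseq]:
                mismatches.append((seq, kind, lo, hi))
        accepted.append((seq, data))
    return mismatches


def reassemble(segments, prefer="first"):
    """Rebuild the byte stream keeping the first or the last copy of each byte.

    Real stacks differ here, which is what an evader relies on."""
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            if prefer == "last":
                stream[seq + i] = b
            else:
                stream.setdefault(seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


# Constructed exchange: a plausible request, then a segment that lands inside
# the first one and rewrites bytes 1005-1009 with different data, then the rest.
EVASION = [
    (1000, b"GET /index.html"),
    (1005, b"admin"),
    (1015, b" HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    print("mismatches:", find_overlap_mismatches(EVASION))
    print("first wins:", reassemble(EVASION, "first"))
    print("last wins: ", reassemble(EVASION, "last"))
```

An exact retransmission produces an overlap but no mismatch, so the check does not penalise ordinary loss recovery; only conflicting data in the overlap trips it.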
Configuring the ICMP Drop Tab
To instruct the firewall what to do with certain ICMP packets it received in the zone, specify the following settings.
ICMP Drop Settings
ICMP Ping ID 0: Discard packets if the ICMP ping packet has an identifier value of 0.
ICMP Fragment: Discard packets that consist of ICMP fragments.
ICMP Large Packet (>1024): Discard ICMP packets that are larger than 1024 bytes.
Discard ICMP embedded with error message: Discard ICMP packets that are embedded with an error message.
Suppress ICMP TTL Expired Error: Stop sending ICMP TTL expired messages.
Suppress ICMP Frag Needed: Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
Configuring the IPv6 Drop Tab
To instruct the firewall what to do with certain IPv6 packets it received in the zone, specify the following settings.
IPv6 Drop Settings
Type 0 Routing Header: Discard IPv6 packets containing a Type 0 routing header. See RFC 5095, which deprecates the Type 0 routing header, for details.
IPv4 compatible address: Discard IPv6 packets that use an RFC 4291 IPv4-Compatible IPv6 address (the deprecated ::/96 form).
Anycast source address: Discard IPv6 packets that contain an anycast source address.
Needless fragment header: Discard IPv6 packets that carry a Fragment extension header with the last fragment flag (M=0) and a fragment offset of zero, that is, a fragment header that fragments nothing.
MTU in ICMP 'Packet Too Big' less than 1280 bytes: Discard IPv6 packets that contain an ICMPv6 Packet Too Big message whose reported maximum transmission unit (MTU) is less than 1,280 bytes, the IPv6 minimum link MTU.
Hop-by-Hop extension: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
Routing extension: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on the way to their destination.
Destination extension: Discard IPv6 packets that contain the Destination Options extension header, which contains options intended only for the destination of the packet.
Invalid IPv6 options in extension header: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
Non-zero reserved field: Discard IPv6 packets that have a header with a reserved field not set to zero.
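The following added example (not code from this page or from the firewall) walks an IPv6 packet's fixed header and extension-header chain and emits a tag for each of the IPv6 Drop conditions above that can be decided from the packet alone: IPv4-compatible addresses, the Hop-by-Hop, Routing, Destination Options and Fragment headers, a Type 0 routing header, a needless fragment header (M=0, offset 0), non-zero reserved bits in the fragment header, and a Packet Too Big message advertising an MTU below 1280. The anycast-source and invalid-option checks need knowledge the packet does not carry and are left out. The tag names, the packet builder and its sample addresses are the example's own assumptions.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop-extension", ROUTING: "routing-extension",
             FRAGMENT: "fragment-extension", DEST_OPTS: "destination-extension"}


def inspect_ipv6(pkt):
    """Parse the fixed header and extension-header chain of an IPv6 packet.

    Returns (findings, upper_layer_protocol); findings are tags named after
    the IPv6 Drop checks they correspond to."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not-ipv6"], None
    findings = []
    for role, addr in (("source", pkt[8:24]), ("destination", pkt[24:40])):
        # ::a.b.c.d (RFC 4291 2.5.5.1), excluding :: and ::1 which share the prefix
        if addr[:12] == bytes(12) and addr[12:] not in (bytes(4), b"\x00\x00\x00\x01"):
            findings.append(f"ipv4-compatible-{role}")
    nxt, off = pkt[6], 40
    while nxt in EXT_NAMES:
        if off + 8 > len(pkt):
            findings.append("truncated-extension-header")
            return findings, None
        findings.append(EXT_NAMES[nxt])
        if nxt == FRAGMENT:                       # fixed 8 bytes, no length field
            reserved = pkt[off + 1]
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            offset, m_flag = frag >> 3, frag & 1  # 13-bit offset, 2 reserved bits, M
            if reserved or frag & 0x6:
                findings.append("non-zero-reserved-field")
            if offset == 0 and m_flag == 0:
                findings.append("needless-fragment-header")
            hdr_len = 8
        else:                                     # length field in 8-octet units, excluding first 8
            hdr_len = (pkt[off + 1] + 1) * 8
            if nxt == ROUTING and pkt[off + 2] == 0:
                findings.append("type-0-routing-header")
        nxt, off = pkt[off], off + hdr_len
    if nxt == ICMPV6 and off + 8 <= len(pkt) and pkt[off] == 2:   # Packet Too Big
        mtu = struct.unpack("!I", pkt[off + 4:off + 8])[0]
        if mtu < 1280:
            findings.append("packet-too-big-mtu-below-1280")
    return findings, nxt


def build_ipv6(next_header, payload,
               src=bytes.fromhex("20010db8000000000000000000000001"),
               dst=bytes.fromhex("20010db8000000000000000000000002")):
    """Constructed fixed header: version 6, zero class/flow, hop limit 64."""
    return (b"\x60\x00\x00\x00" + struct.pack("!HBB", len(payload), next_header, 64)
            + src + dst + payload)


ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])          # constructed ICMPv6 echo request header

if __name__ == "__main__":
    samples = {
        "plain echo": build_ipv6(ICMPV6, ECHO),
        "RH0 then echo": build_ipv6(ROUTING, bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 0]) + ECHO),
        "needless fragment": build_ipv6(FRAGMENT, bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1]) + ECHO),
        "PTB mtu 1000": build_ipv6(ICMPV6, bytes([2, 0, 0, 0]) + struct.pack("!I", 1000)),
    }
    for name, pkt in samples.items():
        print(f"{name:18} -> {inspect_ipv6(pkt)}")
```

Header lengths are taken from the packet, so a hostile length field simply walks the parser off the end, which is caught by the truncation check rather than by an index error; that is the same reason the firewall treats unexpected extension headers as droppable rather than trying to interpret them.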
Configuring the ICMPv6 Drop tab
To instruct the firewall what to do with certain ICMPv6 packets it received in the zone, specify the following settings.
ICMPv6 Drop Settings
ICMPv6 destination unreachable - require explicit security rule match: Require an explicit security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 packet too big - require explicit security rule match: Require an explicit security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 time exceeded - require explicit security rule match: Require an explicit security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 parameter problem - require explicit security rule match: Require an explicit security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 redirect - require explicit security rule match: Require an explicit security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.